Bug 394203 (CVE-2011-4114) - <dev-perl/PAR-1.5.0: unsafe temp file usage (CVE-2011-{4114,5060})
Summary: <dev-perl/PAR-1.5.0: unsafe temp file usage (CVE-2011-{4114,5060})
Status: RESOLVED FIXED
Alias: CVE-2011-4114
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://cpansearch.perl.org/src/RSCHUP...
Whiteboard: B3 [noglsa]
Reported: 2011-12-10 01:03 UTC by Tim Sammut (RETIRED)
Modified: 2012-03-06 01:18 UTC
Runtime testing required: ---
Description Tim Sammut (RETIRED) gentoo-dev 2011-12-10 01:03:41 UTC
From the upstream changelog at $URL I believe this is fixed in 1.5. More information at https://rt.cpan.org/Public/Bug/Display.html?id=69560.

@perl, can we go ahead and stabilize =dev-perl/PAR-1.5.0? Thanks.
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2011-12-17 16:56:48 UTC
(In reply to comment #0)
> @perl, can we go ahead and stabilize =dev-perl/PAR-1.5.0? Thanks.

Sure, no bug reports till now.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-12-17 17:16:24 UTC
Great, thanks.

Arches, please test and mark stable:
=dev-perl/PAR-1.5.0
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-12-17 17:30:42 UTC
amd64 stable
Comment 4 Markus Meier gentoo-dev 2011-12-26 12:50:10 UTC
x86 stable, all arches done.
Comment 5 Agostino Sarubbo gentoo-dev 2011-12-26 14:33:58 UTC
@security, please vote.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-12-27 05:20:49 UTC
Thanks, everyone. GLSA vote: no.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-02-26 22:04:31 UTC
CVE-2011-5060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5060):
  The par_mktmpdir function in the PAR module before 1.003 for Perl creates
  temporary files in a directory with a predictable name without verifying
  ownership and permissions of this directory, which allows local users to
  overwrite files when another user extracts a PAR packed program, a different
  vulnerability in a different package than CVE-2011-4114.
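For the ownership and permission checks the NVD text says were missing, an added illustration in Perl (not PAR's own code and not its actual fix; the helper name and the `par-<uid>` directory layout are assumptions): create a per-user temporary directory with a restrictive mode and, if the path already exists, refuse to use it unless it is a real directory owned by the current user and inaccessible to others.

```perl
#!/usr/bin/perl
# Added illustration, not code from the PAR module: a pre-existing
# directory under a predictable name is verified instead of trusted.
use strict;
use warnings;
use Errno ();          # makes %! (e.g. $!{EEXIST}) available
use Fcntl ':mode';     # S_ISDIR, S_IMODE
use File::Spec;

# Hypothetical helper name; layout "<tmpdir>/par-<real uid>" is assumed.
sub safe_user_tmpdir {
    my ($base) = @_;
    $base //= File::Spec->tmpdir;
    my $dir = File::Spec->catdir($base, "par-$<");

    # Create with mode 0700 (umask may tighten it further). If the path
    # already exists we fall through to the checks below rather than
    # assuming it was created by us.
    unless (mkdir $dir, 0700) {
        die "mkdir $dir: $!\n" unless $!{EEXIST};
    }

    # lstat, not stat: a symlink planted at this path by another local
    # user must be rejected, not followed to its target.
    my @st = lstat $dir or die "lstat $dir: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$dir is not a directory (symlink?)\n"  unless S_ISDIR($mode);
    die "$dir is owned by uid $uid, not $<\n"   unless $uid == $<;
    die sprintf("%s is accessible to others (mode %04o)\n",
                $dir, S_IMODE($mode))            if S_IMODE($mode) & 077;

    # Only now is the directory safe to extract into; files created
    # inside it inherit protection from the 0700 directory itself.
    return $dir;
}

print safe_user_tmpdir(), "\n";
```

The same checks apply whether the base directory comes from `$TMPDIR`, `PAR_TEMP` or a hard-coded path; what matters is that ownership and mode are validated before any file is written there.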
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:18:32 UTC
Vote: No. Closing noglsa.