Bug 390719 (CVE-2011-4116) - <perl-core/File-Temp-0.230.0: insecure temporary file handling vulnerability (CVE-2011-4116)
Summary: <perl-core/File-Temp-0.230.0: insecure temporary file handling vulnerability ...
Status: RESOLVED FIXED
Alias: CVE-2011-4116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://rt.cpan.org/Public/Bug/Displa...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-16 10:35 UTC by Agostino Sarubbo
Modified: 2014-12-25 15:59 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2011-11-16 10:35:36 UTC
From the upstream bug at $URL:

Description:
As user "attacker":

ln -s /tmp /tmp/exploit

As user "victim":

perl -MFile::Temp -e 'File::Temp->safe_level(File::Temp::HIGH); print File::Temp::tempdir("/tmp/exploit/meXXXX") . "\n";'

The temporary directory path that is returned includes the symlink owned
by the "attacker" user.

Solution:
https://rt.cpan.org/Ticket/Attachment/949904/493927/symlink-safety.patch
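A caller-side guard for the condition described above, added here as an example; it is not code from the bug report, the upstream patch or File::Temp itself. It assumes a POSIX filesystem; untrusted_component and guarded_tempdir are hypothetical names, and the template path is the one from the report reused as a placeholder.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from File::Temp): before calling
# tempdir() on a template that carries directory components, walk every
# component of that directory with lstat and refuse symlinks, plus the
# ownership / write-permission checks safe_level(HIGH) is meant to apply.
# Assumes a POSIX filesystem; the template path below is a placeholder.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Returns undef when every component of $dir is trustworthy, otherwise a
# string naming the first component that fails and why.
sub untrusted_component {
    my ($dir) = @_;
    my $cur = File::Spec->rootdir;
    for my $part (File::Spec->splitdir(File::Spec->rel2abs($dir))) {
        next if $part eq '';
        $cur = File::Spec->catdir($cur, $part);
        # -l uses lstat, so a symlink is seen as a symlink, not followed
        return "$cur is a symlink" if -l $cur;
        my @st = stat($cur) or return "$cur: $!";
        my ($mode, $uid) = @st[2, 4];
        return "$cur is not owned by uid $> or root"
            unless $uid == $> || $uid == 0;
        # group/other write is only acceptable on sticky directories like /tmp
        return "$cur is writable by others without the sticky bit"
            if ($mode & 022) && !($mode & 01000);
    }
    return;
}

sub guarded_tempdir {
    my ($template) = @_;
    my (undef, $dir) = File::Spec->splitpath($template);
    if (my $why = untrusted_component($dir)) {
        die "refusing to create temporary directory: $why\n";
    }
    return tempdir($template, CLEANUP => 1);
}

# With the layout from the report (/tmp/exploit -> /tmp) this dies instead
# of returning a path that passes through another user's symlink.
my $path = eval { guarded_tempdir('/tmp/exploit/meXXXX') };
print defined $path ? "created $path\n" : "blocked: $@";
```

The walk and the later mkdir are separate system calls, so this narrows the window rather than closing it; it is a guard for callers, not a substitute for the patched File::Temp.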
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 18:13:48 UTC
Stalled upstream. @maintainers: please apply the patch.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2014-10-15 22:11:34 UTC
This is fixed in 

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
virtual/perl-File-Temp-0.230.400-r2
perl-core/File-Temp-0.230.400-r1

Note that we have to keep carrying the patches.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2014-10-15 22:31:50 UTC
Arches please stabilize:

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
dev-lang/perl-5.18.2-r2

Target: all stable arches

[The only change in the dev-lang/perl ebuild is the addition of a PDEPEND to ensure that the perl-core package is installed.]
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-16 10:22:46 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-10-16 10:23:39 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-16 11:05:07 UTC
All three stable on alpha.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-16 15:31:12 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-10-17 13:13:58 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-10-17 13:27:33 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-10-18 14:06:19 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-10-18 14:10:23 UTC
sparc stable
Comment 12 SpanKY gentoo-dev 2014-10-21 18:47:43 UTC
all are stable now
Comment 13 Andreas K. Hüttel archtester gentoo-dev 2014-10-21 20:27:35 UTC
Old versions removed. Perl out.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2014-10-21 21:27:43 UTC
(In reply to SpanKY from comment #12)
> all are stable now

(In reply to Andreas K. Hüttel from comment #13)
> Old versions removed. Perl out.

Old version restored since arm stabilization was missing.

arm please stabilize:

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
dev-lang/perl-5.18.2-r2
Comment 15 Markus Meier gentoo-dev 2014-10-22 19:16:33 UTC
arm stable, all arches done.
Comment 16 Andreas K. Hüttel archtester gentoo-dev 2014-10-24 18:38:11 UTC
Old versions removed. Perl out.
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-10-24 18:45:37 UTC
GLSA vote: no.
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-25 15:59:57 UTC
GLSA vote: no, too.

Closing noglsa.