Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 390719 (CVE-2011-4116) - <perl-core/File-Temp-0.230.0: insecure temporary file handling vulnerability (CVE-2011-4116)
Summary: <perl-core/File-Temp-0.230.0: insecure temporary file handling vulnerability ...
Status: RESOLVED FIXED
Alias: CVE-2011-4116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://rt.cpan.org/Public/Bug/Displa...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-16 10:35 UTC by Agostino Sarubbo
Modified: 2014-12-25 15:59 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-11-16 10:35:36 UTC
From the upstream bug at $URL:

Description:
As user "attacker":

ln -s /tmp /tmp/exploit

As user "victim":

perl -MFile::Temp -e 'File::Temp->safe_level(File::Temp::HIGH); print
File::Temp::tempdir("/tmp/exploit/meXXXX") . "\n";'

The temporary directory path that is returned includes the symlink owned
by the "attacker" user.

Solution:
https://rt.cpan.org/Ticket/Attachment/949904/493927/symlink-safety.patch
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 18:13:48 UTC
Stalled upstream. @maintainers: please apply the patch.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2014-10-15 22:11:34 UTC
This is fixed in 

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
virtual/perl-File-Temp-0.230.400-r2
perl-core/File-Temp-0.230.400-r1

Note that we have to keep carrying the patches.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2014-10-15 22:31:50 UTC
Arches please stabilize:

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
dev-lang/perl-5.18.2-r2

Target: all stable arches

[The only change in the dev-lang/perl ebuild is the addition of a PDEPEND to ensure that the perl-core package is installed.]
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-16 10:22:46 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-10-16 10:23:39 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-16 11:05:07 UTC
All three stable on alpha.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-16 15:31:12 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-10-17 13:13:58 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-10-17 13:27:33 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-10-18 14:06:19 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-10-18 14:10:23 UTC
sparc stable
Comment 12 SpanKY gentoo-dev 2014-10-21 18:47:43 UTC
all are stable now
Comment 13 Andreas K. Hüttel archtester gentoo-dev 2014-10-21 20:27:35 UTC
Old versions removed. Perl out.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2014-10-21 21:27:43 UTC
(In reply to SpanKY from comment #12)
> all are stable now

(In reply to Andreas K. Hüttel from comment #13)
> Old versions removed. Perl out.

Old version restored since arm stabilization was missing.

arm please stabilize:

virtual/perl-File-Temp-0.230.0-r1
perl-core/File-Temp-0.230.0
dev-lang/perl-5.18.2-r2
Comment 15 Markus Meier gentoo-dev 2014-10-22 19:16:33 UTC
arm stable, all arches done.
Comment 16 Andreas K. Hüttel archtester gentoo-dev 2014-10-24 18:38:11 UTC
Old versions removed. Perl out.
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-10-24 18:45:37 UTC
GLSA vote: no.
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-25 15:59:57 UTC
GLSA vote: no, too.

Closing noglsa.