Hi

Attached is a (preliminary) proposed debdiff for the issue, and
applying for squeeze (this is prepared in git repository but not yet
pushed).

I did not found time to do the same for libpar-packer-perl so far.

Regards
Salvatore
diff -Nru libpar-perl-1.000/debian/changelog libpar-perl-1.000/debian/changelog
--- libpar-perl-1.000/debian/changelog	2010-04-13 21:21:16.000000000 +0200
+++ libpar-perl-1.000/debian/changelog	2011-12-07 15:58:15.000000000 +0100
@@ -1,3 +1,12 @@
+libpar-perl (1.000-1+squeeze1) stable; urgency=low
+
+  * Team upload.
+  * Add create-safe-temporary-directories.patch patch.
+    Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
+    predictable temporary directories. (Closes: #650707)
+
+ -- Salvatore Bonaccorso <[email protected]>  Wed, 07 Dec 2011 15:53:57 +0100
+
 libpar-perl (1.000-1) unstable; urgency=low
 
   [ Ryan Niebur ]
diff -Nru libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch
--- libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch	2011-12-07 15:58:15.000000000 +0100
@@ -0,0 +1,74 @@
+Description: Create safe temporary directories
+ CVE-2011-4114: PAR packed files are extracted to unsafe and predictable
+ temporary directories.
+ .
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, make sure that (and bail out if not)
+   - it's not a symlink
+   - it's mode 0700
+   - it's owned by USER
+Origin: upstream
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560
+Bug-Debian: http://bugs.debian.org/650707
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <[email protected]>
+Last-Update: 2011-12-07
+
+--- a/lib/PAR/SetupTemp.pm
++++ b/lib/PAR/SetupTemp.pm
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+ 
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+ 
+ =head1 NAME
+@@ -42,8 +44,9 @@
+     }
+ 
+     my $stmpdir = _get_par_user_tempdir();
++    die "unable to create cache directory" unless $stmpdir;
++
+     require File::Spec;
+-    if (defined $stmpdir) { # it'd be quite bad if this was not the case
+       if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) {
+           my $ctx = _get_digester();
+ 
+@@ -71,8 +74,7 @@
+       }
+ 
+       $ENV{PAR_TEMP} = $stmpdir;
+-      mkdir $stmpdir, 0755;
+-    } # end if found a temp dir
++    mkdir $stmpdir, 0700;
+ 
+     $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,7 +100,24 @@
+     next unless defined $path and -d $path and -w $path;
+     $temp_path = File::Spec->catdir($path, "par-$username");
+     ($temp_path) = $temp_path =~ /^(.*)$/s;
+-    mkdir $temp_path, 0755;
++    unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++      warn "creation of private subdirectory $temp_path failed (errno=$!)"; 
++      return;
++    }
++
++    unless ($^O eq 'MSWin32') {
++        my @st;
++        unless (@st = lstat($temp_path)) {
++          warn "stat of private subdirectory $temp_path failed (errno=$!)";
++          return;
++        }
++        if (!S_ISDIR($st[2])
++            || $st[4] != $<
++            || ($st[2] & 0777) != 0700 ) {
++          warn "private subdirectory $temp_path is unsafe (please remove it and retry your operation)";
++          return;
++        }
++    }
+ 
+     last;
+   }
diff -Nru libpar-perl-1.000/debian/patches/series libpar-perl-1.000/debian/patches/series
--- libpar-perl-1.000/debian/patches/series	2010-03-28 18:22:00.000000000 +0200
+++ libpar-perl-1.000/debian/patches/series	2011-12-07 15:58:15.000000000 +0100
@@ -1 +1,2 @@
 fix-test_50-autoloaderfix.t.patch
+create-safe-temporary-directories.patch

Attachment: signature.asc
Description: Digital signature

Reply via email to