Hey Adam

On Sun, Dec 18, 2011 at 02:50:49PM +0000, Adam D. Barratt wrote:
> tag 652107 + squeeze moreinfo
> thanks
>
> On Wed, 2011-12-14 at 22:12 +0100, Salvatore Bonaccorso wrote:
> > libpar-packer-perl 1.006-1 and libpar-perl 1.000-1 in Squeeze are
> > affected by CVE-2011-4114: "PAR packed files are extracted to unsafe
> > and predictable temporary directories.".
> [...]
> > The debdiffs I would propose are attached. I have one further
> > question, would you accept addition of these patches (adapted) [3] and
> > [4]?
> >
> > [3]
> > http://search.cpan.org/diff?from=PAR-Packer-1.011&to=PAR-Packer-1.012&w=1
> > [4] http://search.cpan.org/diff?from=PAR-1.004&to=PAR-1.005&w=1
>
> Yes, those patches should be okay to include. I'd like to see final
> debdiffs before giving a final ACK though.
Sure, please find both attached. In case you would like to have something changed, I will do so.

> It wasn't entirely clear from your mail, but have the packages with the
> patches applied been tested on squeeze?

Yes, now I tested the packages on Squeeze. The build already contains some tests, which all pass; furthermore I did some testing with a par file and the pp utility. They now detect an unsafe directory in /tmp if I create it manually with unsafe permissions.

Regards
Salvatore
diff -Nru libpar-packer-perl-1.006/debian/changelog libpar-packer-perl-1.006/debian/changelog --- libpar-packer-perl-1.006/debian/changelog 2010-06-28 18:17:16.000000000 +0200 +++ libpar-packer-perl-1.006/debian/changelog 2011-12-18 20:51:10.000000000 +0100 @@ -1,3 +1,18 @@ +libpar-packer-perl (1.006-1+squeeze1) stable; urgency=low + + * Team upload. + * Add create-safe-temporary-directories.patch patch. + Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and + predictable temporary directories. (Closes: #650706) + * Bump (Build-)Depends on libpar-perl. + Bump the dependencies to libpar-perl (>= 1.000-1+squeeze1) as this + version contains the other half of the fix for CVE-2011-4114. + * Add run_all_tests_using_a_nonce_PAR_TMPDIR.patch. + Run all tests using a nonce PAR_TMPDIR (a leftover /tmp/par-USER + directory from previous builds may now be considered "unsafe") + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 18 Dec 2011 20:44:15 +0100 + libpar-packer-perl (1.006-1) unstable; urgency=low * New upstream release. diff -Nru libpar-packer-perl-1.006/debian/control libpar-packer-perl-1.006/debian/control --- libpar-packer-perl-1.006/debian/control 2010-06-28 18:13:58.000000000 +0200 +++ libpar-packer-perl-1.006/debian/control 2011-12-18 20:51:10.000000000 +0100 @@ -6,7 +6,7 @@ libgetopt-argvfile-perl (>= 1.07), libinline-perl, libmodule-scandeps-perl (>= 0.96), - libpar-perl (>= 1.000), + libpar-perl (>= 1.000-1+squeeze1), libperl-dev, libtest-pod-perl, perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3) 
@@ -28,7 +28,7 @@ libgetopt-argvfile-perl (>= 1.07), libmodule-scandeps-perl (>= 0.96), libpar-dist-perl (>= 0.22), - libpar-perl (>= 1.000), + libpar-perl (>= 1.000-1+squeeze1), perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3) Recommends: libtk-perl Description: utility for creating PAR archives and stand-alone executables diff -Nru libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch --- libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch 1970-01-01 01:00:00.000000000 +0100 +++ libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch 2011-12-18 20:51:10.000000000 +0100 
@@ -0,0 +1,67 @@ +Description: Create safe temporary directories + CVE-2011-4114: PAR packed files are extracted to unsafe and predictable + temporary directories. + . + - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 + - if it already exists, make sure that (and bail out if not) + - it's not a symlink + - it's mode 0700 + - it's owned by USER +Origin: upstream +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560 +Bug-Debian: http://bugs.debian.org/650706 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2011-12-13 + +--- a/myldr/mktmpdir.c ++++ b/myldr/mktmpdir.c +@@ -153,7 +153,38 @@ + stmpdir = malloc( stmp_len ); + stmpdir2 = malloc( stmp_len ); + sprintf(stmpdir2, "%s%s%s%s", tmpdir, dir_sep, subdirbuf_prefix, username); +- my_mkdir(stmpdir2, 0755); ++#ifdef WIN32 ++ _mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */ ++#else ++ { ++ struct stat st; ++ ++ if (mkdir(stmpdir2, 0700) == -1 && errno != EEXIST) { ++ fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n", ++ argv[0], stmpdir2, errno); ++ return NULL; ++ } ++ ++ /* now check that: ++ * - stmpdir2 is a directory (and not a symlink) ++ * - stmpdir2 is owned by the user ++ * - stmpdir2 has mode 0700 ++ */ ++ if (lstat(stmpdir2, &st) == -1) { ++ fprintf(stderr, "%s: stat of private subdirectory %s failed (errno=%i)\n", ++ argv[0], stmpdir2, errno); ++ return NULL; ++ } ++ ++ if (!S_ISDIR(st.st_mode) ++ || st.st_uid != getuid() ++ || (st.st_mode & 0777) != 0700 ) { ++ fprintf(stderr, "%s: private subdirectory %s is unsafe\n", ++ argv[0], stmpdir2); ++ return NULL; ++ } ++ } ++#endif + + /* Doesn't really work - XXX */ + val = par_getenv( "PATH" ); +@@ -239,7 +270,7 @@ + a prior invocation crashed leaving garbage in a temp directory that + might interfere. 
*/ + +- while (my_mkdir(stmpdir, 0755) == -1 && errno == EEXIST) { ++ while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) { + sprintf( + stmpdir, + "%s%stemp-%u-%u%s", diff -Nru libpar-packer-perl-1.006/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch libpar-packer-perl-1.006/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch --- libpar-packer-perl-1.006/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch 1970-01-01 01:00:00.000000000 +0100 +++ libpar-packer-perl-1.006/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch 2011-12-18 20:51:10.000000000 +0100 
@@ -0,0 +1,71 @@ +Description: run all tests using a nonce PAR_TMPDIR +Origin: upstream, http://search.cpan.org/diff/PAR-Packer-1.011-PAR-Packer-1.012.-w.diff +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2011-12-18 +Applied-Upstream: yes + +--- a/t/10-parl-generation.t ++++ b/t/10-parl-generation.t +@@ -9,6 +9,8 @@ + use Config qw/%Config/; + use vars qw/@INC %INC/; + ++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); ++ + unshift @INC, ($FindBin::Bin); + use_ok('PAR'); + use_ok('PAR::StrippedPARL::Static'); +--- a/t/20-pp.t ++++ b/t/20-pp.t +@@ -5,8 +5,11 @@ + use Config; + use FindBin; + use File::Spec; ++use File::Temp (); + use ExtUtils::MakeMaker; + ++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); ++ + sub samefiles { + my ($f1, $f2) = @_; + $f1 eq $f2 and return 1; +--- a/t/30-current_exec.t ++++ b/t/30-current_exec.t +@@ -5,6 +5,7 @@ + use File::Spec; + use File::Path; + use File::Basename; ++use File::Temp (); + use FindBin; + + use Test::More; +@@ -12,6 +13,8 @@ + if $FindBin::Bin =~ / /; + plan tests => 4; + ++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); ++ + my $has_inline_c = eval "use Inline; 1;"; + # warn $@ if $@; + +--- a/t/40-packer_cd_option.t ++++ b/t/40-packer_cd_option.t +@@ -4,6 +4,8 @@ + use strict; + use warnings; + ++use File::Temp (); ++ + # Fake a frontend to see if caching options are correctly passed through + package TestFE; + +@@ -27,6 +29,8 @@ + use Test::More (tests => 2); + use PAR::Packer; + ++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); ++ + for my $opt (qw/cd cachedeps/){ + TestFE::init(); + my $p = PAR::Packer->new(); diff -Nru libpar-packer-perl-1.006/debian/patches/series libpar-packer-perl-1.006/debian/patches/series --- libpar-packer-perl-1.006/debian/patches/series 2010-04-14 16:43:02.000000000 +0200 +++ libpar-packer-perl-1.006/debian/patches/series 2011-12-18 20:51:10.000000000 +0100 
@@ -1,3 +1,5 @@ fix-pod-spelling.patch 01_manpage-ext.patch fix-with-new-par-name +create-safe-temporary-directories.patch +run_all_tests_using_a_nonce_PAR_TMPDIR.patch
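Review bot: in the myldr/mktmpdir.c hunk at @@ -153, the WIN32 branch `_mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */` neither checks the return value nor performs the not-a-symlink / owned-by-user / mode-0700 validation that the POSIX branch does, so the CVE-2011-4114 hardening only takes effect on non-Windows builds. That is acceptable for a Squeeze update, but the limitation should be stated in the patch description rather than only in a FIXME comment. Please also confirm that mktmpdir.c already includes `<sys/stat.h>` and `<unistd.h>`: `lstat`, `S_ISDIR` and `getuid` are new uses in this hunk and the context lines do not show the include block.

Review bot: the second myldr/mktmpdir.c hunk (@@ -239) only changes the mode of the per-run directory from 0755 to 0700; the loop still retries solely on EEXIST, so any other mkdir failure leaves the loop with stmpdir pointing at a directory that was never created. That is pre-existing behaviour, but a one-line comment explaining why no ownership or mode check is needed on stmpdir (it is created inside the parent that was just validated as user-owned and 0700) would help the next reader see that the two hunks belong together.

Review bot: in the t/10-parl-generation.t hunk (@@ -9,6) of run_all_tests_using_a_nonce_PAR_TMPDIR.patch, `File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1)` is called without a corresponding `use File::Temp ();`, unlike the t/20-pp.t, t/30-current_exec.t and t/40-packer_cd_option.t hunks, and the visible context (`use Config qw/%Config/;`, `use vars qw/@INC %INC/;`) does not load it either. Unless File::Temp is pulled in earlier in that file, the call fails with an undefined subroutine; please verify, or add the `use File::Temp ();` line for consistency with the other three tests.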
diff -Nru libpar-perl-1.000/debian/changelog libpar-perl-1.000/debian/changelog --- libpar-perl-1.000/debian/changelog 2010-04-13 21:21:16.000000000 +0200 +++ libpar-perl-1.000/debian/changelog 2011-12-18 20:33:10.000000000 +0100 @@ -1,3 +1,15 @@ +libpar-perl (1.000-1+squeeze1) stable; urgency=low + + * Team upload. + * Add create-safe-temporary-directories.patch patch. + Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and + predictable temporary directories. (Closes: #650707) + * Add run_all_tests_using_a_nonce_PAR_TMPDIR.patch. + Run all tests using a nonce PAR_TMPDIR (a leftover /tmp/par-USER + directory from previous builds may now be considered "unsafe") + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 18 Dec 2011 20:31:44 +0100 + libpar-perl (1.000-1) unstable; urgency=low [ Ryan Niebur ] diff -Nru libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch --- libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch 1970-01-01 01:00:00.000000000 +0100 +++ libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch 2011-12-18 20:33:10.000000000 +0100 
@@ -0,0 +1,74 @@ +Description: Create safe temporary directories + CVE-2011-4114: PAR packed files are extracted to unsafe and predictable + temporary directories. + . + - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 + - if it already exists, make sure that (and bail out if not) + - it's not a symlink + - it's mode 0700 + - it's owned by USER +Origin: upstream +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560 +Bug-Debian: http://bugs.debian.org/650707 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2011-12-07 + +--- a/lib/PAR/SetupTemp.pm ++++ b/lib/PAR/SetupTemp.pm +@@ -5,6 +5,8 @@ + use strict; + use warnings; + ++use Fcntl ':mode'; ++ + use PAR::SetupProgname; + + =head1 NAME +@@ -42,8 +44,9 @@ + } + + my $stmpdir = _get_par_user_tempdir(); ++ die "unable to create cache directory" unless $stmpdir; ++ + require File::Spec; +- if (defined $stmpdir) { # it'd be quite bad if this was not the case + if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) { + my $ctx = _get_digester(); + +@@ -71,8 +74,7 @@ + } + + $ENV{PAR_TEMP} = $stmpdir; +- mkdir $stmpdir, 0755; +- } # end if found a temp dir ++ mkdir $stmpdir, 0700; + + $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/; + } +@@ -98,7 +100,24 @@ + next unless defined $path and -d $path and -w $path; + $temp_path = File::Spec->catdir($path, "par-$username"); + ($temp_path) = $temp_path =~ /^(.*)$/s; +- mkdir $temp_path, 0755; ++ unless (mkdir($temp_path, 0700) || $!{EEXIST}) { ++ warn "creation of private subdirectory $temp_path failed (errno=$!)"; ++ return; ++ } ++ ++ unless ($^O eq 'MSWin32') { ++ my @st; ++ unless (@st = lstat($temp_path)) { ++ warn "stat of private subdirectory $temp_path failed (errno=$!)"; ++ return; ++ } ++ if (!S_ISDIR($st[2]) ++ || $st[4] != $< ++ || ($st[2] & 0777) != 0700 ) { ++ warn "private subdirectory $temp_path is unsafe (please remove it and retry your operation)"; ++ 
return; ++ } ++ } + + last; + } diff -Nru libpar-perl-1.000/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch libpar-perl-1.000/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch --- libpar-perl-1.000/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch 1970-01-01 01:00:00.000000000 +0100 +++ libpar-perl-1.000/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch 2011-12-18 20:33:10.000000000 +0100 
@@ -0,0 +1,62 @@ +Description: run all tests using a nonce PAR_TMPDIR +Origin: upstream, http://search.cpan.org/diff/PAR-1.004-PAR-1.005.-w.diff +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2011-12-18 +Applied-Upstream: yes + +--- a/t/01-basic.t ++++ b/t/01-basic.t +@@ -4,8 +4,10 @@ + use Test::More tests => 8; + use File::Spec; + use File::Path; ++use File::Temp (); + + BEGIN { ++ $ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); + $ENV{PAR_CLEAN} = 1; + } + +--- a/t/40-par-hashref.t ++++ b/t/40-par-hashref.t +@@ -3,9 +3,12 @@ + use Test::More tests => 7; + + use File::Spec; ++use File::Temp (); + use FindBin; + use vars qw/@INC %INC/; + ++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); ++ + unshift @INC, ($FindBin::Bin); + use_ok('PAR'); + +--- a/t/50-autoloaderfix.t ++++ b/t/50-autoloaderfix.t +@@ -1,6 +1,10 @@ + #!/usr/bin/perl + # Problem doesn't manifest if Test::More is in effect? + # What the hell? ++ ++use File::Temp (); ++BEGIN { $ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); } ++ + $|=1; + print "1..1\n"; + use PAR; +--- a/t/60-cleanup.t ++++ b/t/60-cleanup.t +@@ -6,9 +6,11 @@ + # the /tmp/par-$USER/temp-$$ directories get cleaned up when + # in CLEAN mode. + ++use File::Temp (); + use Test::More tests => 5; + + BEGIN { ++ $ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); + $ENV{PAR_CLEAN} = 1; + delete $ENV{PAR_TEMP}; + } diff -Nru libpar-perl-1.000/debian/patches/series libpar-perl-1.000/debian/patches/series --- libpar-perl-1.000/debian/patches/series 2010-03-28 18:22:00.000000000 +0200 +++ libpar-perl-1.000/debian/patches/series 2011-12-18 20:33:10.000000000 +0100 @@ -1 +1,3 @@ fix-test_50-autoloaderfix.t.patch +create-safe-temporary-directories.patch +run_all_tests_using_a_nonce_PAR_TMPDIR.patch
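Review bot: in the lib/PAR/SetupTemp.pm hunk at @@ -71, `mkdir $stmpdir, 0700;` still ignores its return value, whereas the parent-directory creation in the @@ -98 hunk now fails loudly. Because $stmpdir is created inside the parent that was just validated as user-owned and 0700, a silent failure is far less dangerous than before, but a `warn` on any failure other than EEXIST would surface a broken cache directory immediately instead of producing a confusing error later in the extraction.

Review bot: in the lib/PAR/SetupTemp.pm hunk at @@ -98, a mkdir failure other than EEXIST now does `return` from `_get_par_user_tempdir` instead of moving on to the next candidate path, so one candidate that passes the `-d`/`-w` test but cannot be populated aborts setup via the new `die "unable to create cache directory"` rather than falling back to the next directory. If that fail-closed behaviour is intended (and it is the safer choice for this CVE), the patch description should say so. The check itself (lstat, `S_ISDIR`, uid equal to `$<`, mode exactly 0700) mirrors the C side, `$!{EEXIST}` works without an explicit `use Errno` because the magic `%!` hash autoloads it, and `use Fcntl ':mode'` in the first hunk supplies `S_ISDIR`; as on the C side, the validation is skipped entirely on MSWin32, which should also be noted in the description.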