From 8093e46d867638a508e443702a85be91a2499d3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= <m...@redhat.com>
Date: Tue, 29 Sep 2015 19:36:58 +0200
Subject: Fix use of predictable temporary file names
---
 IPTables-Parse-1.5-predictable-tmp.patch | 48 ++++++++++++++++++++++++++++++++
 perl-IPTables-Parse.spec | 4 +++
 2 files changed, 52 insertions(+)
 create mode 100644 IPTables-Parse-1.5-predictable-tmp.patch
diff --git a/IPTables-Parse-1.5-predictable-tmp.patch b/IPTables-Parse-1.5-predictable-tmp.patch
new file mode 100644
index 0000000..7e2d9de
--- /dev/null
+++ b/IPTables-Parse-1.5-predictable-tmp.patch
@@ -0,0 +1,48 @@
+From b400b976d81140f6971132e94eb7657b5b0a2b87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= <m...@redhat.com>
+Date: Tue, 29 Sep 2015 19:09:43 +0200
+Subject: [PATCH] Don't use predictable names for temporary files
+
+This allows an attacker on a multi-user system to set up symlinks to
+overwrite any file the current user has write access to.
+
+Don't recommend users of this module to use predictable names either.
+---
+ lib/IPTables/Parse.pm | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/lib/IPTables/Parse.pm b/lib/IPTables/Parse.pm
+index 7c27b8b..cbd2042 100644
+--- a/lib/IPTables/Parse.pm
++++ b/lib/IPTables/Parse.pm
+@@ -17,6 +17,7 @@ package IPTables::Parse;
+ use 5.006;
+ use POSIX ":sys_wait_h";
+ use Carp;
++use File::Temp;
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -36,8 +37,8 @@ sub new() {
+ _firewall_cmd => $args{'firewall-cmd'} || '',
+ _fwd_args => $args{'fwd_args'} || '--direct --passthrough ipv4',
+ _ipv6 => $args{'use_ipv6'} || 0,
+- _iptout => $args{'iptout'} || '/tmp/ipt.out' . $$,
+- _ipterr => $args{'ipterr'} || '/tmp/ipt.err' . $$,
++ _iptout => $args{'iptout'} || mktemp('/tmp/ipt.out.XXXXXX'),
++ _ipterr => $args{'ipterr'} || mktemp('/tmp/ipt.err.XXXXXX'),
+ _ipt_alarm => $args{'ipt_alarm'} || 30,
+ _debug => $args{'debug'} || 0,
+ _verbose => $args{'verbose'} || 0,
+@@ -980,8 +981,6 @@ IPTables::Parse - Perl extension for parsing iptables and ip6tables policies
+ 'use_ipv6' => 0, # can set to 1 to force ip6tables usage
+ 'ipt_rules_file' => '', # optional file path from
+ # which to read iptables rules
+- 'iptout' => '/tmp/iptables.out',
+- 'ipterr' => '/tmp/iptables.err',
+ 'debug' => 0,
+ 'verbose' => 0
+ );
+--
+2.4.3
+
diff --git a/perl-IPTables-Parse.spec b/perl-IPTables-Parse.spec
index 74602db..ee40570 100644
--- a/perl-IPTables-Parse.spec
+++ b/perl-IPTables-Parse.spec
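Review bot: `mktemp('/tmp/ipt.out.XXXXXX')` in the `sub new()` hunk only returns an unpredictable name and creates nothing on disk, so the file is still opened later by path and the symlink race described in the commit message is narrowed rather than closed; File::Temp's own documentation steers callers to `mkstemp`/`tempfile` for exactly this reason. Creating the file at construction time, e.g. `_iptout => $args{'iptout'} || (tempfile('/tmp/ipt.out.XXXXXX'))[1],` and the same for `_ipterr`, yields an exclusively-created file whose name the rest of the module can keep using, though whichever code later removes the files would need checking outside this hunk. Separately, `use File::Temp;` exports only `tempfile` and `tempdir` by default, so the `mktemp` call as written appears to need `use File::Temp qw(:mktemp);` to resolve at runtime — worth confirming against a build of the patched module. The body of `new` starts and ends outside the hunk.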
@@ -7,6 +7,8 @@ Group: Development/Libraries
 URL: http://www.cipherdyne.org/modules/
 Source0: http://www.cipherdyne.org/modules/IPTables-Parse-%{version}.tar.bz2
 Source1: http://www.cipherdyne.org/modules/IPTables-Parse-%{version}.tar.bz2.asc
+# https://github.com/mrash/IPTables-Parse/pull/6
+Patch0: IPTables-Parse-1.5-predictable-tmp.patch
 BuildArch: noarch
 BuildRequires: perl(ExtUtils::MakeMaker)
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
@@ -21,6 +23,7 @@ rules exist.
 %prep
 %setup -q -n IPTables-Parse-%{version}
+%patch0 -p1
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -49,6 +52,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Tue Sep 29 2015 Miloslav Trmač <m...@redhat.com> - 1.5-1
 - Update to IPTables-Parse-1.5
+- Fix use of predictable temporary file names
 * Thu Jun 18 2015 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 1.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
--
cgit v0.11.2 http://pkgs.fedoraproject.org/cgit/perl-IPTables-Parse.git/commit/?h=f22&id=8093e46d867638a508e443702a85be91a2499d3b
--
Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-de...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel