This queue is for tickets about the Parallel-ForkManager CPAN distribution.

Report information
The Basics
Id: 68298
Status: resolved
Priority: 0/
Queue: Parallel-ForkManager

People
Owner: dlux [...] dlux.hu
Requestors: john [...] nixnuts.net
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.7.6
Fixed in: (no value)



Subject: Insecure /tmp file handling
Parallel::ForkManager's handling of temporary files is very insecure.

1) Temporary file names are predictable. There is nothing random about the temporary file names in Parallel::ForkManager. Using a predictable filename in a directory writable by others turns theoretical exploits (if I guess the filename and do X, Y, Z) into actual exploits (if I do X, Y, Z).

2) Parallel::ForkManager allows overwriting arbitrary files. Ex: Root is running code under Parallel::ForkManager that uses the temporary file logic. Attacker sees the code running in ps output and symlinks /tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /etc/shadow. Storable will overwrite the shadow file and make logins impossible on the system.

3) Parallel::ForkManager allows an attacker to feed arbitrary data to the return mechanism. Ex: Root is running code under Parallel::ForkManager that uses the temporary file logic. Attacker creates a dangling symlink from /tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /home/attacker/attack.txt. Now the attacker goes into a loop waiting for attack.txt to appear and as soon as it does the attacker unlinks it and replaces it with a file containing whatever arbitrary data the attacker wants to feed into the parent.

4) Parallel::ForkManager uses insecure permissions on its temporary files. Storable is just going to use the umask when creating the temporary files. The default umask on most systems is 0022, meaning that any account on the system can inspect the contents of the /tmp files.
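The four points in the report, replayed as an added illustration in Python. This is not Parallel::ForkManager's code and not from the reporter; it models the mechanism the report describes (a PID-only file name in a shared directory, written through a plain open that follows symlinks) and sets a hardened version beside it: a per-run mkdtemp() directory, O_CREAT|O_EXCL|O_NOFOLLOW with an explicit mode of 0600 on the write side, and an fstat() check on the open descriptor on the read side. All names here (predictable_path, write_insecure, write_secure, read_secure, demo, run_demo, the `victim` and `shared-tmp` stand-ins for /etc/shadow and /tmp, and the PIDs 4242/4243) are assumptions for the example.

```python
import errno
import os
import stat
import tempfile

NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # not defined on every platform


def predictable_path(shared_dir, parent_pid, child_pid):
    # Stand-in for the report's scheme: PID-only name in a shared, world-writable
    # directory, so the path can be predicted from `ps` output before it exists.
    return os.path.join(shared_dir, f"Parallel-ForkManager-{parent_pid}-{child_pid}.txt")


def write_insecure(path, data):
    # The criticised pattern: open() follows a pre-planted symlink and creates
    # the file with whatever the umask allows (0644 under the usual 022).
    with open(path, "wb") as fh:
        fh.write(data)


def private_tempdir(parent_dir=None):
    # Hardened: mkdtemp makes a randomly named 0700 directory, so other users
    # can neither predict the path nor plant a link inside it.
    return tempfile.mkdtemp(prefix="pfm-", dir=parent_dir)


def write_secure(path, data):
    # Hardened: O_CREAT|O_EXCL refuses an existing name or a symlink (dangling
    # or not) instead of following it; mode 0600 is requested, not left to umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def read_secure(path):
    # Hardened read of a child's result: do not follow symlinks, then fstat the
    # open descriptor and accept only a regular, single-link file that we own.
    fd = os.open(path, os.O_RDONLY | NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())
        if not (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid() and st.st_nlink == 1):
            raise PermissionError(f"untrusted result file: {path}")
        return fh.read()


def demo(sandbox):
    # Replay the report's attack inside `sandbox` (constructed: `victim` plays
    # /etc/shadow and `shared-tmp` plays /tmp); returns what was observed.
    victim = os.path.join(sandbox, "victim")
    with open(victim, "wb") as fh:
        fh.write(b"root:x:0:0\n")
    shared = os.path.join(sandbox, "shared-tmp")
    os.mkdir(shared)

    # Attacker predicts the name and plants a symlink; the insecure writer
    # follows it and clobbers the victim file.
    target = predictable_path(shared, 4242, 4243)
    os.symlink(victim, target)
    write_insecure(target, b"garbage\n")
    with open(victim, "rb") as fh:
        overwrote = fh.read() == b"garbage\n"

    # Same attack on the hardened writer: the open fails instead. (A 0700
    # directory would stop the planting itself; it is forced here to show this.)
    private = private_tempdir(sandbox)
    hardened = os.path.join(private, "4242-4243.txt")
    os.symlink(victim, hardened)
    try:
        write_secure(hardened, b"garbage\n")
        write_refused = False
    except OSError as exc:
        write_refused = exc.errno in (errno.EEXIST, errno.ELOOP)

    # Honest use: the result file is 0600 and round-trips; a symlink swapped
    # in afterwards is rejected on the read side.
    os.unlink(hardened)
    write_secure(hardened, b"result\n")
    secure_mode = stat.S_IMODE(os.stat(hardened).st_mode)
    roundtrip = read_secure(hardened)
    os.unlink(hardened)
    os.symlink(victim, hardened)
    try:
        read_secure(hardened)
        read_refused = False
    except OSError:
        read_refused = True

    return {
        "insecure_overwrote_victim": overwrote,
        "private_dir_mode": stat.S_IMODE(os.stat(private).st_mode),
        "secure_write_refused_symlink": write_refused,
        "secure_file_mode": secure_mode,
        "roundtrip": roundtrip,
        "secure_read_refused_symlink": read_refused,
    }


def run_demo():
    # Run demo() in a throwaway directory that is removed afterwards.
    with tempfile.TemporaryDirectory() as box:
        return demo(box)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Run it directly and it prints the observations. The module itself serialises the child's result with Storable rather than writing raw bytes, but the open()/fstat() discipline shown here is independent of the serialiser: the private directory removes the predictability, O_EXCL and O_NOFOLLOW remove the symlink following, the explicit 0600 removes the umask dependence, and the fstat() check keeps a swapped-in file from reaching the parent.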
This bug has been assigned CVE-2011-4115

From: Matt Taggart <taggart [...] debian.org>
Date: Fri, 06 Jul 2012 15:15:12 -0700
Subject: [rt.cpan.org #68298]
Any progress on this security issue in Parallel::ForkManager? Debian will be shipping a new release soon and it would be good to get a newer version in the release. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610384

Thanks,

-- 
Matt Taggart
taggart@debian.org

From: Szabo, Balazs via RT
Date: Mon, 09 Jul 2012 11:49:21 -0400
Hi Matt,

I need some more info on the last comment you made:

- What are the consequences of not fixing the bug?
- What is the timeframe to fix it?

Thanks,
Balázs

From: Matt Taggart <taggart [...] debian.org>
Date: Mon, 09 Jul 2012 20:55:23 -0700
Subject: Re: [rt.cpan.org #68298] Insecure /tmp file handling
"Szabo, Balazs via RT" writes:

Hi,

> I need some more info on the last comment you made:
> - What are the consequences of not fixing the bug?

Right now Debian provides a package based on 0.7.5 in both its stable release and also for the upcoming release currently in testing. In Jan 2011 I filed this "wishlist" severity bug asking for an update http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610384 which was closed with the "wontfix" tag due to the security problem.

The Debian stable release managers may do a couple different things:
* continue to ship the 0.7.5 based package in the next release
* drop the package from the next release until the problem is sorted out
* drop the package from the next release and the development branch until the problem is sorted out
* allow a package based on a newer version that fixes the security problem to ship in the next release
* something else I haven't thought of

Which they choose is probably dependent on if the bug is going to be fixed upstream and when, how critical they view this library, and if there are other alternative libraries that provide the same functionality.

> - What is the timeframe to fix it?

The next Debian release is currently in "freeze" but the release team may provide freeze exceptions in cases that fix release critical or security related bugs. If you fix it now there is a chance it might get in the release.

Thanks,

-- 
Matt Taggart
taggart@debian.org
Since version 1.0.0 Parallel::ForkManager creates temporary files under a directory created by File::Temp::tempdir(), which should be secure.

-- dam (trying to close the ticket)