Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the Parallel-ForkManager CPAN distribution.

Report information
The Basics

dlux [...]
john [...]

Broken in:
Fixed in:
(no value)

Subject: Insecure /tmp file handling
Parallel::ForkManager's handling of temporary files is very insecure. 1) Temporary file names are predictable. There is nothing random about the temporary file names in Parallel::ForkManager. Using a predictable filename in a directory writable by other turns theoretical exploits (if I guess the filename and do X, Y, Z) into actual exploits (if I do X Y Z.) 2) Parallel::ForkManager allows overwriting arbitrary files. Ex: Root is running code under Parallel::Forkmanager that uses the temporary file logic. Attacker sees the code running in ps output and symlinks /tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /etc/shadow. Storable will overwrite the shadow file and make logins impossible on the system. 3) Parallel::ForkManager allows an attacker to feed arbitrary data to the return mechanism. Ex: Root is running code under Parallel::ForkManager that uses the temporary file logic. Attacker creates a dangling symlink from /tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /home/attacker/attack.txt. Now the attacker goes into a loop waiting for attack.txt to appear and as soon as it does the attacker unlinks it and replaces it with a file containing whatever arbitrary data the attacker wants to feed into the parent. 4) Parallel::ForkManager uses insecure permissions on its temporary files. Sotrable is just going to use the umask when creating the temporary files. The default on umask on most systems is 0022 meaning that any account on the system can inspect the contents of the /tmp files.
This bug has been assigned CVE-2011-4115
Subject: [ #68298]
Date: Fri, 06 Jul 2012 15:15:12 -0700
From: Matt Taggart <>
Any progress on this security issue in Parallel::Forkmanager? Debian will be shipping a new release soon and it would be good to get a newer version in the release. See Thanks, -- Matt Taggart
Hi Matt, I need some more info on the last comment you made: - What are the consequences of not fixing the bug? - What is the timeframe to fix it? Thanks, Balázs
Subject: Re: [ #68298] Insecure /tmp file handling
Date: Mon, 09 Jul 2012 20:55:23 -0700
From: Matt Taggart <>
"Szabo, Balazs via RT" writes:
Show quoted text
Show quoted text
> I need some more info on the last comment you made: > - What are the consequences of not fixing the bug?
Right now Debian provides a package based on 0.7.5 in both it's stable release and also for the upcoming release currently in testing. In Jan 2011 I filed this "wishlist" severity bug asking for an update which was closed with the "wontfix" tag due to the security problem. The Debian stable release managers may do a couple different things * continue to ship the 0.7.5 based package in the next release * drop the package from the next release until the problem is sorted out * drop the package from the next release and the development branch until the problem is sorted out * allow a package based on a newer version that fixes the security problem to ship in the next release * something else I haven't thought of Which they choose is probably dependent on if the bug is going to be fixed upstream and when, how critical they view this libary, and if there are other alternative libraries that provide the same functionality.
Show quoted text
> - What is the timeframe to fix it?
The next Debian release is currently in "freeze" but the release team may provide freeze exceptions in cases that fix release critical or security related bugs. If you fix it now there is a chance it might get in the release. Thanks, -- Matt Taggart
Since version 1.0.0 Parallel::ForkManager creates temporary files under a directory created by File::Temp::tempdir(), which should be secure. -- dam (trying to close the ticket)

This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with to