Skip Menu |
 

This queue is for tickets about the Parallel-ForkManager CPAN distribution.

Report information
The Basics
Id: 68298
Status: resolved
Priority: 0/
Queue: Parallel-ForkManager

People
Owner: dlux [...] dlux.hu
Requestors: john [...] nixnuts.net
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.7.6
Fixed in: (no value)



Subject: Insecure /tmp file handling
Download (untitled) / with headers
text/plain 1.4k
Parallel::ForkManager's handling of temporary files is very insecure. 1) Temporary file names are predictable. There is nothing random about the temporary file names in Parallel::ForkManager. Using a predictable filename in a directory writable by other turns theoretical exploits (if I guess the filename and do X, Y, Z) into actual exploits (if I do X Y Z.) 2) Parallel::ForkManager allows overwriting arbitrary files. Ex: Root is running code under Parallel::Forkmanager that uses the temporary file logic. Attacker sees the code running in ps output and symlinks /tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /etc/shadow. Storable will overwrite the shadow file and make logins impossible on the system. 3) Parallel::ForkManager allows an attacker to feed arbitrary data to the return mechanism. Ex: Root is running code under Parallel::ForkManager that uses the temporary file logic. Attacker creates a dangling symlink from /tmp/Parallel-ForkManager-$parent_pid-$child_pid.txt to /home/attacker/attack.txt. Now the attacker goes into a loop waiting for attack.txt to appear and as soon as it does the attacker unlinks it and replaces it with a file containing whatever arbitrary data the attacker wants to feed into the parent. 4) Parallel::ForkManager uses insecure permissions on its temporary files. Sotrable is just going to use the umask when creating the temporary files. The default on umask on most systems is 0022 meaning that any account on the system can inspect the contents of the /tmp files.
This bug has been assigned CVE-2011-4115
Subject: [rt.cpan.org #68298]
Date: Fri, 06 Jul 2012 15:15:12 -0700
To: bug-Parallel-ForkManager [...] rt.cpan.org
From: Matt Taggart <taggart [...] debian.org>
Download (untitled) / with headers
text/plain 273b
Any progress on this security issue in Parallel::Forkmanager? Debian will be shipping a new release soon and it would be good to get a newer version in the release. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610384 Thanks, -- Matt Taggart taggart@debian.org
RT-Send-CC: taggart [...] debian.org
Download (untitled) / with headers
text/plain 166b
Hi Matt, I need some more info on the last comment you made: - What are the consequences of not fixing the bug? - What is the timeframe to fix it? Thanks, Balázs
CC: taggart [...] debian.org
Subject: Re: [rt.cpan.org #68298] Insecure /tmp file handling
Date: Mon, 09 Jul 2012 20:55:23 -0700
To: bug-Parallel-ForkManager [...] rt.cpan.org
From: Matt Taggart <taggart [...] debian.org>
Download (untitled) / with headers
text/plain 1.5k
"Szabo, Balazs via RT" writes: Show quoted text
Hi, Show quoted text
> I need some more info on the last comment you made: > - What are the consequences of not fixing the bug?
Right now Debian provides a package based on 0.7.5 in both it's stable release and also for the upcoming release currently in testing. In Jan 2011 I filed this "wishlist" severity bug asking for an update http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610384 which was closed with the "wontfix" tag due to the security problem. The Debian stable release managers may do a couple different things * continue to ship the 0.7.5 based package in the next release * drop the package from the next release until the problem is sorted out * drop the package from the next release and the development branch until the problem is sorted out * allow a package based on a newer version that fixes the security problem to ship in the next release * something else I haven't thought of Which they choose is probably dependent on if the bug is going to be fixed upstream and when, how critical they view this libary, and if there are other alternative libraries that provide the same functionality. Show quoted text
> - What is the timeframe to fix it?
The next Debian release is currently in "freeze" but the release team may provide freeze exceptions in cases that fix release critical or security related bugs. If you fix it now there is a chance it might get in the release. Thanks, -- Matt Taggart taggart@debian.org
Download (untitled) / with headers
text/plain 178b
Since version 1.0.0 Parallel::ForkManager creates temporary files under a directory created by File::Temp::tempdir(), which should be secure. -- dam (trying to close the ticket)


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.