Skip Menu |
 

This queue is for tickets about the PAR-Packer CPAN distribution.

Report information
The Basics
Id: 69560
Status: resolved
Priority: 0/
Queue: PAR-Packer

People
Owner: Nobody in particular
Requestors: john [...] nixnuts.net
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



Subject: PAR packed files are extracted to unsafe and predictable temporary directories
Download (untitled) / with headers
text/plain 658b
par_mktmpdir() makes no effort to verify that the /tmp/par-<username> directory is safe to use (owned by the correct UID and GID, not world writable, no symlinks in the path that are owned by another user.) This makes PAR packed scripts unsafe on multiuser systems. Example: 1) start with a clean /tmp (reboot the system, tmpwatch, etc.) 2) attacker does mkdir /tmp/par-victim 3) victim runs a PAR packed program 4) attacker now moves the cache directory aside and copies it back to its original location so that all she owns all of the files and can modify them at will. 5) victim runs the PAR packed program again and is now executing attacker's code.
Download (untitled) / with headers
text/plain 499b
On 2011-07-18 22:16:46, lightsey wrote: Show quoted text
> par_mktmpdir() makes no effort to verify that the /tmp/par-<username> > directory is safe to use (owned by the correct UID and GID, not world > writable, no symlinks in the path that are owned by another user.) > > This makes PAR packed scripts unsafe on multiuser systems.
Yawn. Where does it say that they are safe? If you're really concerned about safety you should use per-user temp directories, not for PAR::Packer, but in general. Cheers, Roderich
This bug has been assigned CVE-2011-4114
Download (untitled) / with headers
text/plain 804b
Presumably, one could at least have a build-time option for pp (not packaging time, but PAR::Packer compilation time) that enables some extra measures: perl Makefile.PL --paranoid make test && make install a) assert ownership of all directories and files under $TMPDIR/par-$USER b) assert that other can't write. (How portable would this be?) Doing this by default would make the cached-startup slow enough to not warrant caching at all. That would make PAR::Packer useless for all but the most trivial scripts. Think about it. If any other executable would have to scan the entire perl source tree before starting, it'd be slower to boot than java. Right now, the proper way to get entirely safe PAR'd executables is to set an alternate extraction/cache directory. See "man PAR::Environment".
Download (untitled) / with headers
text/plain 603b
On 2011-11-05 06:04:02, SMUELLER wrote: Show quoted text
> a) assert ownership of all directories and files under $TMPDIR/par-$USER > b) assert that other can't write. (How portable would this be?)
I dont't think that's really necessary. We should (on *nix): - create $TMPDIR/par-$USER with mode 0700 if it doesn't already exist - if it exists, check that it's owned by $USER and still mode 0700 (otherwise we bail out) Am I overlooking something obvious here? I checked what Gnome's orbit daemon does (it creates sockets for clients to connect to under /tmp/orbit-$USER) and it does the above. Cheers, Roderich
Fixed in PAR 1.005 and PAR::Packer 1.012 (for *nix only)


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.