Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hi Release Team libpar-packer-perl 1.006-1 and libpar-perl 1.000-1 in Squeeze are affected by CVE-2011-4114: "PAR packed files are extracted to unsafe and predictable temporary directories.". According to the security team this does not need a DSA, but could be fixed through a stable point release update. [1] http://bugs.debian.org/650706 [2] http://bugs.debian.org/650707 The debdiffs I would propose are attached. I have one further question: would you also accept the addition of these (adapted) upstream patches, [3] and [4]? [3] http://search.cpan.org/diff?from=PAR-Packer-1.011&to=PAR-Packer-1.012&w=1 [4] http://search.cpan.org/diff?from=PAR-1.004&to=PAR-1.005&w=1 Note: libpar-perl and libpar-packer-perl should both be updated. Note: To require the fixed libpar-perl, I have also bumped the versioned (Build-)Depends on libpar-perl, which contains the other half of the fix for CVE-2011-4114. Would you accept these for an upcoming point release update? I still would like to test the resulting packages. Thanks for your work! Regards, Salvatore -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash
diff -Nru libpar-packer-perl-1.006/debian/changelog libpar-packer-perl-1.006/debian/changelog
--- libpar-packer-perl-1.006/debian/changelog 2010-06-28 18:17:16.000000000 +0200
+++ libpar-packer-perl-1.006/debian/changelog 2011-12-13 22:04:05.000000000 +0100
@@ -1,3 +1,15 @@
+libpar-packer-perl (1.006-1+squeeze1) unstable; urgency=low
+
+ * Team upload.
+ * Add create-safe-temporary-directories.patch patch.
+ Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
+ predictable temporary directories. (Closes: #650706)
+ * Bump (Build-)Depends on libpar-perl.
+ Bump the dependencies to libpar-perl (>= 1.000-1+squeeze1) as this
+ version contains the other half of the fix for CVE-2011-4114.
+
+ -- Salvatore Bonaccorso <car...@debian.org> Tue, 13 Dec 2011 22:03:26 +0100
+
libpar-packer-perl (1.006-1) unstable; urgency=low
* New upstream release.
diff -Nru libpar-packer-perl-1.006/debian/control libpar-packer-perl-1.006/debian/control
--- libpar-packer-perl-1.006/debian/control 2010-06-28 18:13:58.000000000 +0200
+++ libpar-packer-perl-1.006/debian/control 2011-12-13 22:04:05.000000000 +0100
@@ -6,7 +6,7 @@
libgetopt-argvfile-perl (>= 1.07),
libinline-perl,
libmodule-scandeps-perl (>= 0.96),
- libpar-perl (>= 1.000),
+ libpar-perl (>= 1.000-1+squeeze1),
libperl-dev,
libtest-pod-perl,
perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3)
@@ -28,7 +28,7 @@
libgetopt-argvfile-perl (>= 1.07),
libmodule-scandeps-perl (>= 0.96),
libpar-dist-perl (>= 0.22),
- libpar-perl (>= 1.000),
+ libpar-perl (>= 1.000-1+squeeze1),
perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3)
Recommends: libtk-perl
Description: utility for creating PAR archives and stand-alone executables
diff -Nru libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch
--- libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch 2011-12-13 22:04:05.000000000 +0100
@@ -0,0 +1,68 @@
+Description: Create safe temporary directories
+ CVE-2011-4114: PAR packed files are extracted to unsafe and predictable
+ temporary directories.
+ .
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, make sure that (and bail out if not)
+ - it's not a symlink
+ - it's mode 0700
+ - it's owned by USER
+Origin: upstream
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560
+Bug-Debian: http://bugs.debian.org/650706
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2011-12-13
+
+--- a/myldr/mktmpdir.c
++++ b/myldr/mktmpdir.c
+@@ -153,7 +153,38 @@
+ stmpdir = malloc( stmp_len );
+ stmpdir2 = malloc( stmp_len );
+ sprintf(stmpdir2, "%s%s%s%s", tmpdir, dir_sep, subdirbuf_prefix, username);
+- my_mkdir(stmpdir2, 0755);
++#ifdef WIN32
++ _mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */
++#else
++ {
++ struct stat st;
++
++ if (mkdir(stmpdir2, 0700) == -1 && errno != EEXIST) {
++ fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n",
++ argv[0], stmpdir2, errno);
++ return NULL;
++ }
++
++ /* now check that:
++ * - stmpdir2 is a directory (and not a symlink)
++ * - stmpdir2 is owned by the user
++ * - stmpdir2 has mode 0700
++ */
++ if (lstat(stmpdir2, &st) == -1) {
++ fprintf(stderr, "%s: stat of private subdirectory %s failed (errno=%i)\n",
++ argv[0], stmpdir2, errno);
++ return NULL;
++ }
++
++ if (!S_ISDIR(st.st_mode)
++ || st.st_uid != getuid()
++ || (st.st_mode & 0777) != 0700 ) {
++ fprintf(stderr, "%s: private subdirectory %s is unsafe\n",
++ argv[0], stmpdir2);
++ return NULL;
++ }
++ }
++#endif
+
+ /* Doesn't really work - XXX */
+ val = par_getenv( "PATH" );
+@@ -239,7 +270,7 @@ + a prior invocation crashed leaving garbage in a temp directory that
+ might interfere.
*/
+
+- while (my_mkdir(stmpdir, 0755) == -1 && errno == EEXIST) {
++ while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) {
+ sprintf(
+ stmpdir,
+ "%s%stemp-%u-%u%s",
diff -Nru libpar-packer-perl-1.006/debian/patches/series libpar-packer-perl-1.006/debian/patches/series
--- libpar-packer-perl-1.006/debian/patches/series 2010-04-14 16:43:02.000000000 +0200
+++ libpar-packer-perl-1.006/debian/patches/series 2011-12-13 22:04:05.000000000 +0100
@@ -1,3 +1,4 @@
fix-pod-spelling.patch
01_manpage-ext.patch
fix-with-new-par-name
+create-safe-temporary-directories.patch
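Review bot: The retry loop at the end of the hunk, `while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) {`, still treats only EEXIST as retryable, so any other mkdir failure (EACCES, ENOSPC, ENAMETOOLONG) ends the loop with no per-run directory and, as far as the hunk shows, execution continues with `stmpdir` as if it existed; the rest of the enclosing function, including whatever follows the loop, is outside the hunk. I would capture the result, `int rc; while ((rc = my_mkdir(stmpdir, 0700)) == -1 && errno == EEXIST) {`, and after the loop bail with `if (rc == -1) { fprintf(stderr, "%s: creation of %s failed (errno=%i)\n", argv[0], stmpdir, errno); return NULL; }`, the same shape as the new stmpdir2 handling. The WIN32 branch, `_mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */`, gets none of the symlink/owner/mode checks, which the patch header should state explicitly instead of leaving it to a FIXME. The new code relies on `<sys/stat.h>` and `<unistd.h>` for lstat, S_ISDIR and getuid; whether mktmpdir.c already includes them is not visible here. The owner check compares `st.st_uid` with getuid() although mkdir creates the directory as the effective uid, so a set-uid invocation would always bail; that fails safe, but deserves a comment such as `/* real uid on purpose: refuse a par-USER dir we did not create */` if it is intentional.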
diff -Nru libpar-perl-1.000/debian/changelog libpar-perl-1.000/debian/changelog
--- libpar-perl-1.000/debian/changelog 2010-04-13 21:21:16.000000000 +0200
+++ libpar-perl-1.000/debian/changelog 2011-12-07 15:58:15.000000000 +0100
@@ -1,3 +1,12 @@
+libpar-perl (1.000-1+squeeze1) stable; urgency=low
+
+ * Team upload.
+ * Add create-safe-temporary-directories.patch patch.
+ Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
+ predictable temporary directories. (Closes: #650707)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Wed, 07 Dec 2011 15:53:57 +0100
+
libpar-perl (1.000-1) unstable; urgency=low
[ Ryan Niebur ]
diff -Nru libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch
--- libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch 2011-12-07 15:58:15.000000000 +0100
@@ -0,0 +1,74 @@
+Description: Create safe temporary directories
+ CVE-2011-4114: PAR packed files are extracted to unsafe and predictable
+ temporary directories.
+ .
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, make sure that (and bail out if not)
+ - it's not a symlink
+ - it's mode 0700
+ - it's owned by USER
+Origin: upstream
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560
+Bug-Debian: http://bugs.debian.org/650707
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2011-12-07
+
+--- a/lib/PAR/SetupTemp.pm
++++ b/lib/PAR/SetupTemp.pm
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+
+ =head1 NAME
+@@ -42,8 +44,9 @@
+ }
+
+ my $stmpdir = _get_par_user_tempdir();
++ die "unable to create cache directory" unless $stmpdir;
++
+ require File::Spec;
+- if (defined $stmpdir) { # it'd be quite bad if this was not the case
+ if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) {
+ my $ctx = _get_digester();
+
+@@ -71,8 +74,7 @@
+ }
+
+ $ENV{PAR_TEMP} = $stmpdir;
+- mkdir $stmpdir, 0755;
+- } # end if found a temp dir
++ mkdir $stmpdir, 0700;
+
+ $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,7 +100,24 @@
+ next unless defined $path and -d $path and -w $path;
+ $temp_path = File::Spec->catdir($path, "par-$username");
+ ($temp_path) = $temp_path =~ /^(.*)$/s;
+- mkdir $temp_path, 0755;
++ unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++ warn "creation of private subdirectory $temp_path failed (errno=$!)";
++ return;
++ }
++
++ unless ($^O eq 'MSWin32') {
++ my @st;
++ unless (@st = lstat($temp_path)) {
++ warn "stat of private subdirectory $temp_path failed (errno=$!)";
++ return;
++ }
++ if (!S_ISDIR($st[2])
++ || $st[4] != $<
++ || ($st[2] & 0777) != 0700 ) {
++ warn "private subdirectory $temp_path is unsafe (please remove it and retry your operation)";
++ return;
++ }
++ }
+
+ last;
+ }
diff -Nru libpar-perl-1.000/debian/patches/series libpar-perl-1.000/debian/patches/series
--- libpar-perl-1.000/debian/patches/series 2010-03-28 18:22:00.000000000 +0200
+++ libpar-perl-1.000/debian/patches/series 2011-12-07 15:58:15.000000000 +0100
@@ -1 +1,2 @@
fix-test_50-autoloaderfix.t.patch
+create-safe-temporary-directories.patch
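Review bot: The `++ mkdir $stmpdir, 0700;` line in the third inner hunk is still unchecked, so a failure other than EEXIST leaves `$ENV{PAR_TEMP}` (assigned just above it) and the `$PARTemp` derived from it pointing at a directory that was never created; the new `die "unable to create cache directory" unless $stmpdir;` only guards the parent returned by `_get_par_user_tempdir()`. I would write `mkdir($stmpdir, 0700) or $!{EEXIST} or die "unable to create cache directory $stmpdir: $!";`, mirroring the EEXIST handling the last inner hunk adds for `$temp_path`. In that last hunk the owner test `$st[4] != $<` uses the real uid while mkdir creates the directory as the effective uid, so a set-uid caller always bails; that fails safe, but either switch to `$>` or add `# real uid on purpose: refuse a par-$username dir we did not create` so the next reader knows it is deliberate. The `return;` on an unsafe directory (rather than `next` to the following candidate `$path`) is the right call, since silently moving to another location would hide tampering, and is worth a one-line comment to that effect. The enclosing subs start and end outside the hunks shown.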