
Re: Parallel-ForkManager security issue



On Sat, Dec 22, 2012 at 8:59 PM, John Lightsey <lightsey@debian.org> wrote:
> On Sat, 2012-12-22 at 20:17 +0200, Gabor Szabo wrote:
>> Hi,
>>
>> I am adding some tests to Parallel-ForkManager and encountered the ticket
>>
>> https://rt.cpan.org/Public/Bug/Display.html?id=68298
>>
>> that links to
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610384
>
> Please note that the Debian package of Parallel::ForkManager is not
> maintained by the Debian Perl group.

Sorry, I did not know that.

>> Is there any Debian patch for the problem?
>
> No, I saw that this was insecure and notified the upstream author when
> the first version of Parallel::ForkManager came out that included this
> functionality. I haven't updated Parallel::ForkManager in Debian to any
> of the affected versions since this bug was introduced.

I see.


>
>> Would using the tempdir function of  File::Temp instead of
>> File::Spec->tmpdir be secure enough?
>
> Not necessarily. The problems are basically:
> 1) The filenames used in /tmp are predictable.

As far as I know the tempdir of File::Temp creates a random name
but if that's not enough the filenames could be further randomized.
OTOH I think there are lots of CPAN modules that use tempdir, so
if that's not enough then maybe there are many other modules with similar
security issues.

> 2) None of the file operations are checked to verify they are operating
> on safe targets.
> 3) The umask is not set so the data passed through /tmp is world
> readable.
> 4) Whether or not any data is passed through /tmp, the parent process
> attempts to deserialize the filename in /tmp using Storable which allows
> arbitrary code execution for any local attacker in the context of the
> parent process.

Please explain how you think it would be better written. I am sure
others on this mailing list will also learn from it (or comment on it),
so it would be better to do it in public.

>
>> What else would you suggest?
>
> Actually, it's silly this bug has dragged on so long now. I'll contact
> the upstream author again and see if he'll give me comaint on the CPAN
> module to fix it. Passing data like this isn't difficult to accomplish
> in a secure way.
>

I already got co-maint from the author, but of course if you do it yourself
that's ok with me. I just added a few tests to the module.

regards
   Gabor
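
An added example, not part of the original thread and not Parallel::ForkManager's code or any fix proposed by the participants: a sketch of passing a child's result to its parent through a temporary directory while addressing the four points listed above. The helper names `store_result` and `load_result`, the `pfm-demo-` template and the sample data are hypothetical, and JSON::PP is swapped in for Storable so that parsing the file cannot run code.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_RDONLY O_CREAT O_EXCL O_NOFOLLOW S_ISREG);
use File::Spec;
use File::Temp qw(tempdir);
use JSON::PP qw(encode_json decode_json);

umask 0077;    # point 3: nothing created below is group/world accessible

# Point 1: random name, mode 0700, created by the parent before forking.
my $dir = tempdir('pfm-demo-XXXXXXXX', TMPDIR => 1, CLEANUP => 1);

# Child side (hypothetical helper): refuse to reuse or follow an existing path.
sub store_result {
    my ($dir, $data) = @_;
    my $path = File::Spec->catfile($dir, "$$.json");
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "cannot create $path: $!";
    print {$fh} encode_json($data) or die "write $path: $!";
    close($fh) or die "close $path: $!";
    return $path;
}

# Parent side (hypothetical helper): point 2, verify the opened target, and
# point 4, parse data-only JSON instead of deserializing with Storable.
sub load_result {
    my ($dir, $pid) = @_;
    my $path = File::Spec->catfile($dir, "$pid.json");
    # A missing file or a symlink fails here and is treated as "no result".
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or return;
    my @st = stat($fh) or die "stat $path: $!";
    die "$path is not a regular file\n" unless S_ISREG($st[2]);
    die "$path is not owned by us\n"    unless $st[4] == $>;
    die "$path has loose permissions\n" if $st[2] & 0077;
    my $json = do { local $/; <$fh> };
    close($fh);
    unlink($path);
    return decode_json($json);
}

my $pid = fork();
die "fork failed: $!" unless defined $pid;
if ($pid == 0) {
    store_result($dir, { status => 'ok', items => [1, 2, 3] });    # constructed sample data
    exit 0;
}
waitpid($pid, 0);
my $result = load_result($dir, $pid);
print "child $pid returned status=$result->{status}\n" if $result;
```

The checks run on the already opened handle rather than on the path, so the file that was verified is the same file that gets read.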

