On Sat, 2012-12-22 at 20:17 +0200, Gabor Szabo wrote:
> Hi,
>
> I am adding some tests to Parallel-ForkManager and encountered the ticket
>
> https://rt.cpan.org/Public/Bug/Display.html?id=68298
>
> that links to
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610384

Please note that the Debian package of Parallel::ForkManager is not
maintained by the Debian Perl group.

> Is there any Debian patch for the problem?

No, I saw that this was insecure and notified the upstream author when the
first version of Parallel::ForkManager came out that included this
functionality. I haven't updated Parallel::ForkManager in Debian to any of
the affected versions since this bug was introduced.

> Would using the tempdir function of File::Temp instead of
> File::Spec->tmpdir be secure enough?

Not necessarily. The problems are basically:

1) The filenames used in /tmp are predictable.
2) None of the file operations are checked to verify they are operating on
   safe targets.
3) The umask is not set so the data passed through /tmp is world readable.
4) Whether or not any data is passed through /tmp, the parent process
   attempts to deserialize the filename in /tmp using Storable which allows
   arbitrary code execution for any local attacker in the context of the
   parent process.

> What else would you suggest?

Actually, it's silly this bug has dragged on so long now. I'll contact the
upstream author again and see if he'll give me comaint on the CPAN module to
fix it. Passing data like this isn't difficult to accomplish in a secure way.

> regards
> Gabor
> note: I am not related to the author of the module
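The following is an added example, written for this page and not code from Parallel::ForkManager, its author, or the Debian package. It shows one way a parent and a forked child can pass a result through a temporary directory while addressing each of the four problems listed in the reply: an unpredictable, private directory (File::Temp's tempdir creates it with mode 0700), a restrictive umask, exclusive file creation plus fstat-based checks on the open handle before the data is trusted, and a data-only format (JSON::PP, core since Perl 5.14) in place of Storable so that loading the file cannot execute code. The helper names write_result and read_result are invented for the example; it assumes a Unix system.

```perl
#!/usr/bin/perl
# Added example (not Parallel::ForkManager code): pass a child's result to
# the parent through a private temp directory. write_result/read_result are
# hypothetical helper names chosen for this illustration.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);          # O_* flags, S_ISREG, S_IMODE
use File::Temp qw(tempdir);
use JSON::PP qw(encode_json decode_json);
use POSIX qw(_exit WEXITSTATUS);

# 1) Unpredictable location: tempdir() picks a random name under the system
#    temp directory and creates it with mode 0700, so other local users can
#    neither guess nor pre-create entries inside it.
my $dir = tempdir('pfm-example-XXXXXXXX', TMPDIR => 1, CLEANUP => 1);

# Child side: serialise plain data (no Storable, no blessed objects) and
# create the file exclusively with mode 0600.
sub write_result {
    my ($dir, $pid, $data) = @_;
    umask 077;                                   # 3) nothing group/world readable
    my $path = "$dir/$pid.json";
    # 2) O_CREAT|O_EXCL fails if anything (file or symlink) already exists.
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "cannot create $path: $!";
    print {$fh} encode_json($data) or die "write $path: $!";
    close $fh or die "close $path: $!";
    return $path;
}

# Parent side: verify the file through the open handle before trusting it,
# then decode with a data-only parser (4: JSON instead of Storable).
sub read_result {
    my ($dir, $pid) = @_;
    my $path = "$dir/$pid.json";

    # O_NOFOLLOW refuses a symlink at open time; stat on the handle (fstat)
    # examines the object actually opened, avoiding a check-then-use race.
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW)
        or die "cannot open $path: $!";
    my @st = stat $fh or die "fstat $path: $!";
    my ($mode, $nlink, $uid) = @st[2, 3, 4];

    die "$path is not a regular file"      unless S_ISREG($mode);
    die "$path is not owned by uid $<"     unless $uid == $<;
    die "$path is group/world accessible"  if S_IMODE($mode) & 077;
    die "$path has extra hard links"       unless $nlink == 1;

    local $/;                                    # slurp mode
    my $json = <$fh>;
    close $fh;
    unlink $path or warn "unlink $path: $!";
    return decode_json($json);                   # data only, no code on load
}

# Demonstration with one forked child, mirroring the parent/child flow.
my $pid = fork();
die "fork: $!" unless defined $pid;
if ($pid == 0) {
    write_result($dir, $$, { worker => $$, status => 'ok', items => [1, 2, 3] });
    _exit(0);                                    # skip parent END blocks in the child
}
waitpid($pid, 0);
die "child exited with status " . WEXITSTATUS($?) if WEXITSTATUS($?) != 0;

my $result = read_result($dir, $pid);
printf "child %d reported status=%s items=%s\n",
    $result->{worker}, $result->{status}, join(',', @{ $result->{items} });
```

The checks in read_result are deliberately done on the handle rather than the path: a path-based test (-f, -l, -O) followed by open leaves a window in which the entry could be replaced, whereas fstat describes the object that was actually opened. Swapping Storable for JSON::PP is a design choice for this example; any format that cannot instantiate objects or run hooks on load serves the same purpose.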