Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 652107@bugs.debian.org
Subject: Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 18 Dec 2011 23:12:46 +0100
Message-id: <[🔎] 20111218221246.GA29407@elende>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 652107@bugs.debian.org
In-reply-to: <[🔎] 1324219850.8517.4.camel@hathi.jungle.funky-badger.org>
References: <[🔎] 20111214211200.3110.73465.reportbug@elende.valinor.li> <[🔎] 1324219850.8517.4.camel@hathi.jungle.funky-badger.org>

Hey Adam

On Sun, Dec 18, 2011 at 02:50:49PM +0000, Adam D. Barratt wrote:
> tag 652107 + squeeze moreinfo
> thanks
> 
> On Wed, 2011-12-14 at 22:12 +0100, Salvatore Bonaccorso wrote:
> > libpar-packer-perl 1.006-1 and libpar-perl 1.000-1 in Squeeze are
> > affected by CVE-2011-4114: "PAR packed files are extracted to unsafe
> > and predictable temporary directories.".
> [...]
> > The debdiffs I would propose are attached. I have one further
> > question, would you accept addition of these patches (adapted) [3] and
> > [4]?
> > 
> >  [3] http://search.cpan.org/diff?from=PAR-Packer-1.011&to=PAR-Packer-1.012&w=1
> >  [4] http://search.cpan.org/diff?from=PAR-1.004&to=PAR-1.005&w=1
> 
> Yes, those patches should be okay to include.  I'd like to see final
> debdiffs before giving a final ACK though.

Sure, please find both attached. In case you would like to have
something changed, I will do.

> It wasn't entirely clear from your mail, but have the packages with the
> patches applied been tested on squeeze?

Yes, now I tested the packages on Squeeze. The build already contains
some tests, which all pass, furthermore I did some testing with a par
file, and the pp utility. They behave now detecting unsafe directory
in /tmp if I create these manually with unsafe permissions.

Regards
Salvatore

diff -Nru libpar-packer-perl-1.006/debian/changelog libpar-packer-perl-1.006/debian/changelog
--- libpar-packer-perl-1.006/debian/changelog	2010-06-28 18:17:16.000000000 +0200
+++ libpar-packer-perl-1.006/debian/changelog	2011-12-18 20:51:10.000000000 +0100
@@ -1,3 +1,18 @@
+libpar-packer-perl (1.006-1+squeeze1) stable; urgency=low
+
+  * Team upload.
+  * Add create-safe-temporary-directories.patch patch.
+    Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
+    predictable temporary directories. (Closes: #650706)
+  * Bump (Build-)Depends on libpar-perl.
+    Bump the dependencies to libpar-perl (>= 1.000-1+squeeze1) as this
+    version contains the other half of the fix for CVE-2011-4114.
+  * Add run_all_tests_using_a_nonce_PAR_TMPDIR.patch.
+    Run all tests using a nonce PAR_TMPDIR (a leftover /tmp/par-USER
+    directory from previous builds may now be considered "unsafe")
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 18 Dec 2011 20:44:15 +0100
+
 libpar-packer-perl (1.006-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru libpar-packer-perl-1.006/debian/control libpar-packer-perl-1.006/debian/control
--- libpar-packer-perl-1.006/debian/control	2010-06-28 18:13:58.000000000 +0200
+++ libpar-packer-perl-1.006/debian/control	2011-12-18 20:51:10.000000000 +0100
@@ -6,7 +6,7 @@
  libgetopt-argvfile-perl (>= 1.07),
  libinline-perl,
  libmodule-scandeps-perl (>= 0.96),
- libpar-perl (>= 1.000),
+ libpar-perl (>= 1.000-1+squeeze1),
  libperl-dev,
  libtest-pod-perl,
  perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3)
@@ -28,7 +28,7 @@
  libgetopt-argvfile-perl (>= 1.07),
  libmodule-scandeps-perl (>= 0.96),
  libpar-dist-perl (>= 0.22),
- libpar-perl (>= 1.000),
+ libpar-perl (>= 1.000-1+squeeze1),
  perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3)
 Recommends: libtk-perl
 Description: utility for creating PAR archives and stand-alone executables
diff -Nru libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch
--- libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch	2011-12-18 20:51:10.000000000 +0100
@@ -0,0 +1,67 @@
+Description: Create safe temporary directories
+ CVE-2011-4114: PAR packed files are extracted to unsafe and predictable
+ temporary directories.
+ .
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, make sure that (and bail out if not)
+   - it's not a symlink
+   - it's mode 0700
+   - it's owned by USER
+Origin: upstream
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560
+Bug-Debian: http://bugs.debian.org/650706
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2011-12-13
+
+--- a/myldr/mktmpdir.c
++++ b/myldr/mktmpdir.c
+@@ -153,7 +153,38 @@
+     stmpdir = malloc( stmp_len );
+     stmpdir2 = malloc( stmp_len );
+     sprintf(stmpdir2, "%s%s%s%s", tmpdir, dir_sep, subdirbuf_prefix, username);
+-    my_mkdir(stmpdir2, 0755);
++#ifdef WIN32
++    _mkdir(stmpdir2);         /* FIXME bail if error (other than EEXIST) */
++#else
++    {
++        struct stat st;
++
++        if (mkdir(stmpdir2, 0700) == -1 && errno != EEXIST) {
++            fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n", 
++                    argv[0], stmpdir2, errno);
++            return NULL;
++        }
++
++        /* now check that:
++         * - stmpdir2 is a directory (and not a symlink)
++         * - stmpdir2 is owned by the user
++         * - stmpdir2 has mode 0700
++         */
++        if (lstat(stmpdir2, &st) == -1) {
++            fprintf(stderr, "%s: stat of private subdirectory %s failed (errno=%i)\n",
++                    argv[0], stmpdir2, errno);
++            return NULL;
++        }
++
++        if (!S_ISDIR(st.st_mode)
++            || st.st_uid != getuid()
++            || (st.st_mode & 0777) != 0700 ) {
++            fprintf(stderr, "%s: private subdirectory %s is unsafe\n",
++                    argv[0], stmpdir2);
++            return NULL;
++        }
++    }
++#endif
+ 
+     /* Doesn't really work - XXX */
+     val = par_getenv( "PATH" );
+@@ -239,7 +270,7 @@
+            a prior invocation crashed leaving garbage in a temp directory that
+            might interfere. */
+ 
+-        while (my_mkdir(stmpdir, 0755) == -1 && errno == EEXIST) {
++        while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) {
+             sprintf(
+                 stmpdir,
+                 "%s%stemp-%u-%u%s",
diff -Nru libpar-packer-perl-1.006/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch libpar-packer-perl-1.006/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch
--- libpar-packer-perl-1.006/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpar-packer-perl-1.006/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch	2011-12-18 20:51:10.000000000 +0100
@@ -0,0 +1,71 @@
+Description: run all tests using a nonce PAR_TMPDIR
+Origin: upstream, http://search.cpan.org/diff/PAR-Packer-1.011-PAR-Packer-1.012.-w.diff
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2011-12-18
+Applied-Upstream: yes
+
+--- a/t/10-parl-generation.t
++++ b/t/10-parl-generation.t
+@@ -9,6 +9,8 @@
+ use Config qw/%Config/;
+ use vars qw/@INC %INC/;
+ 
++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1);
++
+ unshift @INC, ($FindBin::Bin);
+ use_ok('PAR');
+ use_ok('PAR::StrippedPARL::Static');
+--- a/t/20-pp.t
++++ b/t/20-pp.t
+@@ -5,8 +5,11 @@
+ use Config;
+ use FindBin;
+ use File::Spec;
++use File::Temp ();
+ use ExtUtils::MakeMaker;
+ 
++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1);
++
+ sub samefiles {
+     my ($f1, $f2) = @_;
+     $f1 eq $f2 and return 1;
+--- a/t/30-current_exec.t
++++ b/t/30-current_exec.t
+@@ -5,6 +5,7 @@
+ use File::Spec;
+ use File::Path;
+ use File::Basename;
++use File::Temp ();
+ use FindBin;
+ 
+ use Test::More;
+@@ -12,6 +13,8 @@
+     if $FindBin::Bin =~ / /;
+ plan tests => 4;
+ 
++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1);
++
+ my $has_inline_c = eval "use Inline; 1;";
+ # warn $@ if $@;
+ 
+--- a/t/40-packer_cd_option.t
++++ b/t/40-packer_cd_option.t
+@@ -4,6 +4,8 @@
+ use strict;
+ use warnings;
+ 
++use File::Temp ();
++
+ # Fake a frontend to see if caching options are correctly passed through
+ package TestFE;
+ 
+@@ -27,6 +29,8 @@
+ use Test::More (tests => 2);
+ use PAR::Packer;
+ 
++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1);
++
+ for my $opt (qw/cd cachedeps/){
+     TestFE::init();
+     my $p = PAR::Packer->new();
diff -Nru libpar-packer-perl-1.006/debian/patches/series libpar-packer-perl-1.006/debian/patches/series
--- libpar-packer-perl-1.006/debian/patches/series	2010-04-14 16:43:02.000000000 +0200
+++ libpar-packer-perl-1.006/debian/patches/series	2011-12-18 20:51:10.000000000 +0100
@@ -1,3 +1,5 @@
 fix-pod-spelling.patch
 01_manpage-ext.patch
 fix-with-new-par-name
+create-safe-temporary-directories.patch
+run_all_tests_using_a_nonce_PAR_TMPDIR.patch

diff -Nru libpar-perl-1.000/debian/changelog libpar-perl-1.000/debian/changelog
--- libpar-perl-1.000/debian/changelog	2010-04-13 21:21:16.000000000 +0200
+++ libpar-perl-1.000/debian/changelog	2011-12-18 20:33:10.000000000 +0100
@@ -1,3 +1,15 @@
+libpar-perl (1.000-1+squeeze1) stable; urgency=low
+
+  * Team upload.
+  * Add create-safe-temporary-directories.patch patch.
+    Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
+    predictable temporary directories. (Closes: #650707)
+  * Add run_all_tests_using_a_nonce_PAR_TMPDIR.patch.
+    Run all tests using a nonce PAR_TMPDIR (a leftover /tmp/par-USER
+    directory from previous builds may now be considered "unsafe")
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 18 Dec 2011 20:31:44 +0100
+
 libpar-perl (1.000-1) unstable; urgency=low
 
   [ Ryan Niebur ]
diff -Nru libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch
--- libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch	2011-12-18 20:33:10.000000000 +0100
@@ -0,0 +1,74 @@
+Description: Create safe temporary directories
+ CVE-2011-4114: PAR packed files are extracted to unsafe and predictable
+ temporary directories.
+ .
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, make sure that (and bail out if not)
+   - it's not a symlink
+   - it's mode 0700
+   - it's owned by USER
+Origin: upstream
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560
+Bug-Debian: http://bugs.debian.org/650707
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2011-12-07
+
+--- a/lib/PAR/SetupTemp.pm
++++ b/lib/PAR/SetupTemp.pm
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+ 
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+ 
+ =head1 NAME
+@@ -42,8 +44,9 @@
+     }
+ 
+     my $stmpdir = _get_par_user_tempdir();
++    die "unable to create cache directory" unless $stmpdir;
++
+     require File::Spec;
+-    if (defined $stmpdir) { # it'd be quite bad if this was not the case
+       if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) {
+           my $ctx = _get_digester();
+ 
+@@ -71,8 +74,7 @@
+       }
+ 
+       $ENV{PAR_TEMP} = $stmpdir;
+-      mkdir $stmpdir, 0755;
+-    } # end if found a temp dir
++    mkdir $stmpdir, 0700;
+ 
+     $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,7 +100,24 @@
+     next unless defined $path and -d $path and -w $path;
+     $temp_path = File::Spec->catdir($path, "par-$username");
+     ($temp_path) = $temp_path =~ /^(.*)$/s;
+-    mkdir $temp_path, 0755;
++    unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++      warn "creation of private subdirectory $temp_path failed (errno=$!)"; 
++      return;
++    }
++
++    unless ($^O eq 'MSWin32') {
++        my @st;
++        unless (@st = lstat($temp_path)) {
++          warn "stat of private subdirectory $temp_path failed (errno=$!)";
++          return;
++        }
++        if (!S_ISDIR($st[2])
++            || $st[4] != $<
++            || ($st[2] & 0777) != 0700 ) {
++          warn "private subdirectory $temp_path is unsafe (please remove it and retry your operation)";
++          return;
++        }
++    }
+ 
+     last;
+   }
diff -Nru libpar-perl-1.000/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch libpar-perl-1.000/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch
--- libpar-perl-1.000/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpar-perl-1.000/debian/patches/run_all_tests_using_a_nonce_PAR_TMPDIR.patch	2011-12-18 20:33:10.000000000 +0100
@@ -0,0 +1,62 @@
+Description: run all tests using a nonce PAR_TMPDIR
+Origin: upstream, http://search.cpan.org/diff/PAR-1.004-PAR-1.005.-w.diff
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2011-12-18
+Applied-Upstream: yes
+
+--- a/t/01-basic.t
++++ b/t/01-basic.t
+@@ -4,8 +4,10 @@
+ use Test::More tests => 8;
+ use File::Spec;
+ use File::Path;
++use File::Temp ();
+ 
+ BEGIN {
++  $ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1);
+   $ENV{PAR_CLEAN} = 1;
+ }
+ 
+--- a/t/40-par-hashref.t
++++ b/t/40-par-hashref.t
+@@ -3,9 +3,12 @@
+ use Test::More tests => 7;
+ 
+ use File::Spec;
++use File::Temp ();
+ use FindBin;
+ use vars qw/@INC %INC/;
+ 
++$ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1);
++
+ unshift @INC, ($FindBin::Bin);
+ use_ok('PAR');
+ 
+--- a/t/50-autoloaderfix.t
++++ b/t/50-autoloaderfix.t
+@@ -1,6 +1,10 @@
+ #!/usr/bin/perl
+ # Problem doesn't manifest if Test::More is in effect?
+ # What the hell?
++
++use File::Temp ();
++BEGIN { $ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1); }
++
+ $|=1;
+ print "1..1\n";
+ use PAR;
+--- a/t/60-cleanup.t
++++ b/t/60-cleanup.t
+@@ -6,9 +6,11 @@
+ # the /tmp/par-$USER/temp-$$ directories get cleaned up when
+ # in CLEAN mode.
+ 
++use File::Temp ();
+ use Test::More tests => 5;
+ 
+ BEGIN {
++  $ENV{PAR_TMPDIR} = File::Temp::tempdir(TMPDIR => 1, CLEANUP => 1);
+   $ENV{PAR_CLEAN} = 1;
+   delete $ENV{PAR_TEMP};
+ }
diff -Nru libpar-perl-1.000/debian/patches/series libpar-perl-1.000/debian/patches/series
--- libpar-perl-1.000/debian/patches/series	2010-03-28 18:22:00.000000000 +0200
+++ libpar-perl-1.000/debian/patches/series	2011-12-18 20:33:10.000000000 +0100
@@ -1 +1,3 @@
 fix-test_50-autoloaderfix.t.patch
+create-safe-temporary-directories.patch
+run_all_tests_using_a_nonce_PAR_TMPDIR.patch

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#645818: marked as done ([britney2] Port to python-apt 0.8 API)
Next by Date: Bug#628529: marked as done (transition: ICU transition (4.4 -> 4.8))
Previous by thread: Processed: Re: Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1
Next by thread: Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1
Index(es):
- Date
- Thread