Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Release Team
libpar-packer-perl 1.006-1 and libpar-perl 1.000-1 in Squeeze are
affected by CVE-2011-4114: "PAR packed files are extracted to unsafe
and predictable temporary directories".
According to the security team this does not need a DSA, but it could be
fixed through a stable point release update.
[1] http://bugs.debian.org/650706
[2] http://bugs.debian.org/650707
The debdiffs I would propose are attached. I have one further
question: would you also accept adding (adapted versions of) the upstream
patches [3] and [4]?
[3] http://search.cpan.org/diff?from=PAR-Packer-1.011&to=PAR-Packer-1.012&w=1
[4] http://search.cpan.org/diff?from=PAR-1.004&to=PAR-1.005&w=1
Note: libpar-perl and libpar-packer-perl should both be updated.
Note: To pull in the fixed libpar-perl, I have also bumped the versioned
(Build-)Depends on libpar-perl here, since that package contains the
other half of the fix for CVE-2011-4114.
Would you accept these for an upcoming point release update? I still
would like to test the resulting packages.
Thanks for your work!
Regards,
Salvatore
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
diff -Nru libpar-packer-perl-1.006/debian/changelog libpar-packer-perl-1.006/debian/changelog
--- libpar-packer-perl-1.006/debian/changelog 2010-06-28 18:17:16.000000000 +0200
+++ libpar-packer-perl-1.006/debian/changelog 2011-12-13 22:04:05.000000000 +0100
@@ -1,3 +1,15 @@
+libpar-packer-perl (1.006-1+squeeze1) unstable; urgency=low
+
+ * Team upload.
+ * Add create-safe-temporary-directories.patch patch.
+ Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
+ predictable temporary directories. (Closes: #650706)
+ * Bump (Build-)Depends on libpar-perl.
+ Bump the dependencies to libpar-perl (>= 1.000-1+squeeze1) as this
+ version contains the other half of the fix for CVE-2011-4114.
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 13 Dec 2011 22:03:26 +0100
+
libpar-packer-perl (1.006-1) unstable; urgency=low
* New upstream release.
diff -Nru libpar-packer-perl-1.006/debian/control libpar-packer-perl-1.006/debian/control
--- libpar-packer-perl-1.006/debian/control 2010-06-28 18:13:58.000000000 +0200
+++ libpar-packer-perl-1.006/debian/control 2011-12-13 22:04:05.000000000 +0100
@@ -6,7 +6,7 @@
libgetopt-argvfile-perl (>= 1.07),
libinline-perl,
libmodule-scandeps-perl (>= 0.96),
- libpar-perl (>= 1.000),
+ libpar-perl (>= 1.000-1+squeeze1),
libperl-dev,
libtest-pod-perl,
perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3)
@@ -28,7 +28,7 @@
libgetopt-argvfile-perl (>= 1.07),
libmodule-scandeps-perl (>= 0.96),
libpar-dist-perl (>= 0.22),
- libpar-perl (>= 1.000),
+ libpar-perl (>= 1.000-1+squeeze1),
perl (>= 5.10) | libio-compress-perl | libcompress-zlib-perl (>= 1.3)
Recommends: libtk-perl
Description: utility for creating PAR archives and stand-alone executables
diff -Nru libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch
--- libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpar-packer-perl-1.006/debian/patches/create-safe-temporary-directories.patch 2011-12-13 22:04:05.000000000 +0100
@@ -0,0 +1,68 @@
+Description: Create safe temporary directories
+ CVE-2011-4114: PAR packed files are extracted to unsafe and predictable
+ temporary directories.
+ .
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, make sure that (and bail out if not)
+ - it's not a symlink
+ - it's mode 0700
+ - it's owned by USER
+Origin: upstream
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560
+Bug-Debian: http://bugs.debian.org/650706
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2011-12-13
+
+--- a/myldr/mktmpdir.c
++++ b/myldr/mktmpdir.c
+@@ -153,7 +153,38 @@
+ stmpdir = malloc( stmp_len );
+ stmpdir2 = malloc( stmp_len );
+ sprintf(stmpdir2, "%s%s%s%s", tmpdir, dir_sep, subdirbuf_prefix, username);
+- my_mkdir(stmpdir2, 0755);
++#ifdef WIN32
++ _mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */
++#else
++ {
++ struct stat st;
++
++ if (mkdir(stmpdir2, 0700) == -1 && errno != EEXIST) {
++ fprintf(stderr, "%s: creation of private subdirectory %s failed (errno=%i)\n",
++ argv[0], stmpdir2, errno);
++ return NULL;
++ }
++
++ /* now check that:
++ * - stmpdir2 is a directory (and not a symlink)
++ * - stmpdir2 is owned by the user
++ * - stmpdir2 has mode 0700
++ */
++ if (lstat(stmpdir2, &st) == -1) {
++ fprintf(stderr, "%s: stat of private subdirectory %s failed (errno=%i)\n",
++ argv[0], stmpdir2, errno);
++ return NULL;
++ }
++
++ if (!S_ISDIR(st.st_mode)
++ || st.st_uid != getuid()
++ || (st.st_mode & 0777) != 0700 ) {
++ fprintf(stderr, "%s: private subdirectory %s is unsafe\n",
++ argv[0], stmpdir2);
++ return NULL;
++ }
++ }
++#endif
+
+ /* Doesn't really work - XXX */
+ val = par_getenv( "PATH" );
+@@ -239,7 +270,7 @@
+ a prior invocation crashed leaving garbage in a temp directory that
+ might interfere. */
+
+- while (my_mkdir(stmpdir, 0755) == -1 && errno == EEXIST) {
++ while (my_mkdir(stmpdir, 0700) == -1 && errno == EEXIST) {
+ sprintf(
+ stmpdir,
+ "%s%stemp-%u-%u%s",
diff -Nru libpar-packer-perl-1.006/debian/patches/series libpar-packer-perl-1.006/debian/patches/series
--- libpar-packer-perl-1.006/debian/patches/series 2010-04-14 16:43:02.000000000 +0200
+++ libpar-packer-perl-1.006/debian/patches/series 2011-12-13 22:04:05.000000000 +0100
@@ -1,3 +1,4 @@
fix-pod-spelling.patch
01_manpage-ext.patch
fix-with-new-par-name
+create-safe-temporary-directories.patch
diff -Nru libpar-perl-1.000/debian/changelog libpar-perl-1.000/debian/changelog
--- libpar-perl-1.000/debian/changelog 2010-04-13 21:21:16.000000000 +0200
+++ libpar-perl-1.000/debian/changelog 2011-12-07 15:58:15.000000000 +0100
@@ -1,3 +1,12 @@
+libpar-perl (1.000-1+squeeze1) stable; urgency=low
+
+ * Team upload.
+ * Add create-safe-temporary-directories.patch patch.
+ Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and
+ predictable temporary directories. (Closes: #650707)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Wed, 07 Dec 2011 15:53:57 +0100
+
libpar-perl (1.000-1) unstable; urgency=low
[ Ryan Niebur ]
diff -Nru libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch
--- libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpar-perl-1.000/debian/patches/create-safe-temporary-directories.patch 2011-12-07 15:58:15.000000000 +0100
@@ -0,0 +1,74 @@
+Description: Create safe temporary directories
+ CVE-2011-4114: PAR packed files are extracted to unsafe and predictable
+ temporary directories.
+ .
+ - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+ - if it already exists, make sure that (and bail out if not)
+ - it's not a symlink
+ - it's mode 0700
+ - it's owned by USER
+Origin: upstream
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=69560
+Bug-Debian: http://bugs.debian.org/650707
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2011-12-07
+
+--- a/lib/PAR/SetupTemp.pm
++++ b/lib/PAR/SetupTemp.pm
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+
+ =head1 NAME
+@@ -42,8 +44,9 @@
+ }
+
+ my $stmpdir = _get_par_user_tempdir();
++ die "unable to create cache directory" unless $stmpdir;
++
+ require File::Spec;
+- if (defined $stmpdir) { # it'd be quite bad if this was not the case
+ if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) {
+ my $ctx = _get_digester();
+
+@@ -71,8 +74,7 @@
+ }
+
+ $ENV{PAR_TEMP} = $stmpdir;
+- mkdir $stmpdir, 0755;
+- } # end if found a temp dir
++ mkdir $stmpdir, 0700;
+
+ $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,7 +100,24 @@
+ next unless defined $path and -d $path and -w $path;
+ $temp_path = File::Spec->catdir($path, "par-$username");
+ ($temp_path) = $temp_path =~ /^(.*)$/s;
+- mkdir $temp_path, 0755;
++ unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++ warn "creation of private subdirectory $temp_path failed (errno=$!)";
++ return;
++ }
++
++ unless ($^O eq 'MSWin32') {
++ my @st;
++ unless (@st = lstat($temp_path)) {
++ warn "stat of private subdirectory $temp_path failed (errno=$!)";
++ return;
++ }
++ if (!S_ISDIR($st[2])
++ || $st[4] != $<
++ || ($st[2] & 0777) != 0700 ) {
++ warn "private subdirectory $temp_path is unsafe (please remove it and retry your operation)";
++ return;
++ }
++ }
+
+ last;
+ }
diff -Nru libpar-perl-1.000/debian/patches/series libpar-perl-1.000/debian/patches/series
--- libpar-perl-1.000/debian/patches/series 2010-03-28 18:22:00.000000000 +0200
+++ libpar-perl-1.000/debian/patches/series 2011-12-07 15:58:15.000000000 +0100
@@ -1 +1,2 @@
fix-test_50-autoloaderfix.t.patch
+create-safe-temporary-directories.patch