On Sun, 06 May 2012 22:13:05 +0100, Adam D. Barratt wrote:

> Specifically, a loss of error handling. The original version at least
> let the caller gracefully handle the failure, whereas the new version is
> technically an API change in that the function is defined as returning
> undef in the case of failure and no longer does if creating the
> temporary file fails; I'm not sure how well the (several) r-deps in the
> archive will handle that.

Upstream has fixed this regression in the error handling in 2.73 [0], and
I've now backported this change to the backport of the original fix.

Attached is the new debdiff; I'm looking forward to another review.

Cheers,
gregor

[0] https://bitbucket.org/shlomif/perl-config-inifiles/changeset/511f34b73b85
    https://rt.cpan.org/Public/Bug/Display.html?id=77039

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' :  Debian GNU/Linux user, admin, and developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-    NP: Bob Dylan: Blowin' In The Wind
diff -u libconfig-inifiles-perl-2.52/debian/changelog libconfig-inifiles-perl-2.52/debian/changelog
--- libconfig-inifiles-perl-2.52/debian/changelog
+++ libconfig-inifiles-perl-2.52/debian/changelog
@@ -1,3 +1,13 @@
+libconfig-inifiles-perl (2.52-1+squeeze1) stable-proposed-updates; urgency=low
+
+ * Team upload.
+ * SECURITY BUG FIX: Config::IniFiles used to write to a temporary
+ filename with a predictable name ("$(unknown)-new") which opens the
+ door for potential exploits. -- CVE-2012-2451, CWE-377
+ (Closes: #671255)
+
+ -- gregor herrmann <gregoa@debian.org> Mon, 14 May 2012 16:53:42 +0200
+
libconfig-inifiles-perl (2.52-1) unstable; urgency=low
[ Jonathan Yu ]
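Review bot: the changelog entry omits the second change this upload carries; the cover mail says the upstream 2.73 fix for the error-handling regression (tempfile() failure once again making the method return undef instead of dying) was backported on top of the CVE fix, so add a bullet for it next to the SECURITY BUG FIX line, e.g. "* Also backport the upstream 2.73 change restoring the undef-on-failure return when the temporary file cannot be created." Additionally, the quoted predictable name ("$(unknown)-new") does not match the code being replaced, `my $new_file = $file . "-new";`, so the entry should read "$file-new".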
only in patch2:
unchanged:
--- libconfig-inifiles-perl-2.52.orig/lib/Config/IniFiles.pm
+++ libconfig-inifiles-perl-2.52/lib/Config/IniFiles.pm
@@ -9,6 +9,9 @@
use Carp;
use Symbol 'gensym','qualify_to_ref'; # For the 'any data type' hack
+use File::Basename qw( dirname );
+use File::Temp qw/ tempfile /;
+
@Config::IniFiles::errors = ( );
# $Header: /home/shlomi/progs/perl/cpan/Config/IniFiles/config-inifiles-cvsbackup/config-inifiles/IniFiles.pm,v 2.41 2003-12-08 10:50:56 domq Exp $
@@ -1194,15 +1197,23 @@
#carp "Store mode $self->{file_mode} prohibits writing config";
}
- my $new_file = $file . "-new";
- local(*F);
- open(F, "> $new_file") || do {
- carp "Unable to write temp config file $new_file: $!";
- return undef;
+ my ($fh, $new_file);
+ eval {
+ ($fh, $new_file) = tempfile(
+ "temp.ini-XXXXXXXXXX",
+ DIR => dirname($file)
+ );
};
- my $oldfh = select(F);
+
+ if ($@)
+ {
+ carp( "Unable to write temp config file: $!" );
+ return undef;
+ }
+
+ my $oldfh = select($fh);
$self->OutputConfig($parms{-delta});
- close(F);
+ close($fh);
select($oldfh);
rename( $new_file, $file ) || do {
carp "Unable to rename temp config file ($new_file) to $file: $!";
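Review bot: the failure branch under `if ($@)` reports the wrong variable: tempfile() croaks on error, so the reason is in `$@`, while `$!` may be empty or left over from an unrelated earlier call; suggest `carp( "Unable to write temp config file: $@" );`. A second point in the same hunk: File::Temp creates the file with mode 0600, whereas the removed `open(F, "> $new_file")` created it according to the umask, so after `rename( $new_file, $file )` a config file that was group- or world-readable silently becomes 0600. If any reverse dependencies read the file under another uid, chmod `$fh` to the pre-existing file's mode (from stat($file)) before the rename.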
Attachment:
signature.asc
Description: Digital signature
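For readers following the thread, here is an added, stand-alone Perl example (not Config::IniFiles code and not part of the attached debdiff) that puts the two patterns side by side: the CWE-377 predictable "$file-new" write and a File::Temp-based replacement that keeps the undef-on-failure contract Adam asked about, reports the tempfile() error from $@, removes the temp file if the rename fails, and restores the previous file mode (File::Temp creates files 0600). The function names, the sample INI text and the throwaway directory are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example, not Config::IniFiles code: atomic replacement of a config
# file via File::Temp, keeping the "return undef on failure" contract.
# Function names and sample content are assumptions of this example.
use strict;
use warnings;
use Carp;
use File::Basename qw(dirname basename);
use File::Temp qw(tempfile tempdir);
use Fcntl qw(:mode);

# Vulnerable pattern (CWE-377): the temp path is derived from the target name,
# so anyone who can write to the directory can pre-create or symlink
# "$file-new" and have the config written through it.
sub write_file_predictably {
    my ($file, $content) = @_;
    my $new_file = "$file-new";
    open(my $fh, '>', $new_file) or do {
        carp "Unable to write temp config file $new_file: $!";
        return undef;
    };
    print {$fh} $content;
    close($fh);
    rename($new_file, $file) or do {
        carp "Unable to rename temp config file ($new_file) to $file: $!";
        return undef;
    };
    return 1;
}

# Hardened pattern: random name created O_CREAT|O_EXCL by File::Temp in the
# target's own directory (same filesystem, so rename() is atomic); the croak
# from tempfile() is caught with eval and reported from $@, not $!; the temp
# file is unlinked on any later failure; and the old mode is restored because
# File::Temp opens new files 0600.
sub write_file_atomically {
    my ($file, $content) = @_;

    my ($fh, $new_file);
    eval {
        ($fh, $new_file) = tempfile(
            basename($file) . '.XXXXXXXXXX',
            DIR => dirname($file),
        );
        1;
    } or do {
        carp "Unable to create temp config file for $file: $@";
        return undef;
    };

    my $ok = eval {
        # Keep the old permission bits if the file already exists
        # (ownership is not restored; that would need root and chown).
        if (my @st = stat($file)) {
            chmod(S_IMODE($st[2]), $fh) or croak "chmod: $!";
        }
        print {$fh} $content     or croak "write: $!";
        close($fh)               or croak "close: $!";
        rename($new_file, $file) or croak "rename to $file: $!";
        1;
    };
    unless ($ok) {
        carp "Unable to replace $file: $@";
        unlink($new_file);
        return undef;
    }
    return 1;
}

# Demonstration in a throwaway directory (constructed input).
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/app.ini";

write_file_atomically($file, "[db]\nhost=localhost\n") or die "first write failed";
chmod(0640, $file) or die "chmod: $!";

write_file_atomically($file, "[db]\nhost=db.internal\n") or die "second write failed";
printf "mode after rewrite: %04o\n", (stat $file)[2] & 07777;   # 0640, not 0600

# Failure path: a directory that does not exist makes tempfile() croak;
# the caller still gets undef (plus a carp) instead of an uncaught die.
my $r = write_file_atomically("$dir/missing/app.ini", "x=1\n");
print defined $r ? "unexpected success\n" : "failure reported as undef\n";
```

The eval around tempfile() is what preserves the API Adam describes: without it, a caller that checks the return value never sees the failure because the croak unwinds past it. The chmod on the handle before the rename is the part the backport does not do; drop it only if every consumer of the file runs as the writing user.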