
Bug#671255: CVE-2012-2451: CWE-377 Insecure Temporary File



On Wed, 02 May 2012 22:02:13 +0300, Henri Salo wrote:

> https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59
> CVE-identifier assigned in here: http://seclists.org/oss-sec/2012/q2/225

Attached is a backport of the fix for squeeze; reviews welcome.

Dear security and release teams: Please advise on how to proceed;
does s-p-u sound right for this issue?

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Dire Straits: Tunnel Of Love
diff -u libconfig-inifiles-perl-2.52/debian/changelog libconfig-inifiles-perl-2.52/debian/changelog
--- libconfig-inifiles-perl-2.52/debian/changelog
+++ libconfig-inifiles-perl-2.52/debian/changelog
@@ -1,3 +1,13 @@
+libconfig-inifiles-perl (2.52-1+squeeze1) stable-proposed-updates; urgency=low
+
+  * Team upload.
+  * SECURITY BUG FIX: Config::IniFiles used to write to a temporary
+    filename with a predictable name ("${filename}-new") which opens the
+    door for potential exploits. -- CVE-2012-2451, CWE-377
+    (Closes: #671255)
+
+ -- gregor herrmann <gregoa@debian.org>  Sun, 06 May 2012 15:11:54 +0200
+
 libconfig-inifiles-perl (2.52-1) unstable; urgency=low
 
   [ Jonathan Yu ]
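
Review bot: the new changelog entry describes the flaw (the predictable "${filename}-new" name) but not the fix, so someone reviewing the stable upload from debian/changelog alone cannot tell what changed. Consider adding a line stating that the temporary file is now created with File::Temp's tempfile() in the directory of the target file, and that this is a backport of the upstream changeset linked in the bug report.
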
only in patch2:
unchanged:
--- libconfig-inifiles-perl-2.52.orig/lib/Config/IniFiles.pm
+++ libconfig-inifiles-perl-2.52/lib/Config/IniFiles.pm
@@ -9,6 +9,9 @@
 use Carp;
 use Symbol 'gensym','qualify_to_ref';   # For the 'any data type' hack
 
+use File::Basename qw( dirname );
+use File::Temp qw/ tempfile /;
+
 @Config::IniFiles::errors = ( );
 
 #	$Header: /home/shlomi/progs/perl/cpan/Config/IniFiles/config-inifiles-cvsbackup/config-inifiles/IniFiles.pm,v 2.41 2003-12-08 10:50:56 domq Exp $
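
Review bot: the two added use lines quote their import lists differently, qw( dirname ) on the first and qw/ tempfile / on the second. Use one delimiter style for both so the backport reads consistently.
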
@@ -1194,15 +1197,13 @@
           #carp "Store mode $self->{file_mode} prohibits writing config";
     }
   
-    my $new_file = $file . "-new";
-    local(*F);
-    open(F, "> $new_file") || do {
-      carp "Unable to write temp config file $new_file: $!";
-      return undef;
-    };
-    my $oldfh = select(F);
+    my ($fh, $new_file) = tempfile(
+      "temp.ini-XXXXXXXXXX",
+      DIR => dirname($file)
+    );
+    my $oldfh = select($fh);
     $self->OutputConfig($parms{-delta});
-    close(F);
+    close($fh);
     select($oldfh);
     rename( $new_file, $file ) || do {
       carp "Unable to rename temp config file ($new_file) to $file: $!";
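
Review bot: the tempfile() call that replaces open() in this hunk has no failure path. File::Temp's tempfile() croaks when it cannot create the file (for example when dirname($file) is not writable), whereas the removed lines did carp "Unable to write temp config file ..." and return undef, so callers that test the return value will now die instead. Wrapping the call in eval { ... } and keeping the old carp / return undef on failure would preserve the previous behaviour. Two smaller points on the same lines: tempfile() creates the file with mode 0600, so unless code below the visible context resets permissions after rename(), the rewritten config file ends up readable by its owner only; and the result of close($fh) is still unchecked, so an incomplete write would be renamed over $file.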

Attachment: signature.asc
Description: Digital signature

