libproc-daemon-perl: CVE-2013-7135: Writes pidfile with mode 666

Related Vulnerabilities: CVE-2013-7135  

Debian Bug report logs - #732283
libproc-daemon-perl: CVE-2013-7135: Writes pidfile with mode 666


Reported by: christian mock <cm@coretec.at>

Date: Mon, 16 Dec 2013 11:09:02 UTC

Severity: normal

Tags: confirmed, security

Found in version libproc-daemon-perl/0.14-1

Fixed in version libproc-daemon-perl/0.14-2

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=91450



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#732283; Package libproc-daemon-perl. (Mon, 16 Dec 2013 11:09:06 GMT)


Acknowledgement sent to christian mock <cm@coretec.at>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 16 Dec 2013 11:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: christian mock <cm@coretec.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libproc-daemon-perl: Writes pidfile with mode 666
Date: Sun, 15 Dec 2013 20:33:59 +0100
Package: libproc-daemon-perl
Version: 0.14-1
Severity: normal

Dear Maintainer,

Proc::Daemon, when instructed to write a pid file, does that with a
umask set to 0, so the pid file ends up with mode 666. This is a
rather stupid idea and may well be a security issue.

-- System Information:
Debian Release: 7.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libproc-daemon-perl depends on:
ii  libproc-processtable-perl  0.45-6
ii  perl                       5.14.2-21+deb7u1

libproc-daemon-perl recommends no packages.

libproc-daemon-perl suggests no packages.

-- no debconf information



Added tag(s) confirmed and security. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Mon, 16 Dec 2013 19:21:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#732283; Package libproc-daemon-perl. (Mon, 16 Dec 2013 19:39:22 GMT)


Message #10 received at 732283@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 732283@bugs.debian.org, 732283-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libproc-daemon-perl package
Date: Mon, 16 Dec 2013 19:35:36 +0000
tag 732283 + pending
thanks

Some bugs in the libproc-daemon-perl package are closed in revision
86e8f7cbf39c33ecde20da0306962275f883ebbb in branch 'master' by Axel
Beckert

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=commitdiff;h=86e8f7c

Commit message:

    Add patch to use more secure umask for pid file (Closes: #732283)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 16 Dec 2013 19:39:28 GMT)


Message sent on to christian mock <cm@coretec.at>:
Bug#732283. (Mon, 16 Dec 2013 19:39:36 GMT)


Set Bug forwarded-to-address to 'https://rt.cpan.org/Public/Bug/Display.html?id=91450'. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Mon, 16 Dec 2013 19:54:15 GMT)


Message sent on to christian mock <cm@coretec.at>:
Bug#732283. (Mon, 16 Dec 2013 19:54:19 GMT)


Message #20 received at 732283-submitter@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: bug-Proc-Daemon@rt.cpan.org
Cc: 732283-submitter@bugs.debian.org
Subject: Fwd: Bug#732283: libproc-daemon-perl: Writes pidfile with mode 666
Date: Mon, 16 Dec 2013 20:50:45 +0100
Hi,

the following bug has been reported[1] against Proc::Daemon in Debian.
Patch at [2].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732283
[2] http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch

----- Forwarded message from christian mock <cm@coretec.at> -----
Date: Sun, 15 Dec 2013 20:33:59 +0100
From: christian mock <cm@coretec.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#732283: libproc-daemon-perl: Writes pidfile with mode 666
Sender: pkg-perl-maintainers <pkg-perl-maintainers-bounces+abe=deuxchevaux.org@lists.alioth.debian.org>
Reply-To: christian mock <cm@coretec.at>, 732283@bugs.debian.org

Package: libproc-daemon-perl
Version: 0.14-1
Severity: normal

Dear Maintainer,

Proc::Daemon, when instructed to write a pid file, does that with a
umask set to 0, so the pid file ends up with mode 666. This is a
rather stupid idea and may well be a security issue.

-- System Information:
Debian Release: 7.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libproc-daemon-perl depends on:
ii  libproc-processtable-perl  0.45-6
ii  perl                       5.14.2-21+deb7u1

libproc-daemon-perl recommends no packages.

libproc-daemon-perl suggests no packages.

-- no debconf information
----- End forwarded message -----

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5



Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Mon, 16 Dec 2013 21:25:14 GMT)


Notification sent to christian mock <cm@coretec.at>:
Bug acknowledged by developer. (Mon, 16 Dec 2013 21:25:14 GMT)


Message #25 received at 732283-close@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 732283-close@bugs.debian.org
Subject: Bug#732283: fixed in libproc-daemon-perl 0.14-2
Date: Mon, 16 Dec 2013 21:21:08 +0000
Source: libproc-daemon-perl
Source-Version: 0.14-2

We believe that the bug you reported is fixed in the latest version of
libproc-daemon-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 732283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated libproc-daemon-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 16 Dec 2013 20:40:39 +0100
Source: libproc-daemon-perl
Binary: libproc-daemon-perl
Architecture: source all
Version: 0.14-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description: 
 libproc-daemon-perl - module for running scripts as daemons
Closes: 732283
Changes: 
 libproc-daemon-perl (0.14-2) unstable; urgency=medium
 .
   * Team upload
 .
   [ Ansgar Burchardt ]
   * debian/control: Convert Vcs-* fields to Git.
 .
   [ Salvatore Bonaccorso ]
   * debian/copyright: Replace DEP5 Format-Specification URL from
     svn.debian.org to anonscm.debian.org URL.
   * Change Vcs-Git to canonical URI (git://anonscm.debian.org)
   * Change search.cpan.org based URIs to metacpan.org based URIs
 .
   [ Axel Beckert ]
   * debian/copyright: migrate pre-1.0 format to 1.0 using "cme fix dpkg-
     copyright"
   * Add patch to use more secure umask for pid file (Closes: #732283)
   * Apply wrap-and-sort.
   * Switch Homepage URL to metacpan.org based URL
   * Bump Standards-Version to 3.9.5 (no changes)
Checksums-Sha1: 
 c8cc5d0b48af3f021b5b80b5813fa0a670b303f3 1629 libproc-daemon-perl_0.14-2.dsc
 8531d29a80a74dbd6018724a09b678d86c505b01 3468 libproc-daemon-perl_0.14-2.debian.tar.gz
 b3ad4804c8340cd82569f922ba239feab93c1af6 21572 libproc-daemon-perl_0.14-2_all.deb
Checksums-Sha256: 
 d8c3e56af3cb02d7004e583a1fce1bb0c77e717fa34a93d924f354a96ff5c838 1629 libproc-daemon-perl_0.14-2.dsc
 1827d0521612eac1d5348095bad788aff4a08ae1b43720f3c73cbd18b5141eb9 3468 libproc-daemon-perl_0.14-2.debian.tar.gz
 76ebcb1c402cda50f637330196d01161a835b0ab5fc3d07623dc2dd7c65624e8 21572 libproc-daemon-perl_0.14-2_all.deb
Files: 
 f5e532e87bee72057ac090ebfacff7db 1629 perl optional libproc-daemon-perl_0.14-2.dsc
 5004deb44f58f40f19b46bec41810cce 3468 perl optional libproc-daemon-perl_0.14-2.debian.tar.gz
 bcffd866a6000a9821343e5c01ef07fc 21572 perl optional libproc-daemon-perl_0.14-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKvWvMACgkQwJ4diZWTDt5GOQCfdESL9psDhrLctMy+oNrwrXO/
9RcAn2Q8PX/4/26rkynh4TSGV9hokgEN
=Vqx8
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#732283; Package libproc-daemon-perl. (Mon, 16 Dec 2013 21:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 16 Dec 2013 21:39:05 GMT)


Message #30 received at 732283@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: oss-security@lists.openwall.com
Cc: 732283@bugs.debian.org, cm@coretec.at
Subject: CVE Request: Proc::Daemon writes pidfile with mode 666
Date: Mon, 16 Dec 2013 22:34:59 +0100
[Message part 1 (text/plain, inline)]
Hi Kurt,

christian mock <cm@coretec.at> has reported[1] that Proc::Daemon, when
instructed to write a pid file, does that with a umask set to 0, so
the pid file ends up with world-writable permissions.

Upstream bugreport is at [2].

 [1] http://bugs.debian.org/732283
 [2] https://rt.cpan.org/Ticket/Display.html?id=91450
 
Axel Beckert has committed a patch to the Debian packaging[3] and
forwarded it to upstream.

 [3] http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch

Could a CVE be assigned for this issue?

Regards and thanks in advance,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#732283; Package libproc-daemon-perl. (Wed, 18 Dec 2013 01:15:05 GMT)


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 18 Dec 2013 01:15:05 GMT)


Message #35 received at 732283@bugs.debian.org:

From: cve-assign@mitre.org
To: carnil@debian.org
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, cm@coretec.at, 732283@bugs.debian.org
Subject: Re: CVE Request: Proc::Daemon writes pidfile with mode 666
Date: Tue, 17 Dec 2013 20:04:31 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> christian mock <cm@coretec.at> has reported[1] that Proc::Daemon, when
> instructed to write a pid file, does that with a umask set to 0, so
> the pid file ends up with world-writable permissions.
> 
> Upstream bugreport is at [2].
> 
>  [1] http://bugs.debian.org/732283
>  [2] https://rt.cpan.org/Ticket/Display.html?id=91450
>  
> Axel Beckert has committed a patch to the Debian packaging[3] and
> forwarded it to upstream.
> 
>  [3] http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch
> 
> Could a CVE be assigned for this issue?

Use CVE-2013-7135.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSsPPCAAoJEKllVAevmvmsDjkH/0ArQqMr437ZRT3i8pvsAP+6
Wc39qGXxcEZCPxSHGv9HdoeGrYBWBwLLWKjtPV+iSKE67BtBV1YS+j1ISI9ST6cz
93dhjxnN2n9VyvXStRTo3nj20wRkbWEyBWN1hUaR3niDb7bd+QqRd7m79MGY6VkG
uAkXP5pJacezleLBM1900W3rvppbdU/tCe4Oc5pMSRUZU9V2XWB8Y9yrCOztYVH4
2sojMuUv9kMdeHRM9iskOw1oGPX4GK5eKj0c/unJ1w82zF/56hM5Rw+yqYIY0mcH
er0Cl1N7TFPfQEVPhYg2s2kZUVOjA4UuHEWuArY3hv4m8XFC+GlBtkm36/7wfv0=
=jG8p
-----END PGP SIGNATURE-----



Changed Bug title to 'libproc-daemon-perl: CVE-2013-7135: Writes pidfile with mode 666' from 'libproc-daemon-perl: Writes pidfile with mode 666'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Dec 2013 05:33:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jan 2014 07:32:27 GMT)


Bug unarchived. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Fri, 26 Dec 2014 21:00:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#732283; Package libproc-daemon-perl. (Fri, 26 Dec 2014 21:03:05 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 26 Dec 2014 21:03:05 GMT)


Message #46 received at 732283@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 732283@bugs.debian.org
Subject: Fwd: [rt.cpan.org #91450] Fwd: Bug#732283: libproc-daemon-perl: Writes pidfile with mode 666 [origin: bug-Proc-Daemon@rt.cpan.org]
Date: Fri, 26 Dec 2014 22:02:29 +0100
[Message part 1 (text/plain, inline)]
Hi,

I just received this modified patch from upstream and wanted to
document that in the BTS.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
[Message part 2 (message/rfc822, inline)]
From: "pavel.a.denisov@gmail.com via RT" <bug-Proc-Daemon@rt.cpan.org>
To: abe@debian.org
Subject: [rt.cpan.org #91450] Fwd: Bug#732283: libproc-daemon-perl: Writes pidfile with mode 666
Date: Fri, 26 Dec 2014 10:11:32 -0500
[Message part 3 (text/plain, inline)]
<URL: https://rt.cpan.org/Ticket/Display.html?id=91450 >

While the patch from Debian fixes the security issue, it makes all other files created by a daemon unreadable for other users, which is unwanted in some cases.
Attached patch fixes this problem.
[perl-Proc-Daemon-restore-umask.patch (text/x-diff, inline)]
diff -crB lib.orig/Proc/Daemon.pm lib/Proc/Daemon.pm
*** lib.orig/Proc/Daemon.pm	2013-12-18 10:13:31.000000000 -0400
--- lib/Proc/Daemon.pm	2014-12-18 14:14:43.358761046 -0400
***************
*** 152,157 ****
--- 152,158 ----
              die "Can't <chdir> to $self->{work_dir}: $!" unless chdir $self->{work_dir};
  
              # Clear the file creation mask.
+             $self->{_orig_umask} = umask;
              umask 066;
  
              # Detach the child from the terminal (no controlling tty), make it the
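Review bot: the unchanged context comment `# Clear the file creation mask.` directly above the new `$self->{_orig_umask} = umask;` line now contradicts the code, which saves the caller's mask and then tightens it with `umask 066;` rather than clearing it; reword it to something like `# Save the caller's umask, then tighten it so the pid file is created 0600.` so a later reader does not "fix" it back to `umask 0`. The save itself is right: `umask` with no argument only reads the current mask and does not change it.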
***************
*** 253,258 ****
--- 254,261 ----
                      # potential damage later.
                  }
  
+                 # Restore the original file creation mask.
+                 umask $self->{_orig_umask};
  
                  # Execute a system command and never return.
                  if ( $exec_command ) {
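Review bot: `umask $self->{_orig_umask};` restores the mask unconditionally, so if this point is ever reached on a path that did not pass through the save in the first hunk, `_orig_umask` is undef and the call degrades to `umask 0` (with an uninitialized-value warning under `use warnings`), which is exactly the world-writable setting this bug is about; guard it with `umask $self->{_orig_umask} if defined $self->{_orig_umask};`. Placing the restore before the `if ( $exec_command )` branch is the right spot, since it then covers both the exec path and the path that returns to the caller.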

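An added example, not code from Proc::Daemon, from the Debian pid.patch or from the upstream patch above, that illustrates the two points made in this thread: the original report (a umask of 0 leaves the pid file at mode 0666) and the upstream follow-up (tighten the mask only while the pid file is created, then restore it so later files keep normal permissions). It assumes a POSIX system with a writable temporary directory; the helpers `create_and_mode` and `with_umask` are names chosen here, not part of any of the patches.

```perl
#!/usr/bin/perl
# Added example (not code from Proc::Daemon or the patches in this bug): shows
# how the process umask decides the mode of a newly created pid file, and how to
# tighten the mask only while the pid file is written and then restore it, so
# that files the daemon creates later keep their usual permissions.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Create a file the way a pid file is created (open for writing, which asks the
# kernel for 0666 before the umask is applied) and return the permission bits
# the file actually got, as a four-digit octal string.
sub create_and_mode {
    my ($path) = @_;
    open my $fh, '>', $path or die "Can't create $path: $!";
    print {$fh} "$$\n";                    # a pid file holds the process id
    close $fh or die "Can't close $path: $!";
    return sprintf '%04o', (stat $path)[2] & 07777;
}

# Run $code under umask $mask and put the caller's umask back afterwards, even
# if $code dies. This is the save/restore idea of the upstream patch, scoped.
sub with_umask {
    my ($mask, $code) = @_;
    my $orig = umask;                      # no argument: read the mask, do not change it
    umask $mask;
    my @result = eval { $code->() };
    my $err = $@;
    umask $orig;                           # restore on success and on failure
    die $err if $err;
    return wantarray ? @result : $result[0];
}

my $dir = tempdir(CLEANUP => 1);          # constructed scratch directory for the demo

# umask 0 (the behaviour reported): nothing is masked off the 0666 request,
# so any local user can overwrite the pid file.
my $insecure = with_umask(0, sub { create_and_mode("$dir/insecure.pid") });

# umask 066 (what Debian's pid.patch sets): group and other read/write bits are
# masked off, so the pid file is owner-only.
my $secure = with_umask(066, sub { create_and_mode("$dir/secure.pid") });

# The mask is process-wide. Once it is restored, a file created afterwards gets
# the daemon's usual permissions under its own umask (here 022) instead of the
# owner-only mode, which is the concern raised in the upstream follow-up.
umask 022;
with_umask(066, sub { create_and_mode("$dir/another.pid") });
my $later = create_and_mode("$dir/later.log");

printf "umask 0   -> %s\n", $insecure;
printf "umask 066 -> %s\n", $secure;
printf "restored  -> %s under umask %04o\n", $later, umask;
```

Run it with `perl umask-demo.pl`: the first file comes out world-writable, the second owner-only, and the third carries the permissions the surrounding umask of 022 normally yields, with the reported umask back at 0022. Restoring inside `with_umask` rather than at one fixed point in the daemon's code is what keeps a thrown exception between save and restore from leaving the tightened (or, worse, a zero) mask in place for the rest of the process.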
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 24 Jan 2015 07:30:20 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:12:57 2019; Machine Name: buxtehude
