libxml-dt-perl: Insecure use of temporary files (CVE-2014-5260)

Debian Bug report logs - #756566
libxml-dt-perl: Insecure use of temporary files (CVE-2014-5260)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <steve@steve.org.uk>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libxml-dt-perl: Insecure use of temporary files

Date: Wed, 30 Jul 2014 23:31:43 +0100

Package: libxml-dt-perl
Version: 0.62-1
Severity: important
Tags: security


The libxml-dt-perl package installs the script "/usr/bin/mkxmltype"
which blindly overwrites the contents of the file:

	/tmp/_xml_$$

(Where '$$' corresponds to the PID of the process.)

This is insecure and can allow the truncation of arbitrary files
the user has permission to access.

A similar problem exists in /usr/bin/mkdtskel, again the file
accessed is /tmp/_xml_$$.

Both scripts should be updated to use File::Temp, or similar.


Steve
--  
http://steve.org.uk/

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Message #12 received at 756566@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org

To: 756566@bugs.debian.org, 756566-submitter@bugs.debian.org

Subject: Pending fixes for bugs in the libxml-dt-perl package

Date: Thu, 31 Jul 2014 18:55:32 +0000

tag 756566 + pending
thanks

Some bugs in the libxml-dt-perl package are closed in revision
2165a4402d13e340bd16e5c644c467d67a629a42 in branch 'master' by Damyan
Ivanov

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libxml-dt-perl.git;a=commitdiff;h=2165a44

Commit message:

    add patch fixing insecure usage of temporary files
    
    Thanks to Steve Kemp. Closes: #756566

Message #24 received at 756566-close@bugs.debian.org (full text, mbox, reply):

From: gregor herrmann <gregoa@debian.org>

To: 756566-close@bugs.debian.org

Subject: Bug#756566: fixed in libxml-dt-perl 0.65-1

Date: Fri, 01 Aug 2014 22:35:55 +0000

Source: libxml-dt-perl
Source-Version: 0.65-1

We believe that the bug you reported is fixed in the latest version of
libxml-dt-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 756566@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libxml-dt-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Aug 2014 00:19:20 +0200
Source: libxml-dt-perl
Binary: libxml-dt-perl
Architecture: source all
Version: 0.65-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description:
 libxml-dt-perl - module for down translation of XML files
Closes: 756566
Changes:
 libxml-dt-perl (0.65-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ gregor herrmann ]
   * Strip trailing slash from metacpan URLs.
 .
   [ Damyan Ivanov ]
   * Imported Upstream version 0.64
   * Standards-Version: 3.9.5 (no changes needed)
 .
   [ gregor herrmann ]
   * New upstream release 0.65.
     Fixes insecure usage of temporary files.
     Thanks to Steve Kemp. Closes: #756566
   * Update years of packaging copyright.
Checksums-Sha1:
 a6c69d96a2c64678140ab48311a38f0af03f3e6e 2224 libxml-dt-perl_0.65-1.dsc
 9b30be10ad6bc561cdd8d7d22a49f1ed7b9f9f32 30834 libxml-dt-perl_0.65.orig.tar.gz
 3796f93e0680aab9d4799de70de9c8a11100443b 2292 libxml-dt-perl_0.65-1.debian.tar.xz
 b7ff732127eba644301b942a1c1882141cffeb8a 40396 libxml-dt-perl_0.65-1_all.deb
Checksums-Sha256:
 3003c29cf5adc55dbfb16a81b9615f59c44bc7fe2eeda79204b75865c59566b3 2224 libxml-dt-perl_0.65-1.dsc
 ab3e6ddec24ca602d82fc8a9bc7714424bc104638a699e9273b4b0c1dfedd683 30834 libxml-dt-perl_0.65.orig.tar.gz
 140b1b0c035a8f3bd1fccd890c1d41ec8a3adc7bd6321c8d97ee0e602dd55591 2292 libxml-dt-perl_0.65-1.debian.tar.xz
 58f6934214eb0b8845a516fb51b82ff45afb86f203acbed5aa67f24b9e72e755 40396 libxml-dt-perl_0.65-1_all.deb
Files:
 1e33a90895fbece16e11f38b674ffe8a 40396 perl optional libxml-dt-perl_0.65-1_all.deb
 19bf45ac0f6bc649747d9ca0f36098ab 2224 perl optional libxml-dt-perl_0.65-1.dsc
 07ecc85931231b9dc791de6481fc6793 30834 perl optional libxml-dt-perl_0.65.orig.tar.gz
 6e3d0f36da6eb6ca4cbe373aa93fa6d2 2292 perl optional libxml-dt-perl_0.65-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJT3BKTXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGvmQQALAuq7IoG7mgbVAfwE7TmcTd
qk/KJJyxsvruJ5Zq1SREzWUjWRuZ0sEnQkXTEH/7dHcq6DhlAmNWb0bQF2QaX4oS
vB5EMDbXCnmnS5psBpe2UwCgxqJGB8oVVI0QJ0jPzw95Tnx3zYdp/e2fah4f8Kne
gG/fvh4chr/a+pL6YH7UW65VUJLa7ombs0Z2+nJksP+5XOimofM5PS5Dxx3cvMxb
jp8TwLBt1Z5T+YkzaiCc8crT7b1L9DFtpcUQMK3llS3U9fgN6xLQ7lOIQyfRuvdj
HR2Gej07bG8lSchB6Pwld8+GakkTOOHx/yf5MmbOlWFsBgKXfm37QNmLVOqNO/Le
++yrN+wZ1M59MEQH0wKiqMBbsCuG8mLXE+W3SzNt0Hb5SJOWNctfMAsVjAFb4Tw+
UWBFp4dxIiBhm31Rr3NXtKZtA5WZIrxjM+ioe40GNVhhhlX91dN9mGG++P+wfvVl
RHZq8oBycvmxqxLvOhKchHFrodMTPZ1e+2bAU4tgiCTejmSEXtsZUDlmC6e3VHYv
qwTu/D1QGC2X4ofyGOy35sQUAvAPDUKM+7abyYiknLd9muesH5JXje5yjDB981KK
Ke7gLaAmQtJbpsPPlX/e48rIkoBkgpBS4IkHxt020jCHZ/EcvsuQFWE+HvrIAhhy
RkkGpKpUyYkRUI3qQfxr
=isUn
-----END PGP SIGNATURE-----

Message #29 received at 756566@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org

To: carnil@debian.org

Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, steve@steve.org.uk, ambs@perl-hackers.net, 756566@bugs.debian.org

Subject: Re: CVE Request: XML-DT: Insecure use of temporary files

Date: Fri, 15 Aug 2014 16:10:12 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> mkdtskel and mkxmltype using insecurely temporary files using the pid
> of the process in the temporary file name.
> 
> /tmp/_xml_$$
> 
> https://bugs.debian.org/756566

Use CVE-2014-5260.


> fixed in XML-DT 0.65 upstream, see
> 
> https://metacpan.org/diff/file?target=AMBS/XML-DT-0.65/&source=AMBS/XML-DT-0.63/

This actually doesn't seem to be fixed. However, we don't immediately
see a security problem in version 0.65 (only a usability problem), so
a second CVE ID isn't assigned at this point.

Specifically, the latest version has:

  https://metacpan.org/source/AMBS/XML-DT-0.65/mkxmltype

  system("head -$lines $fname | xmllint --recover - > $fname");

which looks unintended (maybe $fname will always end up as a
zero-length file?). 

This apparently also affects libxml-dt-perl (0.65-1) from the
https://packages.debian.org/sid/libxml-dt-perl page.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT7mhqAAoJEKllVAevmvmsd6wH/1kq/+SPIZPj73hx7gHdF6Bs
apbtdF7zITzl+o9sNkiq/PR8a8Hln6ZvqCuyZMinQu9xv1mfanpheSsCw810q5ou
dP1Bhv+4zN91ukEMKnugYH3xnLn3GXnm0XXDL+mN90I4ev/CKJbKzLoeqHWxy0Ah
k1YDC1dG5eS9EIT6OhOWAZKX1zYB5SJ8SiyIhomp94Jymtnqd6IKs7kTkinaeoJ6
AgSEFugTT6pr46rRKf+dkZ+KhsrhTLYVUGVajwYVOSQRPKLaMdIfdAwcM99fhfrX
k81O1GIO2CPRXslzzdqTTgoqaPjx9TqXQZdCA2CCKrDH1RHIpyPQCNrGAbTOeMk=
=dNlw
-----END PGP SIGNATURE-----

Message #34 received at 756566@bugs.debian.org (full text, mbox, reply):

From: Alberto Simoes <ambs@perl-hackers.net>

To: cve-assign@mitre.org, carnil@debian.org

Cc: oss-security@lists.openwall.com, steve@steve.org.uk, 756566@bugs.debian.org, Nuno Carvalho <mestre.smash@gmail.com>

Subject: Re: CVE Request: XML-DT: Insecure use of temporary files

Date: Fri, 15 Aug 2014 21:19:12 +0100

Hello all,

This was fixed in XML-DT-0.66 fixing that issue.
It was just released to CPAN.

Thank you
alberto

On 15/08/14, 21:10, cve-assign@mitre.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> mkdtskel and mkxmltype using insecurely temporary files using the pid
>> of the process in the temporary file name.
>>
>> /tmp/_xml_$$
>>
>> https://bugs.debian.org/756566
>
> Use CVE-2014-5260.
>
>
>> fixed in XML-DT 0.65 upstream, see
>>
>> https://metacpan.org/diff/file?target=AMBS/XML-DT-0.65/&source=AMBS/XML-DT-0.63/
>
> This actually doesn't seem to be fixed. However, we don't immediately
> see a security problem in version 0.65 (only a usability problem), so
> a second CVE ID isn't assigned at this point.
>
> Specifically, the latest version has:
>
>    https://metacpan.org/source/AMBS/XML-DT-0.65/mkxmltype
>
>    system("head -$lines $fname | xmllint --recover - > $fname");
>
> which looks unintended (maybe $fname will always end up as a
> zero-length file?).
>
> This apparently also affects libxml-dt-perl (0.65-1) from the
> https://packages.debian.org/sid/libxml-dt-perl page.
>
> - --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (SunOS)
>
> iQEcBAEBAgAGBQJT7mhqAAoJEKllVAevmvmsd6wH/1kq/+SPIZPj73hx7gHdF6Bs
> apbtdF7zITzl+o9sNkiq/PR8a8Hln6ZvqCuyZMinQu9xv1mfanpheSsCw810q5ou
> dP1Bhv+4zN91ukEMKnugYH3xnLn3GXnm0XXDL+mN90I4ev/CKJbKzLoeqHWxy0Ah
> k1YDC1dG5eS9EIT6OhOWAZKX1zYB5SJ8SiyIhomp94Jymtnqd6IKs7kTkinaeoJ6
> AgSEFugTT6pr46rRKf+dkZ+KhsrhTLYVUGVajwYVOSQRPKLaMdIfdAwcM99fhfrX
> k81O1GIO2CPRXslzzdqTTgoqaPjx9TqXQZdCA2CCKrDH1RHIpyPQCNrGAbTOeMk=
> =dNlw
> -----END PGP SIGNATURE-----
>

Message #45 received at 756566-close@bugs.debian.org (full text, mbox, reply):

From: gregor herrmann <gregoa@debian.org>

To: 756566-close@bugs.debian.org

Subject: Bug#756566: fixed in libxml-dt-perl 0.66-1

Date: Fri, 15 Aug 2014 21:43:07 +0000

Source: libxml-dt-perl
Source-Version: 0.66-1

We believe that the bug you reported is fixed in the latest version of
libxml-dt-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 756566@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libxml-dt-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Aug 2014 22:56:46 +0200
Source: libxml-dt-perl
Binary: libxml-dt-perl
Architecture: source all
Version: 0.66-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description:
 libxml-dt-perl - module for down translation of XML files
Closes: 756566
Changes:
 libxml-dt-perl (0.66-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     [CVE-2014-5260] Add missing part to the fix for the insecure useage of
     tempfile issue. Closes: #756566.
Checksums-Sha1:
 d6b46be65b20df619e86500af8d46aa7564c338f 2224 libxml-dt-perl_0.66-1.dsc
 3995ad29bf87e47078b256bac20c23b03569197b 30852 libxml-dt-perl_0.66.orig.tar.gz
 e968a887dec8fb4c751245151e629cc4c6bb9260 2360 libxml-dt-perl_0.66-1.debian.tar.xz
 f8183330c30703f8674e7cdbfddcd7d4fcc30caa 40470 libxml-dt-perl_0.66-1_all.deb
Checksums-Sha256:
 cee4b94526459aeaa2d485b190b97caa2ce0d6e0a43623b822cf36ec52d8569b 2224 libxml-dt-perl_0.66-1.dsc
 bf3229984c00cbf2d7b2a66c21bbf4835573f99f84bc9bca4e22ee2d831638bb 30852 libxml-dt-perl_0.66.orig.tar.gz
 d2b2043a6018a7ff78d7159137e42faa98fbf987892a684369ffefba677b5dcc 2360 libxml-dt-perl_0.66-1.debian.tar.xz
 029994dc40e5db5b8f5dfc9dc3c1e52615d2c034fe636eb6b99bea84c7c52d00 40470 libxml-dt-perl_0.66-1_all.deb
Files:
 63d2bb3157fc1f19dba08d072a591747 40470 perl optional libxml-dt-perl_0.66-1_all.deb
 bd241d32d1a80e5c02f0a18e6f30605d 2224 perl optional libxml-dt-perl_0.66-1.dsc
 4460093484d0132637473e4388a3976e 30852 perl optional libxml-dt-perl_0.66.orig.tar.gz
 45ba74c58609d90904d52a6098d72eb8 2360 perl optional libxml-dt-perl_0.66-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJT7nRCXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGcIoQAKnitajK7yM1Rdy5YD5APatx
WOGo0Uqv7jYcdBKJFKC5Eg0zSFTq8OtiVglcijHTK4XWVEb/pa37Xm/esiqNBD1F
adQF1f4RWiLobnIuwMa4P2MdKHLS58F6HlIqiOTgpBI2thoXfqotmqHdT918do01
+A6s6aNhEM1bmbimgWaRlDM7q0+3j0r3gaFne2Z3Y1dkAHSun7MrK7nf4OP6UGDz
ElYpe63R5BONMrQNhobuEue+7OIXmrFWlEfHr7eU14noOu4rxok16txiVvfudrbI
/cuvAErPkud10NUuGyNU7xJ60Ap5T7m82/hO8uz89K4Tv01ki832QqZOR5+/Z1A9
1QuNdHtewqzAhfpQCui1gAFTtnumYToDzNJ8ewEMp8pZ1laoMu9hcyL14dkEuLuN
D4MkCno+vKQf4QHsnFJW/hLtehZD1TtBiouiKX03phYdGn5tkz6lu/OBMPNW94cM
zdZcWMoqZ9f+xBVc4mK3Hw98wkchwppG2MA456Rb9thR1cmz4mFYHZ6gQ9me0tAY
X3m4xJIoJWpI2MuAi4wLn+EaRNu7xYvPaiTQXMhnYcCW+PtIOjy99MMSXhUbasKc
U7c/tGzX0EYewSzUmLI/ekIovTIHcV6MPwF/vDChVv5y466jHcgm6rxAA/HUMzcc
Mb4soX1d70rjHk2RlxDK
=NMnK
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.