libcapture-tiny-perl: CVE-2014-1875: insecure use of /tmp

Debian Bug report logs - #737835
libcapture-tiny-perl: CVE-2014-1875: insecure use of /tmp

Toggle useless messages

Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Capture::Tiny: insecure use of /tmp

Date: Thu, 6 Feb 2014 12:52:21 +0100

[Message part 1 (text/plain, inline)]

Package: libcapture-tiny-perl
Version: 0.23-1
Severity: important
Tags: security

$ strace -f -o '| grep -E open.*/tmp' perl test.pl
11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3

The first temporary file is created securely, but the second open(2) 
call lacks the O_EXCL flag. The vulnerable code appears to be:

  # flag file is used to signal the child is ready
  $stash->{flag_files}{$which} = scalar tmpnam();

The File::temp::tmpnam documentation reads: “When called in scalar 
context, returns the full name (including path) of a temporary file 
(uses mktemp()). The only check is that the file does not already exist, 
but there is no guarantee that that condition will continue to apply.”


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcapture-tiny-perl depends on:
ii  perl  5.18.2-2

-- 
Jakub Wilk

[test.pl (text/x-perl, attachment)]

Message #8 received at 737835@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: oss-security@lists.openwall.com

Cc: Jakub Wilk <jwilk@debian.org>, 737835@bugs.debian.org

Subject: CVE Request: Capture::Tiny: insecure use of /tmp

Date: Thu, 6 Feb 2014 17:04:09 +0100

Hi

Jakub Wilk reported the following insecure use of /tmp on the Debian
BTS at [1].

 [1] http://bugs.debian.org/737835
 
On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:
> $ strace -f -o '| grep -E open.*/tmp' perl test.pl
> 11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
> 11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
> 
> The first temporary file is created securely, but the second open(2)
> call lacks the O_EXCL flag. The vulnerable code appears to be:
> 
>   # flag file is used to signal the child is ready
>   $stash->{flag_files}{$which} = scalar tmpnam();
> 
> The File::temp::tmpnam documentation reads: “When called in scalar
> context, returns the full name (including path) of a temporary file
> (uses mktemp()). The only check is that the file does not already
> exist, but there is no guarantee that that condition will continue
> to apply.”

There is no upstream commit to fix this issue yet.

Could a CVE be assigned for this insecure use of /tmp for the
Capture::Tiny module?

Regards,
Salvatore

Message #15 received at 737835@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org

To: carnil@debian.org

Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, jwilk@debian.org, 737835@bugs.debian.org

Subject: Re: CVE Request: Capture::Tiny: insecure use of /tmp

Date: Thu, 6 Feb 2014 23:37:26 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE,

Use CVE-2014-1875.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS9GHnAAoJEKllVAevmvms3t0IAKqhldJQYiAv3EwHVYI5hL7b
CaIDJ4wIQXfSoqs9ewV1phqNVSnKsgYS6WOp5AjqZZ3+CqSDLS2Jz7kThx7g7mo4
fOFcftX4tjrVrZ4dyoiKuCCGL8R/4Mo3ObmomZ1SbaVb4jtFVqxCOc4Kh52Ca/88
C9peyeQqpWV3kzM9+1sEgQatNTVNIonJiTg23XGSAY3wzLMiGP+teVfygZOO6Xxj
4S4IAx1PNg8GFR/qOEywPE3baWNttTL2RejwoqxUZn908+GXfWZdlCJn+Ku5xOeO
Wwawwv4lRRgrPGCPil5rhSdlIeSs08HCoEbcrOLMb5RFsI9FceOpCv7QUt5/gog=
=5gFh
-----END PGP SIGNATURE-----

Message #22 received at 737835-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 737835-close@bugs.debian.org

Subject: Bug#737835: fixed in libcapture-tiny-perl 0.24-1

Date: Fri, 07 Feb 2014 07:48:27 +0000

Source: libcapture-tiny-perl
Source-Version: 0.24-1

We believe that the bug you reported is fixed in the latest version of
libcapture-tiny-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libcapture-tiny-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Feb 2014 08:33:24 +0100
Source: libcapture-tiny-perl
Binary: libcapture-tiny-perl
Architecture: source all
Version: 0.24-1
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libcapture-tiny-perl - module to capture STDOUT and STDERR
Closes: 737835
Changes: 
 libcapture-tiny-perl (0.24-1) unstable; urgency=high
 .
   * Imported Upstream version 0.24
     - Fixes CVE-2014-1875: insecure use of /tmp. Opens temporary file in in
       exclusive mode (Closes: #737835)
   * Declare compliance with Debian Policy 3.9.5
   * Update copyright years for debian/* packaging
Checksums-Sha1: 
 e48674c3f391f74cfc512f43d58e2c011f34b152 2235 libcapture-tiny-perl_0.24-1.dsc
 1832229da007eb1a38d2418a7e1a35b8affb5d43 33995 libcapture-tiny-perl_0.24.orig.tar.gz
 6870209e52d1788579fbce0d12591c4a495d72ae 3000 libcapture-tiny-perl_0.24-1.debian.tar.xz
 a9909738a3d9aa69a4c218a8e8295b1d0fcb8bf6 22428 libcapture-tiny-perl_0.24-1_all.deb
Checksums-Sha256: 
 2a1dfe9b4c12f081f241ce61fb4983230f81ce91fa144a117c9e57f8686f0dc8 2235 libcapture-tiny-perl_0.24-1.dsc
 9bcf6f8472f8ea50401536cb070ac0c7770837d155c4d6abe212759863aae065 33995 libcapture-tiny-perl_0.24.orig.tar.gz
 809c851aaa60736d563d7ee99a8f7c239a055e557047c9f0828687d1d07cb218 3000 libcapture-tiny-perl_0.24-1.debian.tar.xz
 a6ab3e0f85bc1ba41804443e9ab71ffc95889215364e99012f43766cf89b814f 22428 libcapture-tiny-perl_0.24-1_all.deb
Files: 
 faf03c37d34f8af5739677443b9cabbf 2235 perl optional libcapture-tiny-perl_0.24-1.dsc
 718e9d62c4a27a3207cf8506cb99d846 33995 perl optional libcapture-tiny-perl_0.24.orig.tar.gz
 2b7e2c86a2ac68a2fa7cb6f3bc731737 3000 perl optional libcapture-tiny-perl_0.24-1.debian.tar.xz
 3d4e066ec77de1326fbd86f5af5bfbce 22428 perl optional libcapture-tiny-perl_0.24-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJS9I7GAAoJEAVMuPMTQ89ETZYQAIEkk1S11pSB1vbWvyWx/B+k
ttsuUFMqMe2+VqsS3+lDXHmXNy4DB7WTNeZXOkdDm/ubZj+jvrxxyqFcJ/hH3EVh
4ym8n4VRaLfc4NRucZXLqdwQY+LGWmjCVXdN9HICs1OBhsjnh6BZOQ0GB0/P5V7U
fEStDcoxik8kn2cfCO/tRYy3i6VluWEzmB/BgZAFxPE+DdlzbKGhibKtCCPGKEFt
t+w4VqXuFHLsXkO2q7cVkL/ftzuvHfuec8BBVjA6XCH1Bimk1OjRolKFDAfMccN4
Xpqaorjr4ceZMX42rw51bMTE3UHrzqqH3OR/u/5ALp/g1SjJaAC7nwao5v8lLWr1
opRPbypv1uEK8JkDo0KUIVTH0QgC/kqtCp9ch4v5Dqawykz3EcFzEuyRKPFkrYe9
8OwxziLAdqtGZoHpHothqyUQhk1hMmiVYhnkGQYRmvjarsu31zi2iSiGz5Lj3/h6
qgDcREprDa2ctbNrKQjCJEVVsOIHYL+T3FPBu8wImYgCpoFjuBZaJpb41HjxAd4V
DMLx9a69r8JHCD9GAW2Ca/hiK5LyDq5n/JJlj7gNL7w1IWoeeXlInLM+greoM5AT
PDNDVjgnJWJ2ersLp8HXB57i6GbWeGJkYa2/mCBxtvLMipHjwnZKMl5iEf/jHJC6
bgQ7aIGqRsNy/DjJYKLZ
=JO2W
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.