Debian Bug report logs - #737835
libcapture-tiny-perl: CVE-2014-1875: insecure use of /tmp
Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#737835; Package libcapture-tiny-perl. (Thu, 06 Feb 2014 11:57:07 GMT)
Message #3 received at submit@bugs.debian.org:
Package: libcapture-tiny-perl
Version: 0.23-1
Severity: important
Tags: security
$ strace -f -o '| grep -E open.*/tmp' perl test.pl
11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
The first temporary file is created securely, but the second open(2)
call lacks the O_EXCL flag. The vulnerable code appears to be:
# flag file is used to signal the child is ready
$stash->{flag_files}{$which} = scalar tmpnam();
The File::temp::tmpnam documentation reads: “When called in scalar
context, returns the full name (including path) of a temporary file
(uses mktemp()). The only check is that the file does not already exist,
but there is no guarantee that that condition will continue to apply.”
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libcapture-tiny-perl depends on:
ii perl 5.18.2-2
--
Jakub Wilk
[test.pl (text/x-perl, attachment)]
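The two open(2) patterns the report contrasts, as an added Perl example (not Capture::Tiny's code or its eventual fix): the name-only scalar tmpnam() sequence beside atomic exclusive creation, with a post-creation ownership check. The function names are illustrative.

```perl
#!/usr/bin/perl
# Added example, not Capture::Tiny code: the name-only pattern the report
# describes beside atomic exclusive creation of a temporary flag file.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile tmpnam);

# Race-prone: scalar tmpnam() only returns a name that does not exist at
# that instant. Creating it later with '>' is open(2) with
# O_WRONLY|O_CREAT|O_TRUNC (the second strace line): no O_EXCL, symlinks
# followed, so whatever appears at that path in between gets truncated.
sub flag_file_unsafe {
    my $name = scalar tmpnam();                       # no file exists yet
    open my $fh, '>', $name or die "open $name: $!";  # window closes here
    return ($fh, $name);
}

# Fixed pattern: create and open in one step. O_EXCL makes open(2) fail
# with EEXIST if anything, including a symlink, already sits at the path;
# O_NOFOLLOW refuses to traverse a symlink at all; mode 0600 keeps it
# private (the first strace line shows the same protective flags).
sub create_exclusive {
    my ($name) = @_;
    sysopen my $fh, $name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600
        or return;   # $! is EEXIST when something beat us to the name
    return $fh;
}

# Simplest fix: let File::Temp pick the name and do the exclusive open.
sub flag_file_safe {
    my ($fh, $name) = tempfile(UNLINK => 1);   # O_CREAT|O_EXCL inside
    my @st = lstat $name or die "lstat $name: $!";
    # Belt and braces: a regular file, one hard link, owned by us.
    die "unexpected file at $name" unless -f _ && $st[3] == 1 && $st[4] == $<;
    return ($fh, $name);
}

my ($fh, $name) = flag_file_safe();
print "created $name exclusively\n";
# A second exclusive open of the same name must fail: that is the
# guarantee the scalar tmpnam() + '>' sequence lacks.
defined create_exclusive($name)
    ? die "exclusive open unexpectedly succeeded on $name"
    : print "second exclusive open refused: $!\n";
close $fh;
```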
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#737835; Package libcapture-tiny-perl. (Thu, 06 Feb 2014 16:09:23 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 06 Feb 2014 16:09:23 GMT)
Message #8 received at 737835@bugs.debian.org:
Hi
Jakub Wilk reported the following insecure use of /tmp on the Debian
BTS at [1].
[1] http://bugs.debian.org/737835
On Thu, Feb 06, 2014 at 12:52:21PM +0100, Jakub Wilk wrote:
> $ strace -f -o '| grep -E open.*/tmp' perl test.pl
> 11181 open("/tmp/8NDe_c4S_N", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 5
> 11183 open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
>
> The first temporary file is created securely, but the second open(2)
> call lacks the O_EXCL flag. The vulnerable code appears to be:
>
> # flag file is used to signal the child is ready
> $stash->{flag_files}{$which} = scalar tmpnam();
>
> The File::temp::tmpnam documentation reads: “When called in scalar
> context, returns the full name (including path) of a temporary file
> (uses mktemp()). The only check is that the file does not already
> exist, but there is no guarantee that that condition will continue
> to apply.”
There is no upstream commit to fix this issue yet.
Could a CVE be assigned for this insecure use of /tmp for the
Capture::Tiny module?
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#737835; Package libcapture-tiny-perl. (Fri, 07 Feb 2014 04:51:05 GMT)
Acknowledgement sent to cve-assign@mitre.org: Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 07 Feb 2014 04:51:05 GMT)
Message #15 received at 737835@bugs.debian.org:
> open("/tmp/5KKGPDNyy0", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE,
Use CVE-2014-1875.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Changed Bug title to 'libcapture-tiny-perl: CVE-2014-1875: insecure use of /tmp' from 'Capture::Tiny: insecure use of /tmp'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 Feb 2014 07:42:17 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Fri, 07 Feb 2014 07:51:15 GMT)
Notification sent to Jakub Wilk <jwilk@debian.org>: Bug acknowledged by developer. (Fri, 07 Feb 2014 07:51:15 GMT)
Message #22 received at 737835-close@bugs.debian.org:
Source: libcapture-tiny-perl
Source-Version: 0.24-1
We believe that the bug you reported is fixed in the latest version of
libcapture-tiny-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 737835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libcapture-tiny-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 07 Feb 2014 08:33:24 +0100
Source: libcapture-tiny-perl
Binary: libcapture-tiny-perl
Architecture: source all
Version: 0.24-1
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libcapture-tiny-perl - module to capture STDOUT and STDERR
Closes: 737835
Changes:
libcapture-tiny-perl (0.24-1) unstable; urgency=high
.
* Imported Upstream version 0.24
- Fixes CVE-2014-1875: insecure use of /tmp. Opens temporary file in
exclusive mode (Closes: #737835)
* Declare compliance with Debian Policy 3.9.5
* Update copyright years for debian/* packaging
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Mar 2014 07:29:17 GMT)
Last modified: Wed Jun 19 17:42:37 2019