Your message dated Sun, 10 Feb 2013 14:48:39 +0000
with message-id <[email protected]>
and subject line Bug#650500: fixed in libproc-processtable-perl 0.45-6
has caused the Debian Bug report #650500,
regarding libproc-processtable-perl: [CVE-2011-4363] unsafe use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
650500: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650500
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libproc-processtable-perl
Version: 0.45-1
Severity: important
Tags: security

Proc::ProcessTable can cache TTY information (not enabled by default).
For this it uses the file /tmp/TTYDEVS.

If caching is enabled, there is a race condition that allows overwriting
arbitrary files in ProcessTable.pm:

102       if( -r $TTYDEVSFILE )
103       {
104         $_ = Storable::retrieve($TTYDEVSFILE);
  [...]
107       else
108       {
  [...]
112         Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);

If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
link points to is overwritten.  Alternatively wrong information can be
provided.

The relevant code path can be reached with

  perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'

Ansgar



--- End Message ---
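A cache layout that avoids the check-then-store race described in the report above, as an added Perl example that is not Proc::ProcessTable's code or the Debian patch; the temporary directory stands in for a per-user cache directory, and the tty-to-device numbers are constructed:

```perl
# Added example, not Proc::ProcessTable's code or Debian's patch: a Storable
# cache without the check-then-store race. Private 0700 directory instead of a
# fixed /tmp name, O_EXCL temp file + rename on write, O_NOFOLLOW + fstat on read.
use strict; use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW :mode);
use File::Temp qw(tempdir tempfile);
use Storable qw(nstore_fd fd_retrieve);

# Refuse a cache directory that is a symlink, not ours, or writable by others.
sub checked_dir {
    my ($dir) = @_;
    my @st = lstat($dir) or die "lstat $dir: $!";
    die "$dir is not a private directory owned by uid $>\n"
        unless S_ISDIR($st[2]) && $st[4] == $> && !(S_IMODE($st[2]) & 022);
    return $dir;
}

# Write to a fresh 0600 O_EXCL temp file, then rename(2): a symlink planted at
# $path is replaced as a directory entry, never followed.
sub store_cache {
    my ($dir, $path, $data) = @_;
    checked_dir($dir);
    my ($fh, $tmp) = tempfile('TTYDEVS.XXXXXX', DIR => $dir, UNLINK => 0);
    nstore_fd($data, $fh) or die "nstore_fd: $!";
    close($fh) or die "close $tmp: $!";
    rename($tmp, $path) or die "rename $tmp -> $path: $!";
}

# O_NOFOLLOW makes open fail on a symlink; fstat on the handle (not a second
# stat on the path) checks the object that was actually opened.
sub retrieve_cache {
    my ($dir, $path) = @_;
    checked_dir($dir);
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or return undef;
    my @st = stat($fh) or die "fstat $path: $!";
    return undef unless S_ISREG($st[2]) && $st[4] == $> && !(S_IMODE($st[2]) & 022);
    return fd_retrieve($fh);
}

# Constructed demo: round-trip a small TTYDEVS-style map, then show that a
# symlink planted at the cache path is refused instead of being followed.
my $dir  = tempdir(CLEANUP => 1);   # stands in for a per-user cache directory
my $path = "$dir/TTYDEVS";
my %ttydevs = ('/dev/tty1' => 1025, '/dev/pts/0' => 34816);   # sample numbers
store_cache($dir, $path, \%ttydevs);
my $back = retrieve_cache($dir, $path);
print 'round-trip ', ($back->{'/dev/tty1'} == 1025 ? 'ok' : 'FAILED'), "\n";
unlink $path;
symlink("$dir/victim", $path) or die "symlink: $!";
print 'symlinked cache ', (defined(retrieve_cache($dir, $path)) ? 'followed' : 'refused'), "\n";
```

The second print shows the reader refusing the planted link; the original code's `-r` test followed by `Storable::store` on the same fixed path has no such check between test and use.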
--- Begin Message ---
Source: libproc-processtable-perl
Source-Version: 0.45-6

We believe that the bug you reported is fixed in the latest version of
libproc-processtable-perl, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated 
libproc-processtable-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 10 Feb 2013 15:01:30 +0100
Source: libproc-processtable-perl
Binary: libproc-processtable-perl
Architecture: source amd64
Version: 0.45-6
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description: 
 libproc-processtable-perl - Perl library for accessing process table information
Closes: 650500
Changes: 
 libproc-processtable-perl (0.45-6) unstable; urgency=low
 .
   * Add CVE-2011-4363.patch patch
     [SECURITY] CVE-2011-4363: Fix unsafe temporary file usage. (Closes: #650500)


--- End Message ---
