Your message dated Sun, 10 Feb 2013 17:17:04 +0000
with message-id <[email protected]>
and subject line Bug#650500: fixed in libproc-processtable-perl 0.45-1+squeeze1
has caused the Debian Bug report #650500,
regarding libproc-processtable-perl: [CVE-2011-4363] unsafe use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
650500: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650500
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libproc-processtable-perl
Version: 0.45-1
Severity: important
Tags: security

Proc::ProcessTable can cache TTY information (not enabled by default).
For this it uses the file /tmp/TTYDEVS.

If caching is enabled, there is a race condition that allows overwriting
arbitrary files in ProcessTable.pm:

102       if( -r $TTYDEVSFILE )
103       {
104         $_ = Storable::retrieve($TTYDEVSFILE);
  [...]
107       else
108       {
  [...]
112         Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);

If a symlink /tmp/TTYDEVS is created between lines 102 and 112, the file the
link points to is overwritten.  Alternatively, wrong information can be
provided.

The relevant code path can be reached with

  perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'

Ansgar



--- End Message ---
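The check-then-store pattern reported above, contrasted with a symlink-safe way to read and write such a cache file. This is an added example, not code from the report, from Proc::ProcessTable, or from the Debian upload; `load_cache`, `save_cache`, the per-user ownership check and the scratch-directory demo data are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW S_ISREG);
use File::Basename qw(dirname);
use File::Temp qw(tempdir);
use Storable ();

# Read the cache only if it is a regular file owned by the current user.
# O_NOFOLLOW makes the open fail on a symlink, and the checks run on the
# opened handle, so the file cannot be swapped between check and use.
sub load_cache {
    my ($path) = @_;
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or return;
    my @st = stat($fh) or return;
    return unless S_ISREG($st[2]) && $st[4] == $>;
    return Storable::fd_retrieve($fh);
}

# Write to a fresh temp file in the same directory (File::Temp creates it
# exclusively, mode 0600), then rename() it over the target. rename()
# replaces a symlink at $path instead of following it.
sub save_cache {
    my ($path, $data) = @_;
    my $tmp = File::Temp->new(DIR => dirname($path), UNLINK => 1);
    Storable::store_fd($data, $tmp) or die "store failed: $!";
    close($tmp) or die "close failed: $!";
    rename($tmp->filename, $path) or die "rename failed: $!";
    $tmp->unlink_on_destroy(0);
    return 1;
}

# Constructed demo in a private scratch directory: a symlink already sits
# where the cache file is expected, pointing at a file that must survive.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim.txt";
my $cache  = "$dir/TTYDEVS";
open(my $v, '>', $victim) or die "open: $!";
print {$v} "keep me\n";
close($v) or die "close: $!";
symlink($victim, $cache) or die "symlink: $!";

print "load through symlink: ", (defined load_cache($cache) ? "accepted" : "refused"), "\n";
save_cache($cache, { 1025 => '/dev/ttyS1' });    # constructed sample entry
print "victim size after save: ", -s $victim, " bytes\n";
print "cache is a symlink: ", (-l $cache ? "yes" : "no"), "\n";
print "round trip: ", load_cache($cache)->{1025}, "\n";
```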
--- Begin Message ---
Source: libproc-processtable-perl
Source-Version: 0.45-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libproc-processtable-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libproc-processtable-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Feb 2013 16:16:41 +0100
Source: libproc-processtable-perl
Binary: libproc-processtable-perl libproc-process-perl
Architecture: source amd64 all
Version: 0.45-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description: 
 libproc-process-perl - Dummy package for libproc-processtable-perl rename
 libproc-processtable-perl - Perl library for accessing process table information
Closes: 650500
Changes: 
 libproc-processtable-perl (0.45-1+squeeze1) stable; urgency=low
 .
   * Team upload.
   * [SECURITY] CVE-2011-4363: Fix unsafe temporary file usage (Closes: #650500)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
