Mon Jul 18 22:16:46 2011: Request 69560 was acted upon.
Transaction: Ticket created by lightsey
Queue: PAR-Packer
Subject: PAR packed files are extracted to unsafe and predictable temporary directories
Broken in: (no value)
Severity: Critical
Owner: Nobody
Requestors: j...@nixnuts.net
Status: new
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=69560 >

par_mktmpdir() makes no effort to verify that the /tmp/par-<username> directory is safe to use (owned by the correct UID and GID, not world writable, no symlinks in the path that are owned by another user). This makes PAR packed scripts unsafe on multiuser systems.

Example:

1) start with a clean /tmp (reboot the system, tmpwatch, etc.)
2) attacker does mkdir /tmp/par-victim
3) victim runs a PAR packed program
4) attacker now moves the cache directory aside and copies it back to its original location so that she owns all of the files and can modify them at will.
5) victim runs the PAR packed program again and is now executing attacker's code.
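
The checks the report says are missing can be sketched as follows. This is an added example, not PAR-Packer code and not part of the original ticket; safe_cache_dir() is a hypothetical helper that covers the owner, symlink and write-permission conditions for the final path component only.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not PAR-Packer code): returns 0 if `path` can be used
 * as a private cache directory by the current user, -1 otherwise. */
int safe_cache_dir(const char *path)
{
    struct stat st;

    /* Create owner-only; if the name already exists it is vetted below. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* lstat() reports a symlink at the final component instead of following it. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;                  /* symlink, regular file, fifo, ... */
    if (st.st_uid != geteuid())
        return -1;                  /* pre-created by another user */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                  /* group- or world-writable */
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed demo: run against a fresh directory unless a path is given. */
    char base[] = "/tmp/par-demo-XXXXXX";
    char path[256];

    if (argc > 1) {
        snprintf(path, sizeof path, "%s", argv[1]);
    } else {
        if (mkdtemp(base) == NULL)
            return 1;
        snprintf(path, sizeof path, "%s/cache", base);
    }
    if (safe_cache_dir(path) != 0) {
        fprintf(stderr, "refusing to use %s\n", path);
        return 1;
    }
    printf("%s is safe to use\n", path);
    return 0;
}
```

A directory pre-created by another user, as in step 2 of the example, fails the st_uid comparison, so the program would refuse to extract into it. The ownership of parent path components, which the report also lists, is not checked here.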