The current consumers of this module in ports don't specify the pid_file
parameter.  Still, a future port could.  This is CVE-2013-7135 btw.

ok?

 http://bugs.debian.org/732283
 https://rt.cpan.org/Ticket/Display.html?id=91450
 
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libproc-daemon-perl.git;a=blob;f=debian/patches/pid.patch

Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/p5-Proc-Daemon/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile    11 Mar 2013 10:50:21 -0000      1.8
+++ Makefile    18 Dec 2013 13:58:18 -0000
@@ -4,6 +4,7 @@ COMMENT=        run perl program as a daemon p
 
 MODULES=       cpan
 DISTNAME=      Proc-Daemon-0.14
+REVISION=      0
 CATEGORIES=    devel
 
 # perl
Index: patches/patch-lib_Proc_Daemon_pm
===================================================================
RCS file: patches/patch-lib_Proc_Daemon_pm
diff -N patches/patch-lib_Proc_Daemon_pm
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-lib_Proc_Daemon_pm    18 Dec 2013 14:01:12 -0000
@@ -0,0 +1,36 @@
+$OpenBSD$
+
+Fix for CVE-2013-7135.
+Upstream ticket: https://rt.cpan.org/Ticket/Display.html?id=91450
+
+--- lib/Proc/Daemon.pm.orig    Fri Jun  3 09:46:44 2011
++++ lib/Proc/Daemon.pm Wed Dec 18 14:58:09 2013
+@@ -281,10 +281,13 @@ sub Init {
+             }
+             # ... the real 'pid_file'.
+             if ( $self->{pid_file} ) {
++              # Deny r/w access to others
++                my $umask = umask(0022);
+                 open( my $FH_PIDFILE, "+>", $self->{pid_file} ) ||
+                     die "Can not open pidfile (pid_file => 
'$self->{pid_file}'): $!";
+                 print $FH_PIDFILE $pid;
+                 close $FH_PIDFILE;
++              umask($umask);
+             }
+ 
+ 
+@@ -514,12 +517,14 @@ sub Kill_Daemon {
+     my $killed = kill( $signal, $pid );
+ 
+     if ( $killed && $pidfile ) {
++        my $umask = umask(0022);
+         # Set PID in pid file to '0'.
+         if ( open( my $FH_PIDFILE, "+>", $pidfile ) ) {
+             print $FH_PIDFILE '0';
+             close $FH_PIDFILE;
+         }
+         else { warn "Can not open pidfile (pid_file => '$pidfile'): $!" }
++      umask($umask);
+     }
+ 
+     return $killed;
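Review bot: `umask(0022)` only influences the mode of a file that `open` creates, so in both Init and Kill_Daemon a pidfile that already exists with group- or world-writable permissions is truncated and rewritten with those permissions intact; clearing the bits on the opened handle, e.g. `chmod( (stat $FH_PIDFILE)[2] & 07755, $FH_PIDFILE );` after each successful open, would cover that case. Setting the mask to exactly 0022 also discards whatever mask was in effect, which in Kill_Daemon could loosen a stricter caller mask such as 0077; `my $umask = umask(); umask($umask | 0022);` keeps the caller's bits. In Init the `die` on a failed open skips `umask($umask)`, so a caller that traps the exception continues with the changed mask; restoring it before dying would be cleaner. The added comment `# Deny r/w access to others` overstates the effect, since 0022 removes only write access for group and others, and `# Deny write access to group and others` would match the code. Both subs start and end outside the embedded hunks, so any earlier mask handling in them is not visible here.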


-- 
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494
