[rt.cpan.org #69560] PAR packed files are extracted to unsafe and predictable temporary directories
Sun Dec 04 12:08:08 2011: Request 69560 was acted upon.
Transaction: Correspondence added by RSCHUPP
Queue: PAR-Packer
Subject: PAR packed files are extracted to unsafe and predictable temporary directories
Broken in: (no value)
Severity: Critical
Owner: Nobody
Requestors: j...@nixnuts.net
Status: open
Ticket URL: https://rt.cpan.org/Ticket/Display.html?id=69560

Fixed in PAR 1.005 and PAR::Packer 1.012 (for *nix only)

[rt.cpan.org #69560] PAR packed files are extracted to unsafe and predictable temporary directories
Sat Nov 05 06:04:02 2011: Request 69560 was acted upon.
Transaction: Correspondence added by SMUELLER
Queue: PAR-Packer
Subject: PAR packed files are extracted to unsafe and predictable temporary directories
Broken in: (no value)
Severity: Critical
Owner: Nobody
Requestors: j...@nixnuts.net
Status: open
Ticket URL: https://rt.cpan.org/Ticket/Display.html?id=69560

Presumably, one could at least have a build-time option for pp (not packaging time, but PAR::Packer compilation time) that enables some extra measures:

    perl Makefile.PL --paranoid
    make test
    make install

a) assert ownership of all directories and files under $TMPDIR/par-$USER
b) assert that other can't write. (How portable would this be?)

Doing this by default would make the cached-startup slow enough to not warrant caching at all. That would make PAR::Packer useless for all but the most trivial scripts. Think about it. If any other executable would have to scan the entire perl source tree before starting, it'd be slower to boot than java.

Right now, the proper way to get entirely safe PAR'd executables is to set an alternate extraction/cache directory. See man PAR::Environment.

[rt.cpan.org #69560] PAR packed files are extracted to unsafe and predictable temporary directories
Fri Nov 04 12:21:17 2011: Request 69560 was acted upon.
Transaction: Correspondence added by lightsey
Queue: PAR-Packer
Subject: PAR packed files are extracted to unsafe and predictable temporary directories
Broken in: (no value)
Severity: Critical
Owner: Nobody
Requestors: j...@nixnuts.net
Status: open
Ticket URL: https://rt.cpan.org/Ticket/Display.html?id=69560

This bug has been assigned CVE-2011-4114

[rt.cpan.org #69560] PAR packed files are extracted to unsafe and predictable temporary directories
Mon Jul 18 22:16:46 2011: Request 69560 was acted upon.
Transaction: Ticket created by lightsey
Queue: PAR-Packer
Subject: PAR packed files are extracted to unsafe and predictable temporary directories
Broken in: (no value)
Severity: Critical
Owner: Nobody
Requestors: j...@nixnuts.net
Status: new
Ticket URL: https://rt.cpan.org/Ticket/Display.html?id=69560

par_mktmpdir() makes no effort to verify that the /tmp/par-username directory is safe to use (owned by the correct UID and GID, not world writable, no symlinks in the path that are owned by another user.) This makes PAR packed scripts unsafe on multiuser systems.

Example:

1) start with a clean /tmp (reboot the system, tmpwatch, etc.)
2) attacker does mkdir /tmp/par-victim
3) victim runs a PAR packed program
4) attacker now moves the cache directory aside and copies it back to its original location so that she owns all of the files and can modify them at will.
5) victim runs the PAR packed program again and is now executing attacker's code.
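
Added example, not part of the ticket and not PAR's own code: one way to do the top-level check the report says par_mktmpdir() lacks (a real directory, owned by the caller, not writable by group or other) before a cache directory is reused. The function names are hypothetical, and it assumes the parent directory is a sticky, root-owned /tmp.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: return 0 if path is a real directory owned by uid
 * with no group/other write permission, -1 otherwise. lstat() is used so
 * that a symlink planted at path is rejected instead of being followed. */
int cache_dir_is_safe(const char *path, uid_t uid)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return -1;                      /* missing or unreadable */
    if (!S_ISDIR(st.st_mode))
        return -1;                      /* symlink, file, fifo, ... */
    if (st.st_uid != uid)
        return -1;                      /* pre-created by someone else */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                      /* others could modify contents */
    return 0;
}

/* Hypothetical helper: create path with mode 0700, or accept an existing
 * entry only if it passes the check above. mkdir() does not follow a
 * symlink at path; it fails with EEXIST and the check then rejects it. */
int ensure_cache_dir(const char *path)
{
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    return cache_dir_is_safe(path, geteuid());
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s DIR\n", argv[0]);
        return EXIT_FAILURE;
    }
    if (ensure_cache_dir(argv[1]) != 0) {
        fprintf(stderr, "%s: refusing to use as cache directory\n", argv[1]);
        return EXIT_FAILURE;
    }
    printf("%s: ok\n", argv[1]);
    return EXIT_SUCCESS;
}
```

This validates only the top-level directory, which is a single lstat() per start; it does not walk the files underneath, which is the per-file scan whose startup cost is discussed in the correspondence above.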