Date: Tue, 04 Mar 2014 13:49:35 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: 740670@...s.debian.org
Subject: possible CVE requests: perltidy insecure temporary file usage

Good morning,

Jakub Wilk and Don Armstrong are discussing in 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740670 1) perltidy 
creating a temporary file with default permissions instead of 0600 2) 
the use of tmpnam().

From that bug:

     my $name = "perltidy.TMP";
     if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
         return $name;
     }

Would this be a separate issue on those platforms (predictable temporary 
file in current working directory, run perltidy in attacker-controlled 
directory...)? On perltidy-20090616-2.1.el6.src.rpm this was only called 
when using the "-html" option and a pod file as input, and looks to then 
possibly open it insecurely:

     else {
         $tmpfile = Perl::Tidy::make_temporary_filename();   # may return "perltidy.TMP" in the cwd
     }
     my $fh_tmp = IO::File->new( $tmpfile, 'w' );   # plain 'w': no O_EXCL, permissions from the umask

Trying with a much newer version on Fedora, I received errors about 
tmpnam not working and it didn't appear to be called, but haven't spent 
time debugging that yet.

Regarding other platforms:

     my $name = "perltidy.TMP";   # fixed name, relative to the current directory
     if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
         return $name;            # these platforms always get the predictable name
     }
     eval "use POSIX qw(tmpnam)";
     if ($@) { return $name }     # fallback when POSIX::tmpnam cannot be imported

Is the POSIX module a core part of Perl, as in, the "return $name" part 
will never be called?

Regarding the use of tmpnam, is it safe/not an issue if you open the 
resulting filename with O_CREAT and O_EXCL (as perltidy does)?

I am not sure if these qualify for CVEs but I believe the 
"perltidy.TMP" on Windows or Mac OS X etc would.

Thanks,

--
Murray McAllister / Red Hat Security Response Team
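The following is an added demonstration, not code from perltidy or from the message above. It shows the two behaviours the questions turn on: a fixed name opened with a plain 'w' mode follows a symlink an attacker planted at that name and overwrites the target, whereas sysopen with O_CREAT|O_EXCL fails with EEXIST on the planted path (a symlink counts as existing, even a dangling one), so nothing is written through it; File::Temp gives the unpredictable name, O_EXCL and mode 0600 in one call. One caveat relevant to the "return $name" question: POSIX is a core module, but POSIX::tmpnam() was removed in Perl 5.22, so on current Perls the eval fails and the fixed-name fallback is reached on every platform. The script assumes a POSIX system with symlink support; the directory, victim file and filenames are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example: predictable temp name vs. O_CREAT|O_EXCL vs. File::Temp.
# Not perltidy's code. Assumes a POSIX system where symlink() works.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempdir tempfile);
use IO::File;

# Scratch directory standing in for an attacker-controlled working directory.
my $dir = tempdir( CLEANUP => 1 );

# Victim file the attacker wants clobbered (constructed for the demo).
my $victim = File::Spec->catfile( $dir, 'victim.txt' );
write_file( $victim, "original contents\n" );

# Attacker plants the predictable name as a symlink pointing at the victim.
my $name = File::Spec->catfile( $dir, 'perltidy.TMP' );
symlink $victim, $name or die "symlink: $!";

# 1) Insecure pattern: IO::File->new($tmpfile, 'w') follows the symlink,
#    truncates the victim and writes into it.
{
    my $fh = IO::File->new( $name, 'w' ) or die "open: $!";
    print {$fh} "attacker-influenced data\n";
    $fh->close;
}
print "after plain 'w' open, victim contains: ", read_file($victim);

# Restore the victim for the second experiment.
write_file( $victim, "original contents\n" );

# 2) O_CREAT|O_EXCL: the open fails because the path already exists
#    (the planted symlink), so the victim is untouched.
if ( sysopen( my $sfh, $name, O_WRONLY | O_CREAT | O_EXCL, 0600 ) ) {
    die "unexpected: O_EXCL open succeeded on an existing path";
}
elsif ( $! == EEXIST ) {
    print "O_CREAT|O_EXCL refused the planted name: $!\n";
}
else {
    die "sysopen failed for another reason: $!";
}
print "after O_EXCL attempt, victim contains: ", read_file($victim);

# 3) Idiomatic fix: File::Temp chooses a random name under the system
#    temp directory, opens it with O_CREAT|O_EXCL and mode 0600, and
#    removes it at exit. No attacker can pre-create the name.
my ( $tfh, $tname ) = tempfile( 'perltidy.XXXXXXXX', TMPDIR => 1, UNLINK => 1 );
printf "File::Temp created %s with mode %04o\n", $tname, ( stat $tfh )[2] & 07777;
close $tfh;

# --- small helpers (part of this example only) ---
sub write_file {
    my ( $path, $data ) = @_;
    open my $out, '>', $path or die "write $path: $!";
    print {$out} $data;
    close $out or die "close $path: $!";
}

sub read_file {
    my ($path) = @_;
    open my $in, '<', $path or die "read $path: $!";
    local $/;
    my $data = <$in>;
    close $in;
    return $data;
}
```

Running it prints that the victim was overwritten after step 1, that step 2 failed with "File exists" and left the victim intact, and the 0600 mode of the File::Temp handle. O_EXCL therefore closes the symlink-clobbering race that the plain 'w' open at the end of the quoted code leaves open, but a fixed name in the working directory still lets an attacker deny service by pre-creating it, which is why File::Temp in the system temp directory is the usual replacement for both tmpnam() and the "perltidy.TMP" fallback.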
