Salvatore Bonaccorso
2011-Dec-02 06:36 UTC
[Secure-testing-team] Bug#650707: libpar-perl: PAR packed files are extracted to unsafe and predictable temporary directories
Package: libpar-perl
Version: 1.002-1
Severity: important
Tags: security

Hi

Changelog for new upstream release of libpar-perl contains:

[Changes for 1.004 - Nov 30, 2011]

- back out r1241: it causes errors in PAR::Packer's test suite
- change "unsafe directory" error message to match the wording used by PAR::Packer
- remove "debian" sub directory: it isn't released to CPAN and Debian will supply its own anyway
- remove some cruft from MANIFEST.SKIP

[Changes for 1.003 - Nov 28, 2011]

- RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and predictable temporary directories
  (Note: this bug was originally reported against PAR::Packer, but it applies to PAR as well)
  - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
  - if it already exists, make sure that (and bail out if not)
    - it's not a symlink
    - it's mode 0700
    - it's owned by USER
- Fix a problem packing XML::LibXSLT on Windows (see the thread starting with http://www.nntp.perl.org/group/perl.par/2011/02/msg4919.html)
- Die (with a hopefully useful message) if any error is encountered during an Archive::Zip extract operation

Versions before 1.003 had the issue that PAR packed files are extracted to unsafe and predictable temporary directories [1].

[1] https://rt.cpan.org/Public/Bug/Display.html?id=69560

This is CVE-2011-4114.

Regards
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
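The checks the 1.003 changelog lists for the /tmp/par-USER cache directory (create with mode 0700; if it already exists, bail out unless it is not a symlink, is mode 0700 and is owned by USER) are the standard defence against a local attacker pre-creating a predictable temporary directory. The following is an added example, not code from the bug report or from PAR itself (which is written in Perl): it reimplements those checks in Python on a Unix system, using a hypothetical function name secure_cache_dir and a constructed set of attack scenarios (a planted symlink, a world-writable directory, a directory owned by someone else) inside a scratch directory.

```python
import os
import shutil
import stat
import tempfile


class UnsafeDirectory(RuntimeError):
    """Raised when an existing cache directory fails the safety checks.

    The exception message carries the path; .reason carries the check that failed.
    """

    def __init__(self, path, reason):
        super().__init__(f"{path}: {reason}")
        self.reason = reason


def secure_cache_dir(parent, name, uid=None):
    """Create or validate a per-user cache directory such as /tmp/par-USER.

    Hypothetical helper mirroring the PAR 1.003 changelog: create the directory
    with mode 0700; if it already exists, refuse to use it unless it is a real
    directory (not a symlink), its mode is exactly 0700 and it is owned by
    `uid` (default: the calling user). Returns the path on success.
    """
    if uid is None:
        uid = os.getuid()
    path = os.path.join(parent, name)
    try:
        os.mkdir(path, 0o700)
        # The umask can only clear bits, but normalise anyway so the checks
        # below hold even under an unusual umask (we just created it, so it is
        # ours to chmod).
        os.chmod(path, 0o700)
    except FileExistsError:
        pass  # pre-existing entry: it must pass every check below
    # lstat, not stat: a symlink planted by another local user must be seen as
    # a symlink rather than silently followed to wherever it points.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeDirectory(path, "is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeDirectory(path, "not a directory")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        raise UnsafeDirectory(path, f"mode is {mode:04o}, expected 0700")
    if st.st_uid != uid:
        raise UnsafeDirectory(path, f"owned by uid {st.st_uid}, expected {uid}")
    return path


def demo():
    """Run secure_cache_dir against constructed scenarios in a scratch directory.

    Returns {scenario: "ok" | "rejected: <reason>"} and removes the scratch tree.
    """
    base = tempfile.mkdtemp(prefix="par-demo-")
    results = {}

    def attempt(label, name, **kw):
        try:
            secure_cache_dir(base, name, **kw)
            results[label] = "ok"
        except UnsafeDirectory as exc:
            results[label] = "rejected: " + exc.reason

    try:
        attempt("fresh", "par-user")      # nothing there yet: created as 0700
        attempt("reuse", "par-user")      # our own 0700 directory: accepted
        # Attacker pre-creates the predictable name as a symlink to a directory
        # they control, hoping the victim extracts files into it.
        os.mkdir(os.path.join(base, "attacker-owned"), 0o755)
        os.symlink(os.path.join(base, "attacker-owned"), os.path.join(base, "par-victim"))
        attempt("symlink", "par-victim")
        # Attacker pre-creates the name as a world-writable directory.
        os.mkdir(os.path.join(base, "par-open"), 0o777)
        os.chmod(os.path.join(base, "par-open"), 0o777)
        attempt("world_writable", "par-open")
        # Directory owned by a different uid (simulated by asking for uid+1,
        # since the demo cannot chown without privileges).
        attempt("wrong_owner", "par-user", uid=os.getuid() + 1)
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:15s} {outcome}")
```

The mode check is deliberately an exact comparison rather than "no group/other write bits": a 0750 directory would still let other members of the group list the extracted files, and the changelog's wording ("it's mode 0700") is the stricter one. Checking ownership matters even when the mode is right, because a mode-0700 directory owned by the attacker is readable by the attacker, not by USER.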