
This queue is for tickets about the PAR-Packer CPAN distribution.

Report information
The Basics
Id: 69560
Status: resolved
Priority: 0/
Queue: PAR-Packer

People
Owner: Nobody in particular
Requestors: john [...] nixnuts.net
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



Subject: PAR packed files are extracted to unsafe and predictable temporary directories
par_mktmpdir() makes no effort to verify that the /tmp/par-<username> directory is safe to use (owned by the correct UID and GID, not world writable, no symlinks in the path that are owned by another user.)

This makes PAR packed scripts unsafe on multiuser systems. Example:

1) start with a clean /tmp (reboot the system, tmpwatch, etc.)
2) attacker does mkdir /tmp/par-victim
3) victim runs a PAR packed program
4) attacker now moves the cache directory aside and copies it back to its original location so that she owns all of the files and can modify them at will.
5) victim runs the PAR packed program again and is now executing attacker's code.
On 2011-07-18 22:16:46, lightsey wrote:

> par_mktmpdir() makes no effort to verify that the /tmp/par-<username>
> directory is safe to use (owned by the correct UID and GID, not world
> writable, no symlinks in the path that are owned by another user.)
>
> This makes PAR packed scripts unsafe on multiuser systems.
Yawn. Where does it say that they are safe? If you're really concerned about safety you should use per-user temp directories, not for PAR::Packer, but in general.

Cheers,
Roderich
This bug has been assigned CVE-2011-4114
Presumably, one could at least have a build-time option for pp (not packaging time, but PAR::Packer compilation time) that enables some extra measures:

    perl Makefile.PL --paranoid
    make test && make install

a) assert ownership of all directories and files under $TMPDIR/par-$USER
b) assert that other can't write. (How portable would this be?)

Doing this by default would make the cached-startup slow enough to not warrant caching at all. That would make PAR::Packer useless for all but the most trivial scripts. Think about it. If any other executable would have to scan the entire perl source tree before starting, it'd be slower to boot than java.

Right now, the proper way to get entirely safe PAR'd executables is to set an alternate extraction/cache directory. See "man PAR::Environment".
On 2011-11-05 06:04:02, SMUELLER wrote:

> a) assert ownership of all directories and files under $TMPDIR/par-$USER
> b) assert that other can't write. (How portable would this be?)
I don't think that's really necessary. We should (on *nix):

- create $TMPDIR/par-$USER with mode 0700 if it doesn't already exist
- if it exists, check that it's owned by $USER and still mode 0700 (otherwise we bail out)

Am I overlooking something obvious here? I checked what Gnome's orbit daemon does (it creates sockets for clients to connect to under /tmp/orbit-$USER) and it does the above.

Cheers,
Roderich
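The create-or-verify rule proposed in the reply above, written out as an added Perl example. This is not code from the ticket or from PAR::Packer's own par_mktmpdir(); the function name safe_mktmpdir, the par-$< directory name and the sandbox directory built with File::Temp are assumptions made for the illustration. It creates the cache directory with mode 0700 when absent, and when something already exists at that path it refuses to use it unless lstat() shows a real directory (not a symlink) owned by the current real uid with mode exactly 0700, which is what stops the move-aside-and-copy-back sequence from the original report: the copied-back directory would carry the wrong owner.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(:mode);
use File::Spec;
use File::Temp qw(tempdir);

# Create the per-user cache directory, or verify an existing one is ours and private.
# Returns the path on success; dies with a reason otherwise.
sub safe_mktmpdir {
    my ($dir) = @_;

    # Fast path: we created it, so we own it. umask may have stripped bits, so
    # force the mode explicitly.
    if (mkdir $dir, 0700) {
        chmod 0700, $dir or die "chmod $dir: $!";
        return $dir;
    }
    die "mkdir $dir: $!" unless $! == EEXIST;

    # Something is already at that path. Use lstat so a symlink is reported as a
    # symlink rather than as whatever it points to.
    my @st = lstat $dir or die "lstat $dir: $!";
    my ($mode, $uid) = @st[2, 4];

    die "$dir is a symlink, refusing to use it\n"       if S_ISLNK($mode);
    die "$dir is not a directory\n"                      unless S_ISDIR($mode);
    die "$dir is owned by uid $uid, not by us (uid $<)\n" if $uid != $<;
    die sprintf("%s has mode %04o, expected 0700\n", $dir, $mode & 07777)
        if ($mode & 07777) != 0700;

    return $dir;
}

# --- demonstration in a constructed sandbox (stands in for $TMPDIR) ---
my $base  = tempdir(CLEANUP => 1);
my $cache = File::Spec->catdir($base, "par-$<");   # mirrors the /tmp/par-<user> naming

print "fresh create: ", safe_mktmpdir($cache), "\n";
print "re-use ok:    ", safe_mktmpdir($cache), "\n";

# Case 1: directory exists but is no longer private (mode loosened).
chmod 0755, $cache or die "chmod: $!";
eval { safe_mktmpdir($cache) };
print "loosened mode -> refused: $@";
rmdir $cache or die "rmdir: $!";

# Case 2: a symlink sits where the directory is expected.
symlink $base, $cache or die "symlink: $!";
eval { safe_mktmpdir($cache) };
print "symlink in place -> refused: $@";
unlink $cache;
```

The ownership test deliberately compares against the real uid ($<) rather than $USER, since the environment variable is attacker-controllable while the uid is not; and the mode test requires exactly 0700 instead of merely "not world-writable", matching the stricter rule in the reply.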
Fixed in PAR 1.005 and PAR::Packer 1.012 (for *nix only)