Re: CVE request: unsafe use of /tmp in multiple CPAN modules

[Solar Designer <solar () openwall com>]

On Fri, Nov 04, 2011 at 01:14:46PM -0500, John Lightsey wrote:
> On 11/04/2011 11:36 AM, Solar Designer wrote:
> > On Fri, Nov 04, 2011 at 09:46:45AM -0500, John Lightsey wrote:
> > > PAR::Packer - PAR packed files are extracted to unsafe and predictable
> > > temporary directories
> > >
> > > https://rt.cpan.org/Public/Bug/Display.html?id=69560
> >
> > I think that your description for this one happens to encourage a poor
> > fix for it.  Specifically, starting the description by "par_mktmpdir()
> > makes no effort to verify that the /tmp/par-<username> directory is safe
> > to use" may result in this function being patched to do such checks,
> > which I think would be a poor fix.  A better fix would be to properly
> > create a temporary files directory, with a less predictable name and
> > with due retries (with new names) if the directory already exists -
> > preferably using File::Temp's tempdir().
>
> The problem with using random directory names here is that the
> /tmp/par-user directory is being used as a caching mechanism to avoid
> extracting the PAR contents over and over.

Oh, I did not realize that.

> A better alternative may be
> to use $ENV{'HOME'}/.par or something along those lines.

Makes sense to me.  Use of env vars is unsafe in a potentially SUID
script, but I don't know what the current policy regarding this is in
CPAN.  Are CPAN modules by default supposed to be safe for use in SUID
Perl scripts or not - I guess not, or we'd have plenty of CVE ids for
those issues by now?  An alternative would be to find the home
directory path from the real UID.

Alexander