CPANSA-PAR-2011-01: PAR vulnerability

Publisher: giterlizzi
Document category: csaf_security_advisory
Initial release date: 2011-07-18T00:00:00
Engine: CSAF Perl Toolkit 0.25
Current release date: 2011-07-18T00:00:00
Current version: 1
Status: final
Language: en

Vulnerability Description

PAR packed files are extracted to unsafe and predictable temporary directories (this bug was originally reported against PAR::Packer, but it applies to PAR as well).

Vulnerabilities

CVE-2011-4114

Vulnerability Description

The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program. NOTE: a similar vulnerability was reported for PAR, but this has been assigned a different CVE identifier.

Weakness: CWE-264: Permissions, Privileges, and Access Controls
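
An added example, not taken from PAR or PAR::Packer: the ownership and permission check whose absence the description above names, written in C for a per-user directory at a predictable path. The function names, the `/tmp/par-demo-XXXXXX` scratch path and the three scenarios are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not PAR's code): 0 only if path is a real directory,
 * owned by the effective user, with no group/other permission bits. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;       /* lstat: never follow a symlink */
    if (!S_ISDIR(st.st_mode)) return -1;        /* symlink or file planted at the name */
    if (st.st_uid != geteuid()) return -1;      /* pre-created by another user */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return -1; /* others can tamper */
    return 0;
}

/* Create or reuse a predictable per-user directory; use it only if it passes. */
int open_cache_dir(const char *path)
{
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return -1;
    return dir_is_private(path);
}

/* Constructed scenarios in a scratch directory: 0 = fresh path,
 * 1 = directory already present and world-writable, 2 = symlink at the path. */
int run_case(int kind)
{
    char base[] = "/tmp/par-demo-XXXXXX", path[64], target[64];
    if (mkdtemp(base) == NULL) return -2;
    snprintf(path, sizeof path, "%s/par-user", base);
    snprintf(target, sizeof target, "%s/elsewhere", base);
    if (kind == 1 && (mkdir(path, 0700) != 0 || chmod(path, 0777) != 0)) return -2;
    if (kind == 2 && (mkdir(target, 0700) != 0 || symlink(target, path) != 0)) return -2;
    int rc = open_cache_dir(path);
    unlink(path); rmdir(path); rmdir(target); rmdir(base);   /* best-effort cleanup */
    return rc;
}

int main(void)
{
    for (int k = 0; k < 3; k++)
        printf("case %d -> %s\n", k, run_case(k) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Only the fresh path is accepted; the world-writable directory and the symlink are both rejected before anything is written. The different-owner branch cannot be exercised without a second account, so the constructed scenarios cover the mode and symlink checks only.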

Product status

Known affected
Product: PAR less than 1.003
CVSS Version: 2.0
CVSS Vector: AV:L/AC:M/Au:N/C:N/I:P/A:P
CVSS Base Score: 3.3
CVSS Base Severity: Low
Fixed

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

Revision history

Version: 1
Date of the revision: Mon Jul 18 00:00:00 2011
Summary of the revision: First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/