[Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

Steve Langasek 2043711 at bugs.launchpad.net
Tue Nov 21 15:55:57 UTC 2023


On Mon, Nov 20, 2023 at 08:50:05PM -0000, Andrew J. Caines wrote:
> You are of course quite right that the risk associated with a file
> created with a "random" six character case-insensitive alphanumeric
> suffix and run a moment later is far smaller than more obviously risky
> misuses of /tmp.

No.  The use of a random filename is not a security feature; it is a
mechanism to avoid filename *collisions* (either accidental or as part of a
denial of service).

> or if the code checks for the presence of the file before trying to create
> it (which I trust it does)

That is not how you securely handle temp files.

I'm sorry, but you have a very incomplete understanding of how secure temp
file handling works.

You have /tmp mounted noexec on your system.  This is fine, and
supported.

It is not a protection against vulnerable system code.  It is a mechanism to
protect against attackers writing payload code to /tmp and then
executing it.

System software must handle temp files under /tmp securely *independently of
whether the files it's writing are intended to be executed*.

You have something on your system trying to write a file to /tmp and then
execute it.  That should be fixed.  But it's not a bug in perl, and it's not
a bug in apt-utils, and it's entirely unclear what code is doing this since
this is not part of the standard debconf code path.

If you can identify where this is coming from in Ubuntu, we can reassign the
bug report and get it fixed.

The rest is off-topic for an Ubuntu bug report.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
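An added illustration of the temp-file point made above (example C code, not code from this thread, from perl or from debconf; the directory under /tmp, the path names and the simulated interleaving are constructed for the demonstration): a "check, then create" sequence leaves a window in which a file already sitting at the path is silently reused, while O_CREAT|O_EXCL, or mkstemp(3), makes the check and the create one atomic operation and refuses the pre-existing file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*interleave_fn)(const char *path);
/* Insecure "check, then create": whatever lands at `path` between access()
 * and open() is silently reused, so the check bought nothing. */
int check_then_create(const char *path, interleave_fn during_window) {
    if (access(path, F_OK) == 0) { errno = EEXIST; return -1; }
    if (during_window) during_window(path);          /* the TOCTOU window */
    return open(path, O_WRONLY | O_CREAT, 0600);
}
/* Secure: check and create are one atomic syscall; a file or symlink that
 * already sits at `path` makes open() fail with EEXIST instead of being used. */
int create_exclusive(const char *path, interleave_fn before) {
    if (before) before(path);            /* same interference, nothing to win */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Stand-in for another local user planting a world-readable file at `path`. */
void plant_file(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0) { fchmod(fd, 0644); close(fd); }   /* fchmod ignores umask */
}
/* Permission bits of the open file; 0600 means we created it ourselves. */
int mode_of(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}
/* Runs both patterns plus mkstemp(3) (random name and O_EXCL in one call) in a
 * fresh private directory.  Returns 0 if all outcomes match; bits name failures. */
int run_demo(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", p1[64], p2[64], t[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(p1, sizeof p1, "%s/a", dir);
    snprintf(p2, sizeof p2, "%s/b", dir);
    snprintf(t, sizeof t, "%s/cXXXXXX", dir);
    int rc = 0, fd1 = check_then_create(p1, plant_file);
    if (fd1 < 0 || mode_of(fd1) != 0644) rc |= 2;   /* tricked into the planted file */
    if (create_exclusive(p2, plant_file) != -1 || errno != EEXIST) rc |= 4;
    int fd3 = mkstemp(t);
    if (fd3 < 0 || mode_of(fd3) != 0600) rc |= 8;   /* fresh 0600 file, name by libc */
    if (fd1 >= 0) close(fd1);
    if (fd3 >= 0) close(fd3);
    unlink(p1); unlink(p2); unlink(t); rmdir(dir);
    return rc;
}
```

The random-suffix point from the reply holds here too: mkstemp's name randomness only avoids collisions, and it is the O_EXCL create inside it that makes the result safe.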

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to perl in Ubuntu.
https://bugs.launchpad.net/bugs/2043711

Title:
  Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

Status in perl package in Ubuntu:
  Invalid

Bug description:
  During update of ubuntu-drivers-common:

    Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, <GEN0> line 1.
    open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
    Preconfiguring packages ...
    Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, <GEN0> line 1.
    open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

  /tmp is mounted with noexec because running code from /tmp has been a
  vulnerability vector for several decades, hence reporting this as a
  vulnerability in perl-base.

  This error did not appear to prevent the update of ubuntu-drivers-common
  and "dpkg --verify ubuntu-drivers-common" returns 0.

  ___________________________________________________________________________________________________________

  Attempting to use the package search on this form by clicking the 🔍
  created a modal in which there is an error

    Sorry, something went wrong with your search. We've recorded what
  happened, and we'll fix it as soon as possible. (Error ID:
  OOPS-c80f71590b02908a1187b9f743c53eac)

  which is repeated with any attempt to search for a package.

  ___________________________________________________________________________________________________________

  Submitting this form gives an error

    "perl-base" does not exist in Ubuntu. Please choose a different
  package. If you're unsure, please select "I don't know"

    $ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
    perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
    $ dpkg -l perl-base
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name           Version           Architecture Description
    +++-==============-=================-============-=============================>
    ii  perl-base      5.34.0-3ubuntu1.2 amd64        minimal Perl system

  Looks like a package to me. Nevertheless, using "Did you mean..."
  offers "perl".

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: perl-base 5.34.0-3ubuntu1.2
  ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3
  Uname: Linux 6.5.0-1007-oem x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Nov 16 10:08:48 2023
  InstallationDate: Installed on 2016-04-23 (2763 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  ProcEnviron:
   TERM=rxvt
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: perl
  UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago)
