CVE-2011-4114
low
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
3.3
Description
The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program. NOTE: a similar vulnerability was reported for PAR, but this has been assigned a different CVE identifier.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.012-1 |
| sid | Fixed | 1.012-1 |
| forky | Fixed | 1.012-1 |
| bullseye | Fixed | 1.012-1 |
| bookworm | Fixed | 1.012-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| roderich_schupp | par-packer_module | {"endIncluding":"1.011"} | |
| roderich_schupp | par-packer_module | 0.63 | |
| roderich_schupp | par-packer_module | 0.64 | |
| roderich_schupp | par-packer_module | 0.65 | |
| roderich_schupp | par-packer_module | 0.66 | |
| roderich_schupp | par-packer_module | 0.67 | |
| roderich_schupp | par-packer_module | 0.68 | |
| roderich_schupp | par-packer_module | 0.69 | |
| roderich_schupp | par-packer_module | 0.70 | |
| roderich_schupp | par-packer_module | 0.71 | |
| roderich_schupp | par-packer_module | 0.72 | |
| roderich_schupp | par-packer_module | 0.73 | |
| roderich_schupp | par-packer_module | 0.74 | |
| roderich_schupp | par-packer_module | 0.75 | |
| roderich_schupp | par-packer_module | 0.76 | |
| roderich_schupp | par-packer_module | 0.77 | |
| roderich_schupp | par-packer_module | 0.78 | |
| roderich_schupp | par-packer_module | 0.79 | |
| roderich_schupp | par-packer_module | 0.80 | |
| roderich_schupp | par-packer_module | 0.81 | |
| roderich_schupp | par-packer_module | 0.82 | |
| roderich_schupp | par-packer_module | 0.83 | |
| roderich_schupp | par-packer_module | 0.85 | |
| roderich_schupp | par-packer_module | 0.86 | |
| roderich_schupp | par-packer_module | 0.87 | |
| roderich_schupp | par-packer_module | 0.88 | |
| roderich_schupp | par-packer_module | 0.89 | |
| roderich_schupp | par-packer_module | 0.90 | |
| roderich_schupp | par-packer_module | 0.91 | |
| roderich_schupp | par-packer_module | 0.92 | |
| roderich_schupp | par-packer_module | 0.93 | |
| roderich_schupp | par-packer_module | 0.94 | |
| roderich_schupp | par-packer_module | 0.941 | |
| roderich_schupp | par-packer_module | 0.942 | |
| roderich_schupp | par-packer_module | 0.951 | |
| roderich_schupp | par-packer_module | 0.952 | |
| roderich_schupp | par-packer_module | 0.953 | |
| roderich_schupp | par-packer_module | 0.954 | |
| roderich_schupp | par-packer_module | 0.955 | |
| roderich_schupp | par-packer_module | 0.956 | |
| roderich_schupp | par-packer_module | 0.957 | |
| roderich_schupp | par-packer_module | 0.958 | |
| roderich_schupp | par-packer_module | 0.959 | |
| roderich_schupp | par-packer_module | 0.960 | |
| roderich_schupp | par-packer_module | 0.970 | |
| roderich_schupp | par-packer_module | 0.973 | |
| roderich_schupp | par-packer_module | 0.975 | |
| roderich_schupp | par-packer_module | 0.976 | |
| roderich_schupp | par-packer_module | 0.977 | |
| roderich_schupp | par-packer_module | 0.978 | |
| roderich_schupp | par-packer_module | 0.979 | |
| roderich_schupp | par-packer_module | 0.980 | |
| roderich_schupp | par-packer_module | 0.981 | |
| roderich_schupp | par-packer_module | 0.982 | |
| roderich_schupp | par-packer_module | 0.991 | |
| roderich_schupp | par-packer_module | 0.992_01 | |
| roderich_schupp | par-packer_module | 0.992_02 | |
| roderich_schupp | par-packer_module | 0.992_03 | |
| roderich_schupp | par-packer_module | 0.992_04 | |
| roderich_schupp | par-packer_module | 0.992_05 | |
| roderich_schupp | par-packer_module | 0.992_06 | |
| roderich_schupp | par-packer_module | 1.000 | |
| roderich_schupp | par-packer_module | 1.001 | |
| roderich_schupp | par-packer_module | 1.002 | |
| roderich_schupp | par-packer_module | 1.003 | |
| roderich_schupp | par-packer_module | 1.004 | |
| roderich_schupp | par-packer_module | 1.005 | |
| roderich_schupp | par-packer_module | 1.006 | |
| roderich_schupp | par-packer_module | 1.007 | |
| roderich_schupp | par-packer_module | 1.008 | |
| roderich_schupp | par-packer_module | 1.009 | |
| roderich_schupp | par-packer_module | 1.010 | |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071091.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071099.html
- http://www.openwall.com/lists/oss-security/2011/11/04/2
- http://www.openwall.com/lists/oss-security/2011/11/04/4
- https://bugzilla.redhat.com/show_bug.cgi?id=753955
- https://rt.cpan.org/Public/Bug/Display.html?id=69560
- https://security-tracker.debian.org/tracker/CVE-2011-4114
CWEs
CWE-264
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.