Your message dated Mon, 07 Mar 2005 01:47:15 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#286905: fixed in perl 5.8.4-7
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Dec 2004 23:00:05 +0000
From [EMAIL PROTECTED] Wed Dec 22 15:00:05 2004
Return-path: <[EMAIL PROTECTED]>
Received: from talus.maths.usyd.edu.au [129.78.68.1]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1ChFSe-0001bR-00; Wed, 22 Dec 2004 15:00:04 -0800
Received: from pisa.maths.usyd.edu.au ([EMAIL PROTECTED]) [129.78.69.136]
by siv.maths.usyd.edu.au via smtpdoor V18.4
id 310557 for [EMAIL PROTECTED]; Thu, 23 Dec 2004 10:00:01 +1100
Message-Id: <[EMAIL PROTECTED]>
Received: from [EMAIL PROTECTED] by pisa.maths.usyd.edu.au (8.12.3/8.1/Submit)
id iBMN00bf011682; Thu, 23 Dec 2004 10:00:00 +1100
From: Paul Szabo <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: perl-modules: File::Path::rmtree removes arbitrary
X-Mailer: reportbug 1.50
Date: Thu, 23 Dec 2004 10:00:00 +1100
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.9 required=4.0 tests=BAYES_00,HAS_PACKAGE,
MSGID_FROM_MTA_HEADER,WEIRD_PORT autolearn=no
version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole
Following on from the "File::Path::rmtree makes setuid" issue, I notice
that rmtree may be tricked into removing arbitrary files.
Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:
mkdir /tmp/psz
perl -e 'open F, ">/tmp/psz/$_" foreach (1..1000)'
touch /tmp/psz/passwd
While root is busy working on /tmp/psz (and this can be made as slow as
we like), attacker does:
mv /tmp/psz /tmp/dummy
ln -s /etc /tmp/psz
Root will then remove /etc/passwd.
Maybe it should be documented that rmtree must only be used if you can
be sure to have exclusive access to the tree.
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23
13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
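The race Paul describes is a classic time-of-check/time-of-use problem: the old rmtree walked the tree by re-resolving full path strings, so once the attacker renames /tmp/psz away and drops a symlink in its place, every remaining "/tmp/psz/<name>" resolves through the symlink into /etc. The fix that closed this bug rewrote rmtree to work relative to already-open directories. The following is an added example (not code from File::Path, from Paul Szabo or from Debian) that reproduces the swap against a path-based delete and against a dir_fd-based one. The function names (naive_rmtree, safe_rmtree), the race_hook argument used to make the attacker win the race deterministically, and the victim/psz/dummy tree are assumptions constructed for the demonstration; it needs a platform with dir_fd support (Linux).

```python
"""Added example (not File::Path, Paul Szabo's or Debian's code): the
symlink-swap race from the bug report, run against a path-based recursive
delete and against one that works relative to open directory fds.
Names (naive_rmtree, safe_rmtree, race_hook) and the constructed tree are
assumptions for the demo.  Requires dir_fd support (os.supports_dir_fd)."""
import os
import shutil
import stat
import tempfile


def naive_rmtree(path, race_hook=None):
    """Path-string recursion like the old File::Path::rmtree.  Every step
    resolves the full path again, so replacing `path` with a symlink after
    the listing is taken redirects the remaining unlinks."""
    names = os.listdir(path)
    if race_hook:
        race_hook()                        # attacker acts while root is "busy"
    for name in names:
        full = os.path.join(path, name)
        try:
            st = os.lstat(full)            # 'path' is re-resolved: follows the new symlink
        except FileNotFoundError:
            continue                       # old rmtree warned and carried on
        if stat.S_ISDIR(st.st_mode):
            naive_rmtree(full)
        else:
            os.unlink(full)                # after the swap this hits victim/passwd
    os.rmdir(path)


def safe_rmtree(path, race_hook=None):
    """Open the parent once, then use only names relative to open directory
    fds.  Renaming an ancestor no longer changes what the unlinks hit, and
    the final rmdir refuses a symlink (ENOTDIR)."""
    path = os.path.abspath(path)
    parent_fd = os.open(os.path.dirname(path), os.O_RDONLY | os.O_DIRECTORY)
    try:
        _rm_at(parent_fd, os.path.basename(path), race_hook)
    finally:
        os.close(parent_fd)


def _rm_at(parent_fd, name, race_hook):
    st = os.lstat(name, dir_fd=parent_fd)  # never follows the final component
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(name, dir_fd=parent_fd)  # a symlink is removed, not followed
        return
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                 dir_fd=parent_fd)
    try:
        fst = os.fstat(fd)
        # Catches a directory swapped for a different directory between lstat and open.
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise OSError("directory replaced between lstat and open: %r" % name)
        names = os.listdir(fd)
        if race_hook:
            race_hook()
        for child in names:
            _rm_at(fd, child, None)        # relative to fd: the swap cannot redirect these
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=parent_fd)       # NotADirectoryError if 'name' is now a symlink


def simulate(root, rmtree):
    """Constructed stand-in for the report's scenario under `root`:
    victim/passwd plays /etc/passwd, psz is the tree root cleans up, and the
    hook performs 'mv psz dummy; ln -s victim psz' mid-deletion.
    Returns True if victim/passwd survived."""
    victim, psz, dummy = (os.path.join(root, d) for d in ("victim", "psz", "dummy"))
    os.mkdir(victim)
    open(os.path.join(victim, "passwd"), "w").close()
    os.mkdir(psz)
    for name in [str(i) for i in range(5)] + ["passwd"]:   # stand-in for the 1000 files
        open(os.path.join(psz, name), "w").close()

    def swap():
        os.rename(psz, dummy)
        os.symlink(victim, psz)

    try:
        rmtree(psz, race_hook=swap)
    except NotADirectoryError:
        pass   # both fail the final rmdir on the symlink; what matters is what got unlinked
    return os.path.exists(os.path.join(victim, "passwd"))


def run_both():
    """Returns (naive_survived, safe_survived); expected (False, True)."""
    out = []
    for rmtree in (naive_rmtree, safe_rmtree):
        root = tempfile.mkdtemp()
        try:
            out.append(simulate(root, rmtree))
        finally:
            shutil.rmtree(root)
    return tuple(out)


def honest_removal_works():
    """Without an attacker, safe_rmtree removes a nested tree completely and
    unlinks a symlink inside it instead of following it."""
    root = tempfile.mkdtemp()
    try:
        tree = os.path.join(root, "a")
        os.makedirs(os.path.join(tree, "b", "c"))
        open(os.path.join(tree, "b", "c", "f"), "w").close()
        os.symlink(root, os.path.join(tree, "link"))
        safe_rmtree(tree)
        return not os.path.lexists(tree) and os.path.isdir(root)
    finally:
        shutil.rmtree(root)
```

Run run_both() to see the two outcomes side by side: the path-based version loses victim/passwd, the fd-based version empties the renamed directory and then stops with ENOTDIR when it finds a symlink where the directory used to be. This is the same technique Python's own shutil.rmtree adopted from 3.3 on (lstat/fstat dev and inode comparison, then unlink and rmdir with dir_fd), and it is the safe answer to Paul's closing remark: rather than documenting that rmtree needs exclusive access to the tree, make the deletion not depend on the path staying put.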
---------------------------------------
Received: (at 286905-close) by bugs.debian.org; 7 Mar 2005 06:53:04 +0000
From [EMAIL PROTECTED] Sun Mar 06 22:53:04 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1D8C6y-0000XC-00; Sun, 06 Mar 2005 22:53:04 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1D8C1L-0001OJ-00; Mon, 07 Mar 2005 01:47:15 -0500
From: Brendan O'Dea <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#286905: fixed in perl 5.8.4-7
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 07 Mar 2005 01:47:15 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 11
Source: perl
Source-Version: 5.8.4-7
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.8.4-7_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb
libperl-dev_5.8.4-7_i386.deb
to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb
libperl-dev_5.8.4-7_powerpc.deb
to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb
libperl-dev_5.8.4-7_sparc.deb
to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb
libperl5.8_5.8.4-7_i386.deb
to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb
libperl5.8_5.8.4-7_powerpc.deb
to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb
libperl5.8_5.8.4-7_sparc.deb
to pool/main/p/perl/libperl5.8_5.8.4-7_sparc.deb
perl-base_5.8.4-7_i386.deb
to pool/main/p/perl/perl-base_5.8.4-7_i386.deb
perl-base_5.8.4-7_powerpc.deb
to pool/main/p/perl/perl-base_5.8.4-7_powerpc.deb
perl-base_5.8.4-7_sparc.deb
to pool/main/p/perl/perl-base_5.8.4-7_sparc.deb
perl-debug_5.8.4-7_i386.deb
to pool/main/p/perl/perl-debug_5.8.4-7_i386.deb
perl-debug_5.8.4-7_powerpc.deb
to pool/main/p/perl/perl-debug_5.8.4-7_powerpc.deb
perl-debug_5.8.4-7_sparc.deb
to pool/main/p/perl/perl-debug_5.8.4-7_sparc.deb
perl-doc_5.8.4-7_all.deb
to pool/main/p/perl/perl-doc_5.8.4-7_all.deb
perl-modules_5.8.4-7_all.deb
to pool/main/p/perl/perl-modules_5.8.4-7_all.deb
perl-suid_5.8.4-7_i386.deb
to pool/main/p/perl/perl-suid_5.8.4-7_i386.deb
perl-suid_5.8.4-7_powerpc.deb
to pool/main/p/perl/perl-suid_5.8.4-7_powerpc.deb
perl-suid_5.8.4-7_sparc.deb
to pool/main/p/perl/perl-suid_5.8.4-7_sparc.deb
perl_5.8.4-7.diff.gz
to pool/main/p/perl/perl_5.8.4-7.diff.gz
perl_5.8.4-7.dsc
to pool/main/p/perl/perl_5.8.4-7.dsc
perl_5.8.4-7_i386.deb
to pool/main/p/perl/perl_5.8.4-7_i386.deb
perl_5.8.4-7_powerpc.deb
to pool/main/p/perl/perl_5.8.4-7_powerpc.deb
perl_5.8.4-7_sparc.deb
to pool/main/p/perl/perl_5.8.4-7_sparc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brendan O'Dea <[EMAIL PROTECTED]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 7 Mar 2005 10:22:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl
libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc
Version: 5.8.4-7
Distribution: unstable
Urgency: low
Maintainer: Brendan O'Dea <[EMAIL PROTECTED]>
Changed-By: Brendan O'Dea <[EMAIL PROTECTED]>
Description:
libperl-dev - Perl library: development files
libperl5.8 - Shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - The Pathologically Eclectic Rubbish Lister
perl-debug - Debug-enabled Perl interpreter
perl-suid - Runs setuid Perl scripts
Closes: 178243 198855 250877 255919 256731 263325 275142 281091 281092 281437
286905 286922 289709
Changes:
perl (5.8.4-7) unstable; urgency=low
.
* SECURITY [CAN-2005-0448]: rewrite File::Path::rmtree to avoid race
condition which allows an attacker with write permission on
directories in the tree being removed to make files setuid or to
remove arbitrary files (closes: #286905, #286922). Supersedes
the previous patch for CAN-2004-0452.
.
* Add PERL_DEBUGGING_MSTATS for debugperl (closes: #178243).
* Escape dashes in verbatim text to have groff render them as-is
rather than as \x{2010} (closes: #250877).
.
* CGI: handle escaped newlines in URLs (closes: #289709).
* Net::NNTP: fix precedence error in article routine (closes: #275142).
* Devel::Dprof: refer to executable as `perl' (closes: #198855).
* Remove spurious undefined warning in getopts.pl (closes: #255919).
* Remove XSI-isms from maintainer scripts (closes: #256731).
* Revise MakeMaker patch to defer expansion of $(MANnEXT) until
runtime (closes: #263325).
.
* Normalise case of a2p man page OPTIONS section, place optional
filename in brackets (closes: #281091, #281092).
.
* Fix octal glitch in perlreref(1) (closes: #281437).
* Have perl suggest both ReadLine variants (gnu, perl).
* Upgrade suggestion on perl-doc to recommends now that dselect is
less pedantic about the latter.
Files:
06d6c960bf7c8b7b7ce66e73bc689a86 3509162 perl standard perl_5.8.4-7_powerpc.deb
11a48c92fe6046185a1003394c28c1f9 7052380 doc optional perl-doc_5.8.4-7_all.deb
15d16eb40fc29280a13b901aa6f4d70a 775246 base required
perl-base_5.8.4-7_sparc.deb
2e89765c8eedf6af4fd3636a3922539c 3547364 perl standard perl_5.8.4-7_sparc.deb
3692cc87735524ef57ceeed24d60f686 567012 libdevel optional
libperl-dev_5.8.4-7_i386.deb
3aa29703d71dbb2fa5f9c4b8b8b203c7 624940 libdevel optional
libperl-dev_5.8.4-7_powerpc.deb
463e43a1c602f74a385bd414e5f752a8 3840696 perl optional
perl-debug_5.8.4-7_sparc.deb
4e7ab56ca74d59f1d98c3147a3a71138 3736402 perl optional
perl-debug_5.8.4-7_i386.deb
61d993933b3a08b0049462a802766220 31698 perl optional perl-suid_5.8.4-7_i386.deb
6b236605cdb5beb02219ad1f2bb198f8 1034 libs optional
libperl5.8_5.8.4-7_powerpc.deb
6dc36144aca73c10ec9f324117f3acde 38036 perl extra
libcgi-fast-perl_5.8.4-7_all.deb
c861bb89e40c2723b2ce9f0525b22e6b 726 perl standard perl_5.8.4-7.dsc
8347b722dbee125c18d631bf5ca474ac 31032 perl optional
perl-suid_5.8.4-7_sparc.deb
8d2973686564a7444c23847da092d840 3700708 perl optional
perl-debug_5.8.4-7_powerpc.deb
95e330d949521ee026a7148b4ca014d5 2178102 perl standard
perl-modules_5.8.4-7_all.deb
987b4cfbb284707e1f84f66a72232b5e 508830 libs optional
libperl5.8_5.8.4-7_i386.deb
9db0cfba5fc66c4a0c8279606a91bd94 1034 libs optional
libperl5.8_5.8.4-7_sparc.deb
9f4c86deaa8aa3f377d4ce8ccf3cda76 789658 base required
perl-base_5.8.4-7_powerpc.deb
ab32aebec33b748b0ccaf0e52cb77a69 582240 libdevel optional
libperl-dev_5.8.4-7_sparc.deb
bd4a96454f9a6b6dca5fcc54a24fe350 86680 perl standard perl_5.8.4-7.diff.gz
e4418c5838c05452631dbd1d561a2312 751654 base required
perl-base_5.8.4-7_i386.deb
e69b276f51914a16eb2d6ac5e09f4f96 33576 perl optional
perl-suid_5.8.4-7_powerpc.deb
fab241c803816d886180d671ac0334f2 3238062 perl standard perl_5.8.4-7_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCK/Y68NyOALKMWZURAuCYAKCxlPgMf40kHc1sF1iiHMOOiVA7AQCcCA/h
mpgXx7fsS2scjvHL021Ieto=
=8WTG
-----END PGP SIGNATURE-----