Your message dated Fri, 09 Jan 2009 01:52:21 +0000
with message-id <e1ll6xt-0006a6...@ries.debian.org>
and subject line Bug#286922: fixed in perl 5.8.8-7etch5
has caused the Debian Bug report #286922,
regarding perl-modules: File::Path::rmtree removes arbitrary
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
286922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Following on from the "File::Path::rmtree makes setuid" issue, I notice
that rmtree may be tricked into removing arbitrary files.

Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:

  mkdir /tmp/psz
  perl -e 'open F, ">/tmp/psz/$_" foreach (1..1000)'
  touch /tmp/psz/passwd

While root is busy working on /tmp/psz (and this can be made as slow as
we like), attacker does:

  mv /tmp/psz /tmp/dummy
  ln -s /etc /tmp/psz

Root will then remove /etc/passwd.

Maybe it should be documented that rmtree must only be used if you can
be sure to have exclusive access to the tree.

Cheers,

Paul Szabo - p...@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction 



--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.8.8-7etch5

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.8-7etch5_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch5_all.deb
libperl-dev_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.8-7etch5_i386.deb
libperl5.8_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.8-7etch5_i386.deb
perl-base_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-base_5.8.8-7etch5_i386.deb
perl-debug_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-debug_5.8.8-7etch5_i386.deb
perl-doc_5.8.8-7etch5_all.deb
  to pool/main/p/perl/perl-doc_5.8.8-7etch5_all.deb
perl-modules_5.8.8-7etch5_all.deb
  to pool/main/p/perl/perl-modules_5.8.8-7etch5_all.deb
perl-suid_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-suid_5.8.8-7etch5_i386.deb
perl_5.8.8-7etch5.diff.gz
  to pool/main/p/perl/perl_5.8.8-7etch5.diff.gz
perl_5.8.8-7etch5.dsc
  to pool/main/p/perl/perl_5.8.8-7etch5.dsc
perl_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl_5.8.8-7etch5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <nt...@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.7
Date: Thu, 20 Nov 2008 22:45:54 +0200
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: source i386 all
Version: 5.8.8-7etch5
Distribution: stable-security
Urgency: high
Maintainer: Brendan O'Dea <b...@debian.org>
Changed-By: Niko Tyni <nt...@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 286905 286922
Changes: 
 perl (5.8.8-7etch5) stable-security; urgency=high
 .
   * SECURITY [CAN-2005-0448]: re-rewrite File::Path::rmtree to avoid race
     condition which allows an attacker with write permission on
     directories in the tree being removed to make files setuid or to
     remove arbitrary files (Closes: #286905, #286922).
     .
     The race condition was fixed in 5.8.4-7 but re-introduced in 5.8.8-1.

--- End Message ---
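The changelog above says the fix avoids the race by no longer trusting the path while the tree is being walked. As an added illustration (written for this page, not the Debian perl fix and not Perl), here is the same defence in Python: every delete is done relative to an open directory descriptor, child directories are opened with O_NOFOLLOW, and their (dev, ino) must match what the parent listed. The `before_open` hook and the `demo` function are test scaffolding that replays the report's mv + ln -s swap on constructed temporary directories.

```python
import os
import stat
import tempfile

def _remove_children(dir_fd, before_open=lambda name: None):
    # All operations are relative to an open directory fd (openat semantics),
    # so a renamed or symlinked path component cannot redirect the deletion.
    names = [e.name for e in os.scandir(dir_fd)]
    for name in names:
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if not stat.S_ISDIR(st.st_mode):
            os.unlink(name, dir_fd=dir_fd)  # file or symlink: removes the entry, never its target
            continue
        before_open(name)  # test hook: the window in which the report's mv + ln -s happens
        fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
        try:
            now = os.fstat(fd)  # must still be the inode the parent listed
            if (now.st_dev, now.st_ino) != (st.st_dev, st.st_ino):
                raise RuntimeError("%s was replaced while being removed" % name)
            _remove_children(fd, before_open)
        finally:
            os.close(fd)
        os.rmdir(name, dir_fd=dir_fd)

def safe_rmtree(path, before_open=lambda name: None):
    """Remove `path` and everything under it; a symlink at the top is refused."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _remove_children(fd, before_open)
    finally:
        os.close(fd)
    os.rmdir(path)

def demo(swap_to_symlink):
    """Constructed replay: 'psz' becomes a symlink to a fake /etc (or a fresh dir) just before entry."""
    top, etc = tempfile.mkdtemp(), tempfile.mkdtemp()
    open(os.path.join(etc, "passwd"), "w").close()
    psz = os.path.join(top, "psz")
    os.mkdir(psz)
    open(os.path.join(psz, "junk"), "w").close()
    def swap(name):
        if name == "psz":
            os.rename(psz, os.path.join(top, "dummy"))
            os.symlink(etc, psz) if swap_to_symlink else os.mkdir(psz)
    try:
        safe_rmtree(top, before_open=swap)
        aborted = False
    except (OSError, RuntimeError):
        aborted = True
    return aborted, os.path.exists(os.path.join(etc, "passwd"))  # (walk aborted, passwd survived)
```

In the symlink case the O_NOFOLLOW open fails outright; in the fresh-directory case the inode comparison fires. Either way the walk stops and nothing under the fake /etc is touched.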