https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5932
Summary: audit SA for use of File::Path::rmtree() due to security bug
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: All
Status: NEW
Severity: major
Priority: P5
Component: Libraries
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
http://rt.cpan.org/Public/Bug/Display.html?id=36982 :
'as reported in <http://bugs.debian.org/487319>, when rmtree() encounters
a symlink, it will change the permissions of the link target to the
permissions of the link, usually 0777.

% touch foo
% ln -s foo bar
% ls -l foo bar
lrwxrwxrwx 1 niko niko 3 2008-06-21 09:06 bar -> foo
-rw-r--r-- 1 niko niko 0 2008-06-21 09:06 foo
% perl -e 'use File::Path rmtree; rmtree bar'
% ls -l foo bar
ls: cannot access bar: No such file or directory
-rwxrwxrwx 1 niko niko 0 2008-06-21 09:06 foo

This is with Perl 5.10.0, containing File-Path 2.04, but I have verified
it with the 2.06_04 CPAN version too.'
We should establish that this can't be used to attack other local users via
SA...
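
A self-check for the behaviour quoted in the report, added here as an example (it is not SpamAssassin or File::Path code): it repeats the foo/bar session inside a private temporary directory and reports whether the installed File::Path changed the link target's mode. The helper name rmtree_chmods_link_target is hypothetical and the file names are constructed.

```perl
#!/usr/bin/perl
# Added example, not SpamAssassin or File::Path code.
use strict;
use warnings;
use File::Path ();
use File::Temp qw(tempdir);

# Hypothetical helper: returns 1 if rmtree() on a symlink changed the mode of
# the link target, 0 if the mode was left alone, undef if symlinks are
# unavailable on this platform.
sub rmtree_chmods_link_target {
    my $dir    = tempdir(CLEANUP => 1);    # private scratch directory
    my $target = "$dir/foo";               # constructed names, as in the report
    my $link   = "$dir/bar";

    open(my $fh, '>', $target) or die "cannot create $target: $!";
    close($fh);
    chmod(0644, $target) or die "cannot chmod $target: $!";

    # symlink() raises an exception where it is not implemented.
    my $made = eval { symlink('foo', $link) };
    return unless $made;

    my $before = (stat($target))[2] & 07777;
    File::Path::rmtree($link);

    # stat() follows links, so this reads the real file's mode.
    my @st = stat($target) or die "link target vanished: $!";
    my $after = $st[2] & 07777;

    printf "mode before %04o, after %04o\n", $before, $after;
    return $before == $after ? 0 : 1;
}

my $affected = rmtree_chmods_link_target();
my $version  = File::Path->VERSION;
if (!defined $affected) {
    print "symlinks not supported here; check skipped\n";
} elsif ($affected) {
    print "File::Path $version changes the link target's mode\n";
    exit 1;
} else {
    print "File::Path $version left the link target's mode unchanged\n";
}
```

The script exits non-zero when the mode changed, so it can gate a build or deployment check on hosts where other local users can write to directories that get cleaned with rmtree().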