Michael G Schwern wrote in perl.makemaker :
> Rafael Garcia-Suarez wrote:
>> Michael G Schwern wrote in perl.makemaker :
>>> Before I get a zillion bug reports about this... as a result of a
>>> lightly broken security fix, Debian stable ships with a slightly
>>> broken File::Path::rmtree() that cannot delete read-only directories.
>>> Ubuntu may also be affected. This causes an ExtUtils::Command test to
>>> fail.
>>
>> If I remember correctly, this patch hasn't been applied in blead or in
>> maint ?
>
> I believe an equivalent patch was.
>
> [ 23953] By: rgs on 2005/02/09 09:28:19
> Log: Patch for CAN-2004-0452 by Jeroen van Wolffelaar.
> The rmtree() function in the perl File::Path module would remove
> directories in an insecure manner which could lead to the removal
> of arbitrary files and directories via a symlink attack.
> Branch: perl
> ! lib/File/Path.pm

I don't think that this patch is harmful, since it only affects permissions of directories for other group/users; also, since it has been applied to bleadperl, and since ExtUtils::Command is part of bleadperl, a test failure would have been noticed much earlier.

> And here's the Debian patch file from perl-base stable for comparison.
> http://ftp.debian.org/debian/pool/main/p/perl/perl_5.8.4-8sarge5.diff.gz
>
> perl-base in testing contains no such patch.
> http://ftp.debian.org/debian/pool/main/p/perl/perl_5.8.8-6.1.diff.gz
>
> I haven't reported this upstream, I don't have a Debian stable box handy at
> the moment.

--
Somehow "no change" has become the definition du jour of "vendor product" in order to minimize QA and support costs.
-- Jeff Johnson in rpm-devel
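A quick way to tell whether the installed File::Path has the read-only-directory problem the thread describes is to build a throwaway tree with a mode 0555 directory in it and see whether rmtree() removes it. This is an added check script, not code from the thread or from perl's File::Path; it assumes it is run as an unprivileged user, since root can unlink entries in a read-only directory regardless.

```perl
#!/usr/bin/perl
# Added check script (not from the thread): does this perl's
# File::Path::rmtree() remove a tree that contains a read-only directory?
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(mkpath rmtree);
use File::Spec;

# Work under a fresh temporary directory so nothing real is touched.
my $base = tempdir(CLEANUP => 0);
my $top  = File::Spec->catdir($base, 'tree');
my $ro   = File::Spec->catdir($top, 'readonly');
mkpath($ro);

# Put a file inside, then make the directory itself read-only: unlinking
# the file requires write permission on $ro, which is what the Debian
# rmtree() described above no longer grants itself.
my $file = File::Spec->catfile($ro, 'f.txt');
open my $fh, '>', $file or die "open $file: $!";
close $fh;
chmod 0555, $ro or die "chmod $ro: $!";

# Run as root this test is meaningless: root ignores directory modes.
warn "running as root; result will not reflect the bug\n" if $> == 0;

rmtree($top);

if (-d $top) {
    print "AFFECTED: rmtree() left $top behind (File::Path $File::Path::VERSION)\n";
    chmod 0755, $ro;    # restore write permission so cleanup can succeed
    rmtree($top);
} else {
    print "OK: rmtree() removed the read-only directory (File::Path $File::Path::VERSION)\n";
}
rmtree($base);
```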
