Hi all.
Note to "Securiteam": there's a link to the possible security problem report
at the bottom.
On Monday 22 September 2008, chromatic wrote:
> On Monday 22 September 2008 08:41:31 Michael G Schwern wrote:
> > Shlomi Fish wrote:
> > > Let's suppose Makefile.PL is world-writable. While the distro is being
> > > unpacked, a malicious user writes something like:
> > >
> > > {{{
> > > system('rm -fr $HOME');
> > > }}}
> > >
> > > to it, and after you come to the "perl Makefile.PL" stage - you lose
> > > your home-directory. ;-)
> >
> > Run that by me again how the Makefile.PL being world-writable has any
> > effect on that? If a Makefile.PL does an "rm -rf $HOME" and you run it,
> > it doesn't matter what permission flags are on the file. Your home
> > directory is gone.
>
> There's a race condition attack between the time the CPAN client *writes*
> the world-writeable file and the time the CPAN client *executes* the
> world-writeable file. During that time, anyone on the system can write
> anything to the file, replacing its legitimate and safe contents with
> malicious contents.
>
> That's completely orthogonal to the problem of the Build.PL/Makefile.PL
> containing malicious code.
>
Right. I decided that it was a major problem with how CPANPLUS handles such
situations (regardless to whether we are smoking or just installing) and
reported it here:
http://rt.cpan.org/Ticket/Display.html?id=39516
Please don't keep it more public than it is already until there's a good fix.
Regards,
Shlomi Fish
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
My Aphorisms - http://www.shlomifish.org/humour.html
Shlomi, so what are you working on? Working on a new wiki about unit testing
fortunes in freecell? -- Ran Eilam
