From 8ef6b073beb72e2e7c1ff97429a4c8a8f5129bb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> Date: Thu, 1 Jun 2017 14:34:26 +0200 Subject: Fix CVE-2017-6512
--- ...-2.12-Prevent-directory-chmod-race-attack.patch | 165 +++++++++++++++++++++ perl-File-Path.spec | 10 +- 2 files changed, 174 insertions(+), 1 deletion(-) create mode 100644 File-Path-2.12-Prevent-directory-chmod-race-attack.patch diff --git a/File-Path-2.12-Prevent-directory-chmod-race-attack.patch b/File-Path-2.12-Prevent-directory-chmod-race-attack.patch new file mode 100644 index 0000000..a280818 --- /dev/null +++ b/File-Path-2.12-Prevent-directory-chmod-race-attack.patch @@ -0,0 +1,165 @@ +From e9cc25a6109e9191bcbf59a967ed6c60b0156f72 Mon Sep 17 00:00:00 2001 +From: John Lightsey <j...@nixnuts.net> +Date: Tue, 2 May 2017 12:03:52 -0500 +Subject: [PATCH] Prevent directory chmod race attack. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2017-6512 is a race condition attack where the chmod() of directories +that cannot be entered is misused to change the permissions on other +files or directories on the system. This has been corrected by limiting +the directory-permission loosening logic to systems where fchmod() is +supported. + +Petr Písař: Ported to 2.12. + +Signed-off-by: Petr Písař <ppi...@redhat.com> +--- + lib/File/Path.pm | 39 +++++++++++++++++++++++++-------------- + t/Path.t | 40 ++++++++++++++++++++++++++-------------- + 2 files changed, 51 insertions(+), 28 deletions(-) + +diff --git a/lib/File/Path.pm b/lib/File/Path.pm +index 36f12cc..871f43a 100644 +--- a/lib/File/Path.pm ++++ b/lib/File/Path.pm +@@ -354,21 +354,32 @@ sub _rmtree { + + # see if we can escalate privileges to get in + # (e.g. funny protection mask such as -w- instead of rwx) +- $perm &= oct '7777'; +- my $nperm = $perm | oct '700'; +- if ( +- !( +- $arg->{safe} +- or $nperm == $perm +- or chmod( $nperm, $root ) +- ) +- ) +- { +- _error( $arg, +- "cannot make child directory read-write-exec", $canon ); +- next ROOT_DIR; ++ # This uses fchmod to avoid traversing outside of the proper ++ # location (CVE-2017-6512) ++ my $root_fh; ++ if (open($root_fh, '<', $root)) { ++ my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1]; ++ $perm &= oct '7777'; ++ my $nperm = $perm | oct '700'; ++ local $@; ++ if ( ++ !( ++ $arg->{safe} ++ or $nperm == $perm ++ or !-d _ ++ or $fh_dev ne $ldev ++ or $fh_inode ne $lino ++ or eval { chmod( $nperm, $root_fh ) } ++ ) ++ ) ++ { ++ _error( $arg, ++ "cannot make child directory read-write-exec", $canon ); ++ next ROOT_DIR; ++ } ++ close $root_fh; + } +- elsif ( !chdir($root) ) { ++ if ( !chdir($root) ) { + _error( $arg, "cannot chdir to child", $canon ); + next ROOT_DIR; + } +diff --git a/t/Path.t b/t/Path.t +index 5644f57..fffc49c 100755 +--- a/t/Path.t ++++ b/t/Path.t +@@ -3,7 +3,7 @@ + + use strict; + +-use Test::More tests => 127; ++use Test::More tests => 126; + use Config; + use Fcntl ':mode'; + use lib 't/'; +@@ -17,6 +17,13 @@ BEGIN { + + my $Is_VMS = $^O eq 'VMS'; + ++my $fchmod_supported = 0; ++if (open my $fh, curdir()) { ++ my ($perm) = (stat($fh))[2]; ++ $perm &= 07777; ++ eval { $fchmod_supported = chmod( $perm, $fh); }; ++} ++ + # first check for stupid permissions second for full, so we clean up + # behind ourselves + for my $perm (0111,0777) { +@@ -298,16 +305,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check"); + + is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef"); + +-$dir = catdir($tmp_base,'G'); +-$dir = VMS::Filespec::unixify($dir) if $Is_VMS; ++SKIP: { ++ skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported; ++ $dir = catdir($tmp_base,'G'); ++ $dir = VMS::Filespec::unixify($dir) if $Is_VMS; + +-@created = mkpath($dir, undef, 0200); ++ @created = mkpath($dir, undef, 0400); + +-is(scalar(@created), 1, "created write-only dir"); ++ is(scalar(@created), 1, "created read-only dir"); + +-is($created[0], $dir, "created write-only directory cross-check"); ++ is($created[0], $dir, "created read-only directory cross-check"); + +-is(rmtree($dir), 1, "removed write-only dir"); ++ is(rmtree($dir), 1, "removed read-only dir"); ++} + + # borderline new-style heuristics + if (chdir $tmp_base) { +@@ -449,26 +459,28 @@ SKIP: { + } + + SKIP : { +- my $skip_count = 19; ++ my $skip_count = 18; + # this test will fail on Windows, as per: + # http://perldoc.perl.org/perlport.html#chmod + + skip "Windows chmod test skipped", $skip_count + if $^O eq 'MSWin32'; ++ skip "fchmod() on directories is not supported on this platform", $skip_count ++ unless $fchmod_supported; + my $mode; + my $octal_mode; + my @inputs = ( +- 0777, 0700, 0070, 0007, +- 0333, 0300, 0030, 0003, +- 0111, 0100, 0010, 0001, +- 0731, 0713, 0317, 0371, 0173, 0137, +- 00 ); ++ 0777, 0700, 0470, 0407, ++ 0433, 0400, 0430, 0403, ++ 0111, 0100, 0110, 0101, ++ 0731, 0713, 0317, 0371, ++ 0173, 0137); + my $input; + my $octal_input; +- $dir = catdir($tmp_base, 'chmod_test'); + + foreach (@inputs) { + $input = $_; ++ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input)); + # We can skip from here because 0 is last in the list. + skip "Mode of 0 means assume user defaults on VMS", 1 + if ($input == 0 && $Is_VMS); +-- +2.9.4 + diff --git a/perl-File-Path.spec b/perl-File-Path.spec index 0f57792..1601e4f 100644 --- a/perl-File-Path.spec +++ b/perl-File-Path.spec @@ -1,11 +1,14 @@ Name: perl-File-Path Version: 2.12 -Release: 365%{?dist} +Release: 366%{?dist} Summary: Create or remove directory trees License: GPL+ or Artistic Group: Development/Libraries URL: http://search.cpan.org/dist/File-Path/ Source0: http://www.cpan.org/authors/id/R/RI/RICHE/File-Path-%{version}.tar.gz +# Fix CVE-2017-6512 (setting arbitrary mode on an arbitrary file in rmtree() +# and remove_tree()), bug #1457834, CPAN RT#121951, in upstream 2.13 +Patch0: File-Path-2.12-Prevent-directory-chmod-race-attack.patch BuildArch: noarch BuildRequires: coreutils BuildRequires: findutils @@ -41,6 +44,7 @@ depth and to delete an entire directory subtree from the file system. %prep %setup -q -n File-Path-%{version} +%patch0 -p1 %build perl Makefile.PL INSTALLDIRS=vendor @@ -60,6 +64,10 @@ make test %{_mandir}/man3/* %changelog +* Thu Jun 01 2017 Petr Pisar <ppi...@redhat.com> - 2.12-366 +- Fix CVE-2017-6512 (setting arbitrary mode on an arbitrary file in rmtree() + and remove_tree()) (bug #1457834) + * Sat May 14 2016 Jitka Plesnikova <jples...@redhat.com> - 2.12-365 - Increase release to favour standalone package -- cgit v1.1 https://src.fedoraproject.org/cgit/perl-File-Path.git/commit/?h=f25&id=8ef6b073beb72e2e7c1ff97429a4c8a8f5129bb1 _______________________________________________ perl-devel mailing list -- perl-devel@lists.fedoraproject.org To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org