From 8ef6b073beb72e2e7c1ff97429a4c8a8f5129bb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Thu, 1 Jun 2017 14:34:26 +0200
Subject: Fix CVE-2017-6512
---
...-2.12-Prevent-directory-chmod-race-attack.patch | 165 +++++++++++++++++++++
perl-File-Path.spec | 10 +-
2 files changed, 174 insertions(+), 1 deletion(-)
create mode 100644 File-Path-2.12-Prevent-directory-chmod-race-attack.patch
diff --git a/File-Path-2.12-Prevent-directory-chmod-race-attack.patch
b/File-Path-2.12-Prevent-directory-chmod-race-attack.patch
new file mode 100644
index 0000000..a280818
--- /dev/null
+++ b/File-Path-2.12-Prevent-directory-chmod-race-attack.patch
@@ -0,0 +1,165 @@
+From e9cc25a6109e9191bcbf59a967ed6c60b0156f72 Mon Sep 17 00:00:00 2001
+From: John Lightsey <j...@nixnuts.net>
+Date: Tue, 2 May 2017 12:03:52 -0500
+Subject: [PATCH] Prevent directory chmod race attack.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2017-6512 is a race condition attack where the chmod() of directories
+that cannot be entered is misused to change the permissions on other
+files or directories on the system. This has been corrected by limiting
+the directory-permission loosening logic to systems where fchmod() is
+supported.
+
+Petr Písař: Ported to 2.12.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/File/Path.pm | 39 +++++++++++++++++++++++++--------------
+ t/Path.t | 40 ++++++++++++++++++++++++++--------------
+ 2 files changed, 51 insertions(+), 28 deletions(-)
+
+diff --git a/lib/File/Path.pm b/lib/File/Path.pm
+index 36f12cc..871f43a 100644
+--- a/lib/File/Path.pm
++++ b/lib/File/Path.pm
+@@ -354,21 +354,32 @@ sub _rmtree {
+
+ # see if we can escalate privileges to get in
+ # (e.g. funny protection mask such as -w- instead of rwx)
+- $perm &= oct '7777';
+- my $nperm = $perm | oct '700';
+- if (
+- !(
+- $arg->{safe}
+- or $nperm == $perm
+- or chmod( $nperm, $root )
+- )
+- )
+- {
+- _error( $arg,
+- "cannot make child directory read-write-exec", $canon
);
+- next ROOT_DIR;
++ # This uses fchmod to avoid traversing outside of the proper
++ # location (CVE-2017-6512)
++ my $root_fh;
++ if (open($root_fh, '<', $root)) {
++ my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1];
++ $perm &= oct '7777';
++ my $nperm = $perm | oct '700';
++ local $@;
++ if (
++ !(
++ $arg->{safe}
++ or $nperm == $perm
++ or !-d _
++ or $fh_dev ne $ldev
++ or $fh_inode ne $lino
++ or eval { chmod( $nperm, $root_fh ) }
++ )
++ )
++ {
++ _error( $arg,
++ "cannot make child directory read-write-exec",
$canon );
++ next ROOT_DIR;
++ }
++ close $root_fh;
+ }
+- elsif ( !chdir($root) ) {
++ if ( !chdir($root) ) {
+ _error( $arg, "cannot chdir to child", $canon );
+ next ROOT_DIR;
+ }
+diff --git a/t/Path.t b/t/Path.t
+index 5644f57..fffc49c 100755
+--- a/t/Path.t
++++ b/t/Path.t
+@@ -3,7 +3,7 @@
+
+ use strict;
+
+-use Test::More tests => 127;
++use Test::More tests => 126;
+ use Config;
+ use Fcntl ':mode';
+ use lib 't/';
+@@ -17,6 +17,13 @@ BEGIN {
+
+ my $Is_VMS = $^O eq 'VMS';
+
++my $fchmod_supported = 0;
++if (open my $fh, curdir()) {
++ my ($perm) = (stat($fh))[2];
++ $perm &= 07777;
++ eval { $fchmod_supported = chmod( $perm, $fh); };
++}
++
+ # first check for stupid permissions second for full, so we clean up
+ # behind ourselves
+ for my $perm (0111,0777) {
+@@ -298,16 +305,19 @@ is($created[0], $dir, "created directory (old style 3
mode undef) cross-check");
+
+ is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef");
+
+-$dir = catdir($tmp_base,'G');
+-$dir = VMS::Filespec::unixify($dir) if $Is_VMS;
++SKIP: {
++ skip "fchmod of directories not supported on this platform", 3 unless
$fchmod_supported;
++ $dir = catdir($tmp_base,'G');
++ $dir = VMS::Filespec::unixify($dir) if $Is_VMS;
+
+-@created = mkpath($dir, undef, 0200);
++ @created = mkpath($dir, undef, 0400);
+
+-is(scalar(@created), 1, "created write-only dir");
++ is(scalar(@created), 1, "created read-only dir");
+
+-is($created[0], $dir, "created write-only directory cross-check");
++ is($created[0], $dir, "created read-only directory cross-check");
+
+-is(rmtree($dir), 1, "removed write-only dir");
++ is(rmtree($dir), 1, "removed read-only dir");
++}
+
+ # borderline new-style heuristics
+ if (chdir $tmp_base) {
+@@ -449,26 +459,28 @@ SKIP: {
+ }
+
+ SKIP : {
+- my $skip_count = 19;
++ my $skip_count = 18;
+ # this test will fail on Windows, as per:
+ # http://perldoc.perl.org/perlport.html#chmod
+
+ skip "Windows chmod test skipped", $skip_count
+ if $^O eq 'MSWin32';
++ skip "fchmod() on directories is not supported on this platform",
$skip_count
++ unless $fchmod_supported;
+ my $mode;
+ my $octal_mode;
+ my @inputs = (
+- 0777, 0700, 0070, 0007,
+- 0333, 0300, 0030, 0003,
+- 0111, 0100, 0010, 0001,
+- 0731, 0713, 0317, 0371, 0173, 0137,
+- 00 );
++ 0777, 0700, 0470, 0407,
++ 0433, 0400, 0430, 0403,
++ 0111, 0100, 0110, 0101,
++ 0731, 0713, 0317, 0371,
++ 0173, 0137);
+ my $input;
+ my $octal_input;
+- $dir = catdir($tmp_base, 'chmod_test');
+
+ foreach (@inputs) {
+ $input = $_;
++ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
+ # We can skip from here because 0 is last in the list.
+ skip "Mode of 0 means assume user defaults on VMS", 1
+ if ($input == 0 && $Is_VMS);
+--
+2.9.4
+
diff --git a/perl-File-Path.spec b/perl-File-Path.spec
index 0f57792..1601e4f 100644
--- a/perl-File-Path.spec
+++ b/perl-File-Path.spec
@@ -1,11 +1,14 @@
Name: perl-File-Path
Version: 2.12
-Release: 365%{?dist}
+Release: 366%{?dist}
Summary: Create or remove directory trees
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/File-Path/
Source0:
http://www.cpan.org/authors/id/R/RI/RICHE/File-Path-%{version}.tar.gz
+# Fix CVE-2017-6512 (setting arbitrary mode on an arbitrary file in rmtree()
+# and remove_tree()), bug #1457834, CPAN RT#121951, in upstream 2.13
+Patch0: File-Path-2.12-Prevent-directory-chmod-race-attack.patch
BuildArch: noarch
BuildRequires: coreutils
BuildRequires: findutils
@@ -41,6 +44,7 @@ depth and to delete an entire directory subtree from the file
system.
%prep
%setup -q -n File-Path-%{version}
+%patch0 -p1
%build
perl Makefile.PL INSTALLDIRS=vendor
@@ -60,6 +64,10 @@ make test
%{_mandir}/man3/*
%changelog
+* Thu Jun 01 2017 Petr Pisar <ppi...@redhat.com> - 2.12-366
+- Fix CVE-2017-6512 (setting arbitrary mode on an arbitrary file in rmtree()
+ and remove_tree()) (bug #1457834)
+
* Sat May 14 2016 Jitka Plesnikova <jples...@redhat.com> - 2.12-365
- Increase release to favour standalone package
--
cgit v1.1
https://src.fedoraproject.org/cgit/perl-File-Path.git/commit/?h=f25&id=8ef6b073beb72e2e7c1ff97429a4c8a8f5129bb1
_______________________________________________
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
