Roger Dover wrote:
> The script wants to set a shared library world writable.
> This is a security risk.

Thank you for the report. However I am not sure this is actually a problem. Also please say how you instrumented your system in order to have received that error notification.

I believe the chmod you are referencing is not actually in sa-compile. I think it is in Perl's Install.pm which is part of the perl-modules package. It does this immediately before unlinking the target file.

In /usr/share/perl/5.14.2/ExtUtils/Install.pm file:

    sub _unlink_or_rename { #XXX OS-SPECIFIC
        my ( $file, $tryhard, $installing )= @_;

        _chmod( 0666, $file );
        my $unlink_count = 0;
        while (unlink $file) { $unlink_count++; }
        return $file if $unlink_count > 0;
        ...

Therefore there isn't much way for an attacker to attack those files since they are unlinked immediately afterward. However if there is then this bug should be assigned to the perl-modules package owning the Install.pm file.

It would be good if you as the issue reporter could verify this since you have already instrumented your system for the test. I suggest temporarily setting up the test by editing your local copy of the file /usr/share/perl/5.14.2/ExtUtils/Install.pm to comment out the chmod line noted above. If after doing that you no longer see those notifications then you have verified that the issue is the presence of those lines in the Install.pm file. You can restore the original file after the completion of the test.

Please report your findings.

Bob
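Added illustration, not part of the original message and not code from ExtUtils::Install: a removal step that tries unlink first and, only if that fails, adds the owner write bit instead of setting mode 0666. The sub name unlink_without_widening and the temporary demo file are hypothetical.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical helper (not from ExtUtils::Install): remove $file without
# ever adding group or world write permission to it.
sub unlink_without_widening {
    my ($file) = @_;
    return 1 unless -e $file || -l $file;    # nothing to remove

    # On POSIX systems unlink needs write permission on the containing
    # directory, not on the file, so try it before touching the mode.
    return 1 if unlink $file;

    # Fallback for platforms where a read-only file cannot be deleted:
    # keep the existing permission bits and add only owner write (0200).
    my $mode = ( stat $file )[2];
    return 0 unless defined $mode;
    chmod( ( $mode & 07777 ) | 0200, $file ) or return 0;
    return unlink($file) ? 1 : 0;
}

# Constructed demo: a read-only file in a private temporary directory.
my $dir  = tempdir( CLEANUP => 1 );
my $file = File::Spec->catfile( $dir, 'demo.so' );
open( my $fh, '>', $file ) or die "open: $!";
print {$fh} "constructed sample\n";
close $fh;
chmod 0444, $file or die "chmod: $!";

my $before = ( stat $file )[2] & 07777;
my $ok     = unlink_without_widening($file);
printf "mode before removal: %04o, removed: %s, still exists: %s\n",
    $before, ( $ok ? 'yes' : 'no' ), ( -e $file ? 'yes' : 'no' );
```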