Your message dated Mon, 12 Jun 2017 18:02:10 +0000
with message-id <e1dktfg-000ave...@fasolo.debian.org>
and subject line Bug#863870: fixed in perl 5.20.2-3+deb8u7
has caused the Debian Bug report #863870,
regarding perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl
Version: 5.26.0~rc1-1
Severity: critical
Justification: privilege escalation in library code

Similar to #286905, a new race condition has been reported in File-Path:

https://rt.cpan.org/Public/Bug/Display.html?id=121951

In the rmtree() and remove_tree() functions, the chmod() logic to make
directories traversable can be abused to set the mode on an
attacker-chosen file to an attacker-chosen value.  This is due to the
time-of-check-to-time-of-use (TOCTTOU) race condition
(https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
stat() that decides the inode is a directory and the chmod() that tries
to make it user-rwx.

Fixed on CPAN with 2.13.

--- End Message ---
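The report above describes a window between the stat() that classifies a name as a directory and the chmod() applied to that same name. The following is an added example (Python, not File::Path's code or its 2.13 fix) of the race-free pattern a defender wants here: open the directory without following symlinks, inspect the object actually opened, and change the mode through the descriptor rather than by path name. The names make_traversable and demo, and the temporary directory tree the demo constructs, are assumptions of this example.

```python
"""Race-free 'make this directory user-rwx' step (example code, not File::Path's)."""
import os
import stat
import tempfile


def make_traversable(path):
    """Ensure the owner has rwx on the directory at `path`.

    Returns True when `path` is a real directory and is now user-rwx,
    False when it is not a directory (for example a symlink swapped in
    under that name). The mode change is issued on the open descriptor,
    so it can only land on the inode that was inspected, never on
    whatever the name points at a moment later.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY
    try:
        fd = os.open(path, flags)
    except OSError:
        # ELOOP (symlink) or ENOTDIR (plain file): refuse instead of
        # chmod-ing the current target of the name.
        return False
    try:
        st = os.fstat(fd)            # describes the object we actually opened
        if not stat.S_ISDIR(st.st_mode):
            return False             # belt and braces; O_DIRECTORY already enforces this
        if (st.st_mode & 0o700) != 0o700:
            os.fchmod(fd, (st.st_mode & 0o7777) | 0o700)  # fd-based, no path re-lookup
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a read-only directory (rmtree could not unlink its
    children) and a symlink to a private file planted under a directory-like
    name. Returns the outcomes so they can be checked."""
    base = tempfile.mkdtemp()
    locked = os.path.join(base, "locked")
    victim = os.path.join(base, "victim")
    link = os.path.join(base, "link")
    os.mkdir(locked, 0o500)
    with open(victim, "w") as f:
        f.write("owner-private\n")
    os.chmod(victim, 0o600)
    os.symlink(victim, link)
    result = {
        "dir_fixed": make_traversable(locked),
        "dir_mode": stat.S_IMODE(os.stat(locked).st_mode),
        "link_refused": not make_traversable(link),
        "victim_mode": stat.S_IMODE(os.stat(victim).st_mode),  # must stay 0o600
    }
    for p in (link, victim):
        os.remove(p)
    os.rmdir(locked)
    os.rmdir(base)
    return result
```

The symlink case is refused at open() time by O_NOFOLLOW, so the private file keeps its original mode; the read-only directory is opened, verified with fstat(), and widened to 0o700 through fchmod().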
--- Begin Message ---
Source: perl
Source-Version: 5.20.2-3+deb8u7

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 03 Jun 2017 13:11:53 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u7
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Closes: 863870
Description: 
 libperl5.20 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes:
 perl (5.20.2-3+deb8u7) jessie-security; urgency=high
 .
   * [CVE-2017-6512] Fix file permissions race condition in File-Path;
     patch from John Lightsey (Closes: #863870)
   * Also fix test logic in ExtUtils-MakeMaker required for the above


--- End Message ---