Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 249629 (CVE-2008-5303)

Summary: <dev-lang/perl-5.8.8-r8 - File::Path multiple symlink attack vulnerabilities (CVE-2008-{5302,5303})
Product: Gentoo Security Reporter: stupendoussteve
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: wolf31o2
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922#36
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description stupendoussteve 2008-12-02 17:56:41 UTC 
Race condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to allows local users to delete arbitrary files via a symlink attack.

Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905
http://www.gossamer-threads.com/lists/perl/porters/233695
http://www.openwall.com/lists/oss-security/2008/11/28/2

Reproducible: Always
Comment 1 stupendoussteve 2008-12-02 18:13:02 UTC 
CVE-2008-5302: Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5302
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 18:31:16 UTC 
There's a patch in the Debian BTS, please apply. Perl herd, do you know if upstream is tracking these issues?
Comment 3 Torsten Veller (RETIRED) gentoo-dev 2009-01-28 10:02:47 UTC 
=dev-lang/perl-5.8.8-r6 is in the tree. It hopefully fixes what it is supposed to fix.

instead of the old perl-5.8.8-CAN-2005-0448-rmtree.patch it uses the patch from debian's 5.8.8-7etch6 (<http://git.debian.org/?p=perl/perl.git;a=commit;h=785f6c24dac9ad3cd73ad615fc00d522de1f8bec>)

@perl-team:
wrt https://bugs.gentoo.org/show_bug.cgi?id=79685#c14 and following:
do we need to apply this patch during src_install or does src_unpack work?
Please comment or help testing!

Masked.
Comment 4 Thomas Sachau gentoo-dev 2009-04-09 13:31:16 UTC 
Any progress here? Perl herd?
Comment 5 Torsten Veller (RETIRED) gentoo-dev 2009-05-27 08:19:52 UTC 
(In reply to comment #3)
> wrt https://bugs.gentoo.org/show_bug.cgi?id=79685#c14 and following:
> do we need to apply this patch during src_install or does src_unpack work?
> Please comment or help testing!
> 
> Masked.

Unmasked. Let's see how it fails in real.

If it fails we can remove the check from Errno like
<http://git.debian.org/?p=perl/perl.git;a=commitdiff;h=3aeef0d05733293d7bc48c5b235f8bec9c42f420>


Security, please proceed.

Thanks
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-11-14 09:14:01 UTC 
security: ping, you never replied back after May?
Comment 7 Torsten Veller (RETIRED) gentoo-dev 2009-12-11 08:15:48 UTC 
5.8.8-r8 is stable.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:11:14 UTC 
Added to pending GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-11-28 08:33:09 UTC 
This issue was resolved and addressed in
 GLSA 201311-17 at http://security.gentoo.org/glsa/glsa-201311-17.xml
by GLSA coordinator Sergey Popov (pinkbyte).