| Field | Value |
|---|---|
| Summary | <dev-lang/perl-5.8.8-r8 - File::Path multiple symlink attack vulnerabilities (CVE-2008-{5302,5303}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | stupendoussteve |
| Assignee | Gentoo Security <security> |
| CC | wolf31o2 |
| URL | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922#36 |
| Whiteboard | A2 [glsa] |
| Package list | |
| Runtime testing required | --- |

Description
stupendoussteve
2008-12-02 17:56:41 UTC
CVE-2008-5302: Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5302

There's a patch in the Debian BTS, please apply.

Perl herd, do you know if upstream is tracking these issues?

=dev-lang/perl-5.8.8-r6 is in the tree. It hopefully fixes what it is supposed to fix. Instead of the old perl-5.8.8-CAN-2005-0448-rmtree.patch it uses the patch from Debian's 5.8.8-7etch6 (<http://git.debian.org/?p=perl/perl.git;a=commit;h=785f6c24dac9ad3cd73ad615fc00d522de1f8bec>)

@perl-team: wrt https://bugs.gentoo.org/show_bug.cgi?id=79685#c14 and following: do we need to apply this patch during src_install or does src_unpack work? Please comment or help testing!

Masked.

Any progress here? Perl herd?

(In reply to comment #3)
> wrt https://bugs.gentoo.org/show_bug.cgi?id=79685#c14 and following:
> do we need to apply this patch during src_install or does src_unpack work?
> Please comment or help testing!
>
> Masked.

Unmasked. Let's see how it fails in real. If it fails we can remove the check from Errno like <http://git.debian.org/?p=perl/perl.git;a=commitdiff;h=3aeef0d05733293d7bc48c5b235f8bec9c42f420>

Security, please proceed. Thanks

security: ping, you never replied back after May?

5.8.8-r8 is stable.

Added to pending GLSA request.

This issue was resolved and addressed in GLSA 201311-17 at http://security.gentoo.org/glsa/glsa-201311-17.xml by GLSA coordinator Sergey Popov (pinkbyte).