Bug 75696

Summary:

dev-lang/perl: File::Path::rmtree tmpfile vulnerability (CAN-2004-0452)

Product:

Gentoo Security

Reporter:

Aarni Honka <aarni.honka>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

minor

CC:

mcummings, perl

Priority:

High

Version:

unspecified

Hardware:

All

OS:

All

URL:

http://secunia.com/advisories/13643/

Whiteboard:

B3 [gsla] jaervosz

Package list:

Runtime testing required:

---

Bug Depends on:

Bug Blocks:

78634

Attachments:

Description	Flags
file_path_rmtree.patch	none

Description Aarni Honka 2004-12-26 06:01:42 UTC

TITLE:
Perl "File::Path::rmtree" Race Condition

SECUNIA ADVISORY ID:
SA13643

VERIFY ADVISORY:
http://secunia.com/advisories/13643/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
Perl 5.x
http://secunia.com/product/2647/

DESCRIPTION:
Paul Szabo has reported a vulnerability in Perl "File::Path::rmtree",
allowing malicious, local users to gain escalated privileges.

The vulnerability is caused due to a race condition in the way
"File::Path::rmtree" changes permissions on files before deleting
them. This can be exploited by creating a symbolic link to arbitrary
files.

Successful exploitation may allow changing permissions or removing
arbitrary files, if root uses an application using the vulnerable
code to delete files.

SOLUTION:
Do not use applications, which use "File::Path::rmtree", on systems
with untrusted users.

PROVIDED AND/OR DISCOVERED BY:
Paul Szabo

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2004-12-28 02:27:44 UTC

Still looking for a patch for this.

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2004-12-29 06:55:33 UTC

Created attachment 47116 [details, diff]
file_path_rmtree.patch

Patch from Chip Turner (RedHat)

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2004-12-29 07:06:25 UTC

"Fix for CAN-2004-0452.  Change chmod's to make files writable/executable
by the current user only and not by the entire world.  chmod's necessary
in the first place but at least this makes them less dangerous.  If, for
some reason the rm process dies halfway through, at worst some files and
dirs were revoked from others, not made available."

Path tested with success (ignoring whitespace changes):

$ patch --dry-run -l -p3 -d /usr/lib/perl5/5.8.4/File < file_path_rmtree.patch
patching file Path.pm
Hunk #1 succeeded at 196 (offset 12 lines).
Hunk #2 succeeded at 230 (offset 12 lines).
Hunk #3 succeeded at 252 (offset 12 lines).

Perl team: please apply patch.

Comment 4 Michael Cummings (RETIRED) gentoo-dev

2005-01-26 03:00:25 UTC

Just a note that I will be working on this today and post when done/trouble occurs.

Comment 5 Michael Cummings (RETIRED) gentoo-dev

2005-01-26 07:45:24 UTC

OK, ready for posting whenever.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-01-26 08:37:06 UTC

Micheal please commit if ready.

Comment 7 Michael Cummings (RETIRED) gentoo-dev

2005-01-26 09:30:23 UTC

Ebuilds posted. Updated ebuilds are:

perl-5.8.2-r2.ebuild
perl-5.8.4-r2.ebuild
perl-5.8.5-r3.ebuild
perl-5.8.6-r2.ebuild

Comment 8 Thierry Carrez (RETIRED) gentoo-dev

2005-01-26 12:42:26 UTC

GLSA 200501-38

Comment 9 Paul Szabo 2005-01-26 13:20:22 UTC

Dear Gentoo people,

Just changing the chmod to 0700 and 0600 instead of 0777 and 0666
does NOT solve the issue. The chmod change was for another, but related,
problem. See bugs.debian.org/286905 and 286922.

Cheers,

Paul Szabo  psz@maths.usyd.edu.au

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-01-26 13:36:42 UTC

Paul thanks for the notification. Back to ebuild status.

Comment 11 Thierry Carrez (RETIRED) gentoo-dev

2005-01-27 02:07:20 UTC

Clearing this up...

We applied the RedHat patch (the same Debian applied for DSA-620 and Ubuntu for USN-44) but apparently this is not sufficient to avoid all exploitable race conditions. So this is a new bug, one that currently has no fix... and no CAN number yet, so I'll open another bug about it.