Race condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to delete arbitrary files via a symlink attack.
CVE-2008-5302: Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack.
There's a patch in the Debian BTS, please apply. Perl herd, do you know if upstream is tracking these issues?
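Added illustration, not part of the original thread and not the Perl or Debian patch: a recursive delete avoids the symlink race described above by resolving every entry relative to an already-open directory descriptor and refusing to follow links. It is written in Python rather than Perl and is more general than File::Path; `safe_rmtree` and `demo` are hypothetical names, the directory layout is constructed, and a POSIX system is assumed.

```python
import os
import tempfile

# POSIX only: open the directory itself and refuse a symlink as last component.
# Note: O_NOFOLLOW guards only the final component of the top-level path.
_OPEN_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def safe_rmtree(path, dir_fd=None):
    """Delete the tree at `path` without following symlinks, even swapped-in ones."""
    before = os.stat(path, dir_fd=dir_fd, follow_symlinks=False)
    fd = os.open(path, _OPEN_DIR, dir_fd=dir_fd)  # raises OSError on a symlink
    try:
        # What we opened must be what we inspected (same device and inode).
        if not os.path.samestat(before, os.fstat(fd)):
            raise OSError(f"{path!r} changed between lstat and open")
        with os.scandir(fd) as it:
            entries = [(e.name, e.is_dir(follow_symlinks=False)) for e in it]
        for name, is_dir in entries:
            if is_dir:
                safe_rmtree(name, dir_fd=fd)  # name resolved relative to fd
            else:
                os.unlink(name, dir_fd=fd)  # removes the link, never its target
    finally:
        os.close(fd)
    os.rmdir(path, dir_fd=dir_fd)


def demo():
    """Constructed layout: a tree containing symlinks that point outside it."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside")
    os.mkdir(outside)
    victim = os.path.join(outside, "keep.txt")
    open(victim, "w").close()
    tree = os.path.join(base, "tree")
    os.makedirs(os.path.join(tree, "sub"))
    os.symlink(outside, os.path.join(tree, "sub", "dirlink"))
    os.symlink(victim, os.path.join(tree, "filelink"))
    safe_rmtree(tree)
    return (not os.path.exists(tree)) and os.path.isfile(victim)


if __name__ == "__main__":
    print("tree removed, outside file intact:", demo())
```
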
=dev-lang/perl-5.8.8-r6 is in the tree. It hopefully fixes what it is supposed to fix.
Instead of the old perl-5.8.8-CAN-2005-0448-rmtree.patch it uses the patch from Debian's 5.8.8-7etch6 (<http://git.debian.org/?p=perl/perl.git;a=commit;h=785f6c24dac9ad3cd73ad615fc00d522de1f8bec>).
wrt https://bugs.gentoo.org/show_bug.cgi?id=79685#c14 and following:
do we need to apply this patch during src_install or does src_unpack work?
Please comment or help testing!
Any progress here? Perl herd?
(In reply to comment #3)
> wrt https://bugs.gentoo.org/show_bug.cgi?id=79685#c14 and following:
> do we need to apply this patch during src_install or does src_unpack work?
> Please comment or help testing!
Unmasked. Let's see how it fails in real.
If it fails we can remove the check from Errno like
Security, please proceed.
security: ping, you never replied back after May?
5.8.8-r8 is stable.
Added to pending GLSA request.
This issue was resolved and addressed in
GLSA 201311-17 at http://security.gentoo.org/glsa/glsa-201311-17.xml
by GLSA coordinator Sergey Popov (pinkbyte).