Perl "File::Path::rmtree" Race Condition
SECUNIA ADVISORY ID:
Paul Szabo has reported a vulnerability in Perl "File::Path::rmtree",
allowing malicious, local users to gain escalated privileges.
The vulnerability is caused due to a race condition in the way
"File::Path::rmtree" changes permissions on files before deleting
them. This can be exploited by creating a symbolic link to arbitrary
Successful exploitation may allow changing permissions or removing
arbitrary files, if root uses an application using the vulnerable
code to delete files.
Do not use applications, which use "File::Path::rmtree", on systems
with untrusted users.
PROVIDED AND/OR DISCOVERED BY:
Still looking for a patch for this.
Created attachment 47116 [details, diff]
Patch from Chip Turner (RedHat)
"Fix for CAN-2004-0452. Change chmod's to make files writable/executable
by the current user only and not by the entire world. chmod's necessary
in the first place but at least this makes them less dangerous. If, for
some reason the rm process dies halfway through, at worst some files and
dirs were revoked from others, not made available."
Path tested with success (ignoring whitespace changes):
$ patch --dry-run -l -p3 -d /usr/lib/perl5/5.8.4/File < file_path_rmtree.patch
patching file Path.pm
Hunk #1 succeeded at 196 (offset 12 lines).
Hunk #2 succeeded at 230 (offset 12 lines).
Hunk #3 succeeded at 252 (offset 12 lines).
Perl team: please apply patch.
Just a note that I will be working on this today and post when done/trouble occurs.
OK, ready for posting whenever.
Micheal please commit if ready.
Ebuilds posted. Updated ebuilds are:
Dear Gentoo people,
Just changing the chmod to 0700 and 0600 instead of 0777 and 0666
does NOT solve the issue. The chmod change was for another, but related,
problem. See bugs.debian.org/286905 and 286922.
Paul Szabo firstname.lastname@example.org
Paul thanks for the notification. Back to ebuild status.
Clearing this up...
We applied the RedHat patch (the same Debian applied for DSA-620 and Ubuntu for USN-44) but apparently this is not sufficient to avoid all exploitable race conditions. So this is a new bug, one that currently has no fix... and no CAN number yet, so I'll open another bug about it.