Bug 75696 - dev-lang/perl: File::Path::rmtree tmpfile vulnerability (CAN-2004-0452)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/13643/
Whiteboard: B3 [gsla] jaervosz
Keywords:
Depends on:
Blocks: 78634
Reported: 2004-12-26 06:01 UTC by Aarni Honka
Modified: 2005-01-27 02:07 UTC

Attachments
file_path_rmtree.patch (file_path_rmtree.patch,1.12 KB, patch)
2004-12-29 06:55 UTC, Thierry Carrez (RETIRED)
Description Aarni Honka 2004-12-26 06:01:42 UTC
TITLE:
Perl "File::Path::rmtree" Race Condition

SECUNIA ADVISORY ID:
SA13643

VERIFY ADVISORY:
http://secunia.com/advisories/13643/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
Perl 5.x
http://secunia.com/product/2647/

DESCRIPTION:
Paul Szabo has reported a vulnerability in Perl "File::Path::rmtree",
allowing malicious, local users to gain escalated privileges.

The vulnerability is caused due to a race condition in the way
"File::Path::rmtree" changes permissions on files before deleting
them. This can be exploited by creating a symbolic link to arbitrary
files.

Successful exploitation may allow changing permissions or removing
arbitrary files, if root uses an application using the vulnerable
code to delete files.

SOLUTION:
Do not use applications, which use "File::Path::rmtree", on systems
with untrusted users.

PROVIDED AND/OR DISCOVERED BY:
Paul Szabo
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 02:27:44 UTC
Still looking for a patch for this.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-29 06:55:33 UTC
Created attachment 47116
file_path_rmtree.patch

Patch from Chip Turner (RedHat)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-29 07:06:25 UTC
"Fix for CAN-2004-0452.  Change chmod's to make files writable/executable
by the current user only and not by the entire world.  chmod's necessary
in the first place but at least this makes them less dangerous.  If, for
some reason the rm process dies halfway through, at worst some files and
dirs were revoked from others, not made available."

Patch tested with success (ignoring whitespace changes):

$ patch --dry-run -l -p3 -d /usr/lib/perl5/5.8.4/File < file_path_rmtree.patch
patching file Path.pm
Hunk #1 succeeded at 196 (offset 12 lines).
Hunk #2 succeeded at 230 (offset 12 lines).
Hunk #3 succeeded at 252 (offset 12 lines).

Perl team: please apply patch.
Comment 4 Michael Cummings (RETIRED) gentoo-dev 2005-01-26 03:00:25 UTC
Just a note that I will be working on this today and post when done/trouble occurs.
Comment 5 Michael Cummings (RETIRED) gentoo-dev 2005-01-26 07:45:24 UTC
OK, ready for posting whenever.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-26 08:37:06 UTC
Michael, please commit if ready.
Comment 7 Michael Cummings (RETIRED) gentoo-dev 2005-01-26 09:30:23 UTC
Ebuilds posted. Updated ebuilds are:

perl-5.8.2-r2.ebuild
perl-5.8.4-r2.ebuild
perl-5.8.5-r3.ebuild
perl-5.8.6-r2.ebuild
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-01-26 12:42:26 UTC
GLSA 200501-38
Comment 9 Paul Szabo 2005-01-26 13:20:22 UTC
Dear Gentoo people,

Just changing the chmod to 0700 and 0600 instead of 0777 and 0666
does NOT solve the issue. The chmod change was for another, but related,
problem. See bugs.debian.org/286905 and 286922.

Cheers,

Paul Szabo  psz@maths.usyd.edu.au
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-26 13:36:42 UTC
Paul, thanks for the notification. Back to ebuild status.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 02:07:20 UTC
Clearing this up...

We applied the RedHat patch (the same Debian applied for DSA-620 and Ubuntu for USN-44) but apparently this is not sufficient to avoid all exploitable race conditions. So this is a new bug, one that currently has no fix... and no CAN number yet, so I'll open another bug about it.
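
The race described in the advisory is a check-then-act on a path name (chmod, then delete), so narrowing the chmod modes leaves the window open, as comments 9 and 11 note. The following Python example is added here for illustration and is neither the attached patch nor File::Path's code: it removes a tree using only descriptor-relative calls with O_NOFOLLOW and applies the permission change to a verified descriptor. The names `safe_rmtree`, `_clear` and `demo` are hypothetical, and the tree built in `demo` is constructed sample data.

```python
import os
import stat
import tempfile

def _clear(dirfd):
    """Remove every entry of the directory open on dirfd; return entries removed."""
    removed = 0
    for name in os.listdir(dirfd):
        st = os.lstat(name, dir_fd=dirfd)  # lstat never follows a symlink
        if stat.S_ISDIR(st.st_mode):
            # O_NOFOLLOW makes open() fail if the entry became a symlink after lstat().
            fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dirfd)
            try:
                if not os.path.samestat(st, os.fstat(fd)):
                    raise OSError(f"{name!r} was replaced during removal")
                # The permission change targets the verified descriptor, not a path.
                os.fchmod(fd, stat.S_IMODE(st.st_mode) | 0o700)
                removed += _clear(fd)
            finally:
                os.close(fd)
            os.rmdir(name, dir_fd=dirfd)
        else:
            os.unlink(name, dir_fd=dirfd)  # removes the link itself, never its target
        removed += 1
    return removed

def safe_rmtree(path):
    """Delete path recursively; returns the number of entries removed inside it."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        removed = _clear(fd)
    finally:
        os.close(fd)
    os.rmdir(path)
    return removed

def demo():
    """Constructed sample: a tree holding symlinks that point outside it."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim.txt")  # lives outside the tree being removed
    with open(victim, "w") as f:
        f.write("keep")
    os.chmod(victim, 0o600)
    tree = os.path.join(base, "tree")
    os.makedirs(os.path.join(tree, "sub"))
    open(os.path.join(tree, "sub", "a.txt"), "w").close()
    os.symlink(victim, os.path.join(tree, "sub", "link_to_file"))
    os.symlink(base, os.path.join(tree, "link_to_dir"))
    return safe_rmtree(tree), os.path.exists(tree), stat.S_IMODE(os.stat(victim).st_mode), open(victim).read()
```

The final `os.rmdir(path)` still acts on the caller's path, so the parent of the tree being removed must not be writable by untrusted users.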