Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 80460 - dev-lang/perl Local root through perl-suid (CAN-2005-015{5,6})
Summary: dev-lang/perl Local root through perl-suid (CAN-2005-015{5,6})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major
Assignee: Gentoo Security
URL: http://www.ubuntulinux.org/support/do...
Whiteboard: B1 [glsa]
Keywords:
: 80235 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-02-02 06:59 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-02-11 13:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
perl-5.8.6-bug33990.patch (perl-5.8.6-bug33990.patch,742 bytes, patch)
2005-02-02 10:12 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-02 06:59:30 UTC
Two exploitable vulnerabilities involving setuid-enabled perl scripts 
have been discovered. The package "perl-suid" provides a wrapper 
around perl which allows to use setuid-root perl scripts, i.e. 
user-callable Perl scripts which have full root privileges. 
 
Previous versions allowed users to overwrite arbitrary files by 
setting the PERLIO_DEBUG environment variable and calling an arbitrary 
setuid-root perl script. The file that PERLIO_DEBUG points to was then 
overwritten by Perl debug messages. This did not allow precise control 
over the file content, but could destroy important data. PERLIO_DEBUG 
is now ignored for setuid scripts. (CAN-2005-0155) 
 
In addition, calling a setuid-root perl script with a very long path 
caused a buffer overflow if PERLIO_DEBUG was set. This buffer overflow 
could be exploited to execute arbitrary code with full root 
privileges. (CAN-2005-0156)
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-02 07:00:43 UTC
Perl please provide an updated ebuild.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-02 10:12:48 UTC
Created attachment 50223 [details, diff]
perl-5.8.6-bug33990.patch

Patch from Mandrake
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-02 10:13:25 UTC
*** Bug 80235 has been marked as a duplicate of this bug. ***
Comment 4 Michael Cummings (RETIRED) gentoo-dev 2005-02-03 05:30:09 UTC
The patch might be valid, but not the severity? We already disable perl-suid by default and force users to explicity local USE it (use flag perlsuid) in order to get it, pointing out these risks. We do have users who use it though, so the patch will be ported over later tonight, just wanted to comment on the severity :)

Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 09:20:26 UTC
Decreasing severity, only specific configurations are vulnerable...
Comment 6 Michael Cummings (RETIRED) gentoo-dev 2005-02-05 03:13:18 UTC
I'm ready to commit, but I'd rather do an in-place commit. We've bumped perl more than a few times lately, and I'd rather not have to bump it again for a security fix that only affects a small percentage of users (this local useflag is not enabled by default). Can we leave this as an in-place fix and advise users of the perlsuid USE flag to reinstall?
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-02-06 09:26:30 UTC
Michael: I understand your worry. The issue we have is that glsa-check (which more and more of our users use to "be secure" without asking themselves questions) won't make that subtle local use flag difference and can't handle non-revbumped upgrades... So this would really be better if there was a revbump :)
Comment 8 Michael Cummings (RETIRED) gentoo-dev 2005-02-07 11:14:36 UTC
(the changes are already in the tree)

Don't suppose we have any other pressing perl ebuild changes on the pipeline? This would be the second (third?) bump in a few weeks. 

Have you seen how notorious perl is in the gentoo community...?
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-02-07 11:32:35 UTC
There is bug 79685. There is no definitive fix, and Owl patched it by patching rmtree documentation. You might want to include this "fix" as well. We'll try hard not having a new Perl security bump for the next month... but time will tell :/
Comment 11 Michael Cummings (RETIRED) gentoo-dev 2005-02-09 01:35:27 UTC
Just a heads up, I will be doing the rev bump later today, trying to work through a few other unrelated changes to the perl ebuild since we're doing another bump anyway.
Comment 12 Michael Cummings (RETIRED) gentoo-dev 2005-02-11 04:35:00 UTC
sorry for the delay, RL issues. Bumped.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 07:34:27 UTC
Thx Michael.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 13:12:30 UTC
GLSA 200502-13