Two exploitable vulnerabilities involving setuid-enabled perl scripts have been discovered. The package "perl-suid" provides a wrapper around perl which allows the use of setuid-root perl scripts, i.e., user-callable Perl scripts which have full root privileges. Previous versions allowed users to overwrite arbitrary files by setting the PERLIO_DEBUG environment variable and calling an arbitrary setuid-root perl script. The file that PERLIO_DEBUG points to was then overwritten by Perl debug messages. This did not allow precise control over the file content, but could destroy important data. PERLIO_DEBUG is now ignored for setuid scripts. (CAN-2005-0155) In addition, calling a setuid-root perl script with a very long path caused a buffer overflow if PERLIO_DEBUG was set. This buffer overflow could be exploited to execute arbitrary code with full root privileges. (CAN-2005-0156)
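As an added example (not Perl's own perlio.c and not the patch attached to this bug), the C below models the two failure modes the report describes and the checks that close them: a privileged program must not let an unprivileged caller choose a log path through the environment, and the script path must be formatted into the debug buffer with a bounded write. The function names, the 1024-byte buffer size and the credential-passing style are assumptions made for illustration; real and effective IDs are passed as parameters so the decision can be exercised without actually installing a setuid binary.

```c
/*
 * Added example, not code from Perl or from this bug's patch.
 * Models CAN-2005-0155 (env-controlled log path honoured by a setuid
 * program) and CAN-2005-0156 (unbounded formatting of the script path
 * into a fixed buffer), with the checks that remove both.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Decide whether a debug-log path taken from the environment may be used.
 * Returns the path, or NULL if it must be ignored.  IDs are parameters
 * (hypothetical interface) so the rule is testable without being setuid. */
const char *debug_log_path(const char *env_value,
                           uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (env_value == NULL || *env_value == '\0')
        return NULL;
    /* Privilege boundary: when real and effective IDs differ, the caller
     * does not own the credentials the process runs with, so it must not
     * pick a file for the privileged process to create or append to. */
    if (uid != euid || gid != egid)
        return NULL;
    return env_value;
}

/* Format "script:line message" into out (capacity outsz).
 * Returns the number of bytes written, or -1 if the line does not fit.
 * The vulnerable pattern was an sprintf of an attacker-controlled script
 * path into a fixed stack buffer; snprintf plus a length check replaces it. */
int format_debug_line(char *out, size_t outsz,
                      const char *script, int line, const char *msg)
{
    int n = snprintf(out, outsz, "%s:%d %s", script, line, msg);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;            /* refuse rather than truncate silently */
    }
    return n;
}

/* Wrapper applying both checks with the live credentials.
 * Returns 1 if a line was written, 0 if debugging is disabled, -1 on error. */
int write_debug(const char *script, int line, const char *msg)
{
    const char *path = debug_log_path(getenv("PERLIO_DEBUG"),
                                      getuid(), geteuid(),
                                      getgid(), getegid());
    if (path == NULL)
        return 0;

    char buf[1024];           /* assumed buffer size for the example */
    if (format_debug_line(buf, sizeof buf, script, line, msg) < 0)
        return -1;

    FILE *f = fopen(path, "a");
    if (f == NULL)
        return -1;
    fputs(buf, f);
    fputc('\n', f);
    fclose(f);
    return 1;
}

int main(void)
{
    /* Constructed inputs: an unprivileged caller (uid 1000) running a
     * setuid-root binary (euid 0) must get no log path at all. */
    const char *p = debug_log_path("/etc/passwd", 1000, 0, 1000, 0);
    printf("setuid caller: %s\n", p ? p : "ignored");

    /* An over-long script path is rejected instead of overflowing. */
    char small[32];
    char longpath[200];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    printf("long path: %d\n", format_debug_line(small, sizeof small,
                                                longpath, 1, "x"));
    return 0;
}
```

Running it as an ordinary user prints "ignored" for the setuid case and -1 for the over-long path; with real and effective IDs equal, write_debug behaves like a normal debug log honouring PERLIO_DEBUG.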
Perl, please provide an updated ebuild.
Created attachment 50223: perl-5.8.6-bug33990.patch
Patch from Mandrake
*** Bug 80235 has been marked as a duplicate of this bug. ***
The patch might be valid, but not the severity? We already disable perl-suid by default and force users to explicitly local USE it (use flag perlsuid) in order to get it, pointing out these risks. We do have users who use it though, so the patch will be ported over later tonight, just wanted to comment on the severity :)
Decreasing severity, only specific configurations are vulnerable...
I'm ready to commit, but I'd rather do an in-place commit. We've bumped perl more than a few times lately, and I'd rather not have to bump it again for a security fix that only affects a small percentage of users (this local useflag is not enabled by default). Can we leave this as an in-place fix and advise users of the perlsuid USE flag to reinstall?
Michael: I understand your worry. The issue we have is that glsa-check (which more and more of our users use to "be secure" without asking themselves questions) won't make that subtle local use flag difference and can't handle non-revbumped upgrades... So this would really be better if there was a revbump :)
(the changes are already in the tree) Don't suppose we have any other pressing perl ebuild changes on the pipeline? This would be the second (third?) bump in a few weeks. Have you seen how notorious perl is in the gentoo community...?
There is bug 79685. There is no definitive fix, and Owl patched it by patching rmtree documentation. You might want to include this "fix" as well. We'll try hard not having a new Perl security bump for the next month... but time will tell :/
Public now: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0017.html http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0018.html
Just a heads up, I will be doing the rev bump later today, trying to work through a few other unrelated changes to the perl ebuild since we're doing another bump anyway.
sorry for the delay, RL issues. Bumped.
Thx Michael.
GLSA 200502-13