Your message dated Sat, 21 Jun 2008 21:02:38 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#487319: fixed in perl 5.10.0-11
has caused the Debian Bug report #487319,
regarding perl-modules: File::Path::rmtree sets symlink target permissions to 0777
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
487319: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487319
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: debsums
Version: 5.10.0-10
Severity: critical
Tags: security
Justification: root security hole

On Fri, 2008-06-20 at 23:26 +0200, Cyril Brulebois wrote:
> Frans Pop <[EMAIL PROTECTED]> (20/06/2008):
> > $ sudo aptitude reinstall ncurses-base
> > $ ls -l /lib/terminfo/*/*
> > -rwxrwxrwx 1 root root 1481 2008-06-16 22:40 /lib/terminfo/a/ansi
> > -rwxrwxrwx 1 root root 1502 2008-06-16 22:40 /lib/terminfo/c/cons25
> > -rwxrwxrwx 1 root root 1529 2008-06-16 22:40 /lib/terminfo/c/cygwin
> > -rwxrwxrwx 1 root root  308 2008-06-16 22:40 /lib/terminfo/d/dumb
> > [...]
> 
> Maybe you could provide us with the part of your dpkg.log relative to
> that particular “aptitude reinstall” run, maybe there are some leads
> there.
>
> You could also strace it, following its children.

debsums is doing it:

32321 execve("/usr/bin/debsums", ["/usr/bin/debsums", "--generate=nocheck", "-sp", "/var/cache/apt/archives"], [/* 18 vars */]) = 0
...
32321 lstat64("wsvt25", {st_mode=S_IFLNK|0777, st_size=22, ...}) = 0
32321 chmod("wsvt25", 0777)             = 0
32321 lstat64("wsvt25", {st_mode=S_IFLNK|0777, st_size=22, ...}) = 0
32321 unlink("wsvt25")                  = 0

It looks like it's unpacking the archive under /tmp, generating
checksums, then deleting the files as it goes.  Before unlinking it uses
chmod, presumably to ensure the unlink will succeed.  But chmod follows
sym-links, and these sym-links are absolute so it chmods the installed
files!

...and a little investigation shows debsums is just using File::Path::rmtree.

Ben.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages debsums depends on:
ii  debconf [debconf-2.0]         1.5.22     Debian configuration management sy
ii  perl                          5.10.0-10  Larry Wall's Practical Extraction 

debsums recommends no packages.

-- debconf information:
  debsums/apt-autogen: true




--- End Message ---
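To make the mechanism in Ben's report concrete, here is an added Python example (not debsums or File::Path code) that contrasts a naive rmtree, which chmods every entry before removing it exactly as the strace shows, with a hardened one that lstat()s first and never touches a symlink's target. The fixture (a private "installed" file and a scratch tree holding an absolute symlink to it) is constructed for the example.

```python
import os
import stat
import tempfile

def rmtree_naive(top):
    """Mirrors the pre-fix rmtree behaviour seen in the strace above:
    chmod 0777 on every entry before removing it. chmod(2) follows
    symlinks, so a link inside the tree changes its *target's* mode."""
    for name in os.listdir(top):
        path = os.path.join(top, name)
        os.chmod(path, 0o777)                  # BUG: follows symlinks
        if os.path.isdir(path) and not os.path.islink(path):
            rmtree_naive(path)
        else:
            os.unlink(path)
    os.rmdir(top)

def rmtree_safe(top):
    """Hardened variant: lstat(2) first, never chmod through a symlink.
    unlink() needs write permission on the parent directory only, so a
    plain file or symlink needs no chmod; only a real directory is opened up."""
    for name in os.listdir(top):
        path = os.path.join(top, name)
        st = os.lstat(path)                    # does not follow symlinks
        if stat.S_ISDIR(st.st_mode):
            # An lstat/chmod race remains on this path; a fully robust fix
            # works on open directory fds (fchmod/unlinkat) instead of paths.
            os.chmod(path, stat.S_IMODE(st.st_mode) | 0o700)
            rmtree_safe(path)
        else:
            os.unlink(path)                    # removes the link itself
    os.rmdir(top)

def target_mode_after(rmtree):
    """Constructed fixture: a 0600 file standing in for an installed file,
    plus a scratch tree containing an absolute symlink to it. Returns the
    target's permission bits after rmtree(scratch) has run."""
    with tempfile.TemporaryDirectory() as base:
        target = os.path.join(base, "installed_file")
        with open(target, "w") as f:
            f.write("constructed sample\n")
        os.chmod(target, 0o600)
        scratch = os.path.join(base, "scratch")
        os.makedirs(os.path.join(scratch, "sub"))
        os.symlink(target, os.path.join(scratch, "sub", "link"))
        rmtree(scratch)
        assert not os.path.lexists(scratch)    # tree really was removed
        return stat.S_IMODE(os.stat(target).st_mode)
```

Running `target_mode_after(rmtree_naive)` yields 0o777 for the target outside the tree, while `target_mode_after(rmtree_safe)` leaves it at 0o600.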
--- Begin Message ---
Source: perl
Source-Version: 5.10.0-11

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.0-11_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.10.0-11_all.deb
libperl-dev_5.10.0-11_amd64.deb
  to pool/main/p/perl/libperl-dev_5.10.0-11_amd64.deb
libperl5.10_5.10.0-11_amd64.deb
  to pool/main/p/perl/libperl5.10_5.10.0-11_amd64.deb
perl-base_5.10.0-11_amd64.deb
  to pool/main/p/perl/perl-base_5.10.0-11_amd64.deb
perl-debug_5.10.0-11_amd64.deb
  to pool/main/p/perl/perl-debug_5.10.0-11_amd64.deb
perl-doc_5.10.0-11_all.deb
  to pool/main/p/perl/perl-doc_5.10.0-11_all.deb
perl-modules_5.10.0-11_all.deb
  to pool/main/p/perl/perl-modules_5.10.0-11_all.deb
perl-suid_5.10.0-11_amd64.deb
  to pool/main/p/perl/perl-suid_5.10.0-11_amd64.deb
perl_5.10.0-11.diff.gz
  to pool/main/p/perl/perl_5.10.0-11.diff.gz
perl_5.10.0-11.dsc
  to pool/main/p/perl/perl_5.10.0-11.dsc
perl_5.10.0-11_amd64.deb
  to pool/main/p/perl/perl_5.10.0-11_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <[EMAIL PROTECTED]> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.8
Date: Sat, 21 Jun 2008 15:18:50 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all amd64
Version: 5.10.0-11
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <[EMAIL PROTECTED]>
Changed-By: Niko Tyni <[EMAIL PROTECTED]>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 487319
Changes: 
 perl (5.10.0-11) unstable; urgency=high
 .
   * [SECURITY] File::Path::rmtree() no longer makes symlink targets
     world-writable. Patch by Ben Hutchings. (Closes: #487319)




--- End Message ---
