Your message dated Mon, 12 Jun 2017 01:03:49 +0000
with message-id <[email protected]>
and subject line Bug#863870: fixed in perl 5.26.0-1
has caused the Debian Bug report #863870,
regarding perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
863870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863870
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl
Version: 5.26.0~rc1-1
Severity: critical
Justification: privilege escalation in library code

Similar to #286905, a new race condition has been reported in File-Path:

https://rt.cpan.org/Public/Bug/Display.html?id=121951

In the rmtree() and remove_tree() functions, the chmod() logic to make
directories traversable can be abused to set the mode on an
attacker-chosen file to an attacker-chosen value.  This is due to the
time-of-check-to-time-of-use (TOCTTOU) race condition
(https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
stat() that decides the inode is a directory and the chmod() that tries
to make it user-rwx.

Fixed on CPAN with 2.13.

--- End Message ---
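The report above describes a check-then-use gap: stat() on a path decides "this is a directory", and a later chmod() on the same path name makes it user-rwx, so a name swapped for a symlink in between redirects the chmod. The following added example (mine, not code from the Debian report, from File::Path, or from the 2.13 upstream fix) shows the hardened shape of that single step in C: open the name once with O_PATH | O_DIRECTORY | O_NOFOLLOW, check the inode you actually hold with fstat(), and change the mode through that same handle. It assumes Linux (O_PATH, and /proc/self/fd as a fallback for kernels whose fchmod() rejects O_PATH descriptors); the names make_traversable and self_check are my own, and the temporary files the self-check creates are constructed for the demonstration.

```c
// Added example, not part of the Debian report or of File::Path.
// Linux-specific: assumes O_PATH and a mounted /proc.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy shape from the report, for contrast only (not executed here):
 *     stat(path) says "directory"  ->  chmod(path, mode | S_IRWXU)
 * The check and the use name the path twice, so the name can change
 * between them.
 *
 * Hardened variant: check and use act on one opened inode.
 * Returns 0 on success, -1 with errno set if `path` is not a directory,
 * is a symlink, or cannot be changed. */
int make_traversable(const char *path)
{
    /* O_PATH needs no read permission on the directory (it may be mode 0),
     * O_NOFOLLOW refuses a symlink as the final component,
     * O_DIRECTORY refuses anything that is not a directory. */
    int fd = open(path, O_PATH | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Verify the inode we hold, not the name we were given. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode)) {
        close(fd);
        errno = ENOTDIR;
        return -1;
    }

    int rc = 0;
    if ((st.st_mode & S_IRWXU) != S_IRWXU) {
        mode_t want = (st.st_mode & 07777) | S_IRWXU;
        /* fchmod() on an O_PATH fd is accepted by Linux >= 6.6; older
         * kernels return EBADF, so fall back to the /proc magic link,
         * which resolves to the open inode rather than re-walking the path. */
        rc = fchmod(fd, want);
        if (rc < 0 && errno == EBADF) {
            char via_proc[64];
            snprintf(via_proc, sizeof via_proc, "/proc/self/fd/%d", fd);
            rc = chmod(via_proc, want);
        }
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed self-check (hypothetical paths under a fresh temp dir):
 * a mode-000 directory becomes user-rwx, while a symlink to a mode-0600
 * file is refused and the file's mode stays untouched.
 * Returns 1 if every check passed, 0 otherwise. */
int self_check(void)
{
    char base[32] = "/tmp/traverse_XXXXXX";
    if (!mkdtemp(base)) {
        strcpy(base, "./traverse_XXXXXX");   /* fallback if /tmp is unusable */
        if (!mkdtemp(base))
            return 0;
    }
    char dir[256], file[256], link[256];
    snprintf(dir,  sizeof dir,  "%s/locked", base);
    snprintf(file, sizeof file, "%s/secret", base);
    snprintf(link, sizeof link, "%s/locked_link", base);

    int ok = 1;
    struct stat st;

    /* 1. A directory with no permission bits, as a tree removal might meet. */
    ok &= mkdir(dir, 0) == 0;
    ok &= make_traversable(dir) == 0;
    ok &= stat(dir, &st) == 0 && (st.st_mode & S_IRWXU) == S_IRWXU;

    /* 2. The substitution the report describes: a symlink where the
     *    directory was expected, pointing at a file with mode 0600. */
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    ok &= fd >= 0;
    if (fd >= 0)
        close(fd);
    ok &= symlink(file, link) == 0;
    ok &= make_traversable(link) == -1;
    ok &= stat(file, &st) == 0 && (st.st_mode & 07777) == 0600;

    unlink(link);
    unlink(file);
    rmdir(dir);
    rmdir(base);
    return ok;
}

int main(void)
{
    printf("%s\n", self_check() ? "all checks passed" : "a check failed");
    return 0;
}
```

This closes the gap only for the final path component: a full tree walk would additionally open each parent with O_PATH and resolve children with openat() relative to that handle, so that no earlier component is re-resolved by name either.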
--- Begin Message ---
Source: perl
Source-Version: 5.26.0-1

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Jun 2017 23:37:03 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.26 libperl-dev perl-modules-5.26 perl
Architecture: source
Version: 5.26.0-1
Distribution: experimental
Urgency: medium
Maintainer: Niko Tyni <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
 libperl-dev - Perl library: development files
 libperl5.26 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.26 - Core Perl modules
Closes: 863870
Changes:
 perl (5.26.0-1) experimental; urgency=medium
 .
   [ Niko Tyni ]
   * Make perl-base Break debconf (<< 1.5.61) due to POSIX::tmpnam() usage.
     (See #863071)
 .
   [ Dominic Hargreaves ]
   * Remove /etc/perl/sitecustomize.pl as the interpreter's initial @INC
     no longer contains '.'
   * Revert local patch setting sitecustomize path
   * Merged 5.24.1-3 from unstable:
     + [CVE-2017-6512] Fix file permissions race condition in File-Path;
       patch from John Lightsey (Closes: #863870)
     + Also fix test logic in ExtUtils-MakeMaker required for the above
   * New upstream release
Checksums-Sha1:
 10ccdbeac544b9ccf942f007f5d2da92e0409ca5 2316 perl_5.26.0-1.dsc
 50f14ebdaa509ff5ef9b32ad388a1e6237c882dd 11961692 perl_5.26.0.orig.tar.xz
 9a631cff0d4ee230c6a0a5f0cb540646bda74be1 153132 perl_5.26.0-1.debian.tar.xz
Checksums-Sha256:
 8da1c2dd48622fbafb8b32f71b409b46b3bc2ec1965104c596a8a24786dfe865 2316 perl_5.26.0-1.dsc
 9bf2e3d0d72aad77865c3bdbc20d3b576d769c5c255c4ceb30fdb9335266bf55 11961692 perl_5.26.0.orig.tar.xz
 9dfee809fd268b1d2ca66c21457d7d2516c576aa0e75970604f5f0cff5f7592d 153132 perl_5.26.0-1.debian.tar.xz
Files:
 2cb66b3c2479e641f7d001c75eed6bb1 2316 perl standard perl_5.26.0-1.dsc
 8c6995718e4cb62188f0d5e3488cd91f 11961692 perl standard perl_5.26.0.orig.tar.xz
 919ff7f21cb79f0bc1f933fa9264f93f 153132 perl standard perl_5.26.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
