On Thu, Jun 01, 2017 at 10:41:56AM +0100, Dominic Hargreaves wrote: > Similar to #286905, a new race condition has been reported in File-Path: > > https://rt.cpan.org/Public/Bug/Display.html?id=121951 > > In the rmtree() and remove_tree() functions, the chmod()logic to make > directories traversable can be abused to set the mode on an > attacker-chosen file to an attacker-chosen value. This is due to the > time-of-check-to-time-of-use (TOCTTOU) race condition > (https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the > stat() that decides the inode is a directory and the chmod() that tries > to make it user-rwx. > > Fixed on CPAN with 2.13.
I've uploaded a fix to sid. As evidenced by the additional patch I included, and upstream's testing, one package out of the CPAN top 2000 was broken by the change: a test in ExtUtils::MakeMaker; see https://github.com/Perl-Toolchain-Gang/ExtUtils-MakeMaker/pull/294 Given the potential for other code to be affected, we are running a rebuild of all perl rdeps with the new package. The results are available here: http://perl.debian.net/rebuild-logs/experimental/report.html (ignore everything with a date older than today). Assuming that no breakage that we can't live with is found, I'll file an unblock request. Work on jessie is still ongoing. Dominic.