Rafael Garcia-Suarez wrote:
> Michael G Schwern wrote in perl.makemaker :
>> Before I get a zillion bug reports about this... as a result of a
>> lightly broken security fix, Debian stable ships with a slightly
>> broken File::Path::rmtree() that cannot delete read-only directories.
>> Ubuntu may also be affected.  This causes an ExtUtils::Command test to
>> fail.
> 
> If I remember correctly, this patch hasn't been applied in blead or in
> maint?

I believe an equivalent patch was.

[ 23953] By: rgs                                   on 2005/02/09  09:28:19
        Log: Patch for CAN-2004-0452 by Jeroen van Wolffelaar.
             The rmtree() function in the perl File::Path module would remove
             directories in an insecure manner which could lead to the removal
             of arbitrary files and directories via a symlink attack.
     Branch: perl
           ! lib/File/Path.pm

And here's the Debian patch file from perl-base stable for comparison.
http://ftp.debian.org/debian/pool/main/p/perl/perl_5.8.4-8sarge5.diff.gz

perl-base in testing contains no such patch.
http://ftp.debian.org/debian/pool/main/p/perl/perl_5.8.8-6.1.diff.gz

I haven't reported this upstream; I don't have a Debian stable box handy at the
moment.
