Rafael Garcia-Suarez wrote:
> Michael G Schwern wrote in perl.makemaker :
>> Rafael Garcia-Suarez wrote:
>>> Michael G Schwern wrote in perl.makemaker :
>>>> Before I get a zillion bug reports about this... as a result of a
>>>> lightly broken security fix, Debian stable ships with a slightly
>>>> broken File::Path::rmtree() that cannot delete read-only directories.
>>>> Ubuntu may also be affected. This causes an ExtUtils::Command test to
>>>> fail.
>>> If I remember correctly, this patch hasn't been applied in blead or in
>>> maint ?
>> I believe an equivalent patch was.
>>
>> [ 23953] By: rgs on 2005/02/09 09:28:19
>> Log: Patch for CAN-2004-0452 by Jeroen van Wolffelaar.
>> The rmtree() function in the perl File::Path module would remove
>> directories in an insecure manner which could lead to the removal
>> of arbitrary files and directories via a symlink attack.
>> Branch: perl
>> ! lib/File/Path.pm
>
> I don't think that this patch is harmful, since it only affects
> permissions of directories for other group/users; also, since it has
> been applied to bleadperl, and since ExtUtils::Command is part of
> bleadperl, a test failure would have been noticed much earlier.
Sorry if I wasn't clear; I didn't mean to imply 23953 was harmful. By "equivalent" I mean "fixes the same security hole Debian fixed" but without breaking things. The Debian and bleadperl patch code are rather different.
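For anyone who wants to check whether the File::Path shipped on their own system shows the read-only-directory breakage the thread describes, here is a small stand-alone probe. It is an added example, not part of the thread and not the ExtUtils::Command test itself; the function name `rmtree_handles_readonly` and the scratch file name are my own choices.

```perl
#!/usr/bin/perl
# Added probe: can this platform's File::Path::rmtree() remove a
# read-only directory?  Not part of the original thread or of the
# ExtUtils::Command test suite.
use strict;
use warnings;
use File::Path qw(rmtree);
use File::Temp qw(tempdir);
use File::Spec;

# Returns 1 if rmtree() removed the read-only directory, 0 if it did
# not, and undef when the probe is meaningless (running as root, which
# ignores permission bits).
sub rmtree_handles_readonly {
    return undef if $> == 0;

    # Scratch area that File::Temp removes when the program exits.
    my $base = tempdir(CLEANUP => 1);
    my $dir  = File::Spec->catdir($base, 'ro');
    my $file = File::Spec->catfile($dir, 'victim.txt');

    mkdir $dir or die "mkdir $dir: $!";
    open my $fh, '>', $file or die "open $file: $!";
    print {$fh} "constructed sample file\n";
    close $fh;

    # Drop the owner's write bit: entries inside $dir can no longer be
    # unlinked unless rmtree() first restores write permission on it.
    chmod 0555, $dir or die "chmod $dir: $!";

    # Old rmtree() warns rather than dies on failure, so check the
    # filesystem rather than trusting the return value alone.
    my $removed = eval { rmtree($dir); 1 } && ! -e $dir;

    # Put the write bit back so CLEANUP can still remove the scratch
    # area if rmtree() left the directory behind.
    chmod 0755, $dir if -d $dir;
    return $removed ? 1 : 0;
}

my $result = rmtree_handles_readonly();
if (!defined $result) {
    print "running as root: permission probe is not meaningful\n";
} elsif ($result) {
    print "rmtree() removed the read-only directory: OK\n";
} else {
    print "rmtree() could not remove a read-only directory\n";
}
```

Run it as an unprivileged user; a "could not remove" result on a Debian or Ubuntu perl is the symptom Schwern describes, and it is the case the ExtUtils::Command test trips over.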