Bug#286922: marked as done (perl-modules: File::Path::rmtree removes arbitrary)
Your message dated Fri, 09 Jan 2009 01:52:21 + with message-id e1ll6xt-0006a6...@ries.debian.org and subject line Bug#286922: fixed in perl 5.8.8-7etch5 has caused the Debian Bug report #286922, regarding perl-modules: File::Path::rmtree removes arbitrary to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 286922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: perl-modules Version: 5.6.1-8.7 Severity: critical File: /usr/share/perl/5.6.1/File/Path.pm Tags: security Justification: root security hole Following on from the File::Path::rmtree makes setuid issue, I notice that rmtree may be tricked into removing arbitrary files. Example of attack: suppose we know that root uses rmtree to clean up /tmp directories. Attacker prepares things: mkdir /tmp/psz perl -e 'open F, /tmp/psz/$_ foreach (1..1000)' touch /tmp/psz/passwd While root is busy working on /tmp/psz (and this can be made as slow as we like), attacker does: mv /tmp/psz /tmp/dummy ln -s /etc /tmp/psz Root will then remove /etc/passwd. Maybe it should be documented that rmtree must only be used if you can be sure to have exclusive access to the tree. Cheers, Paul Szabo - p...@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686 Locale: LANG=C, LC_CTYPE=C Versions of packages perl-modules depends on: ii perl 5.6.1-8.7 Larry Wall's Practical Extraction ---End Message--- ---BeginMessage--- Source: perl Source-Version: 5.8.8-7etch5 We believe that the bug you reported is fixed in the latest version of perl, which is due to be installed in the Debian FTP archive: libcgi-fast-perl_5.8.8-7etch5_all.deb to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch5_all.deb libperl-dev_5.8.8-7etch5_i386.deb to pool/main/p/perl/libperl-dev_5.8.8-7etch5_i386.deb libperl5.8_5.8.8-7etch5_i386.deb to pool/main/p/perl/libperl5.8_5.8.8-7etch5_i386.deb perl-base_5.8.8-7etch5_i386.deb to pool/main/p/perl/perl-base_5.8.8-7etch5_i386.deb perl-debug_5.8.8-7etch5_i386.deb to pool/main/p/perl/perl-debug_5.8.8-7etch5_i386.deb perl-doc_5.8.8-7etch5_all.deb to pool/main/p/perl/perl-doc_5.8.8-7etch5_all.deb perl-modules_5.8.8-7etch5_all.deb to pool/main/p/perl/perl-modules_5.8.8-7etch5_all.deb perl-suid_5.8.8-7etch5_i386.deb to pool/main/p/perl/perl-suid_5.8.8-7etch5_i386.deb perl_5.8.8-7etch5.diff.gz to pool/main/p/perl/perl_5.8.8-7etch5.diff.gz perl_5.8.8-7etch5.dsc to pool/main/p/perl/perl_5.8.8-7etch5.dsc perl_5.8.8-7etch5_i386.deb to pool/main/p/perl/perl_5.8.8-7etch5_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 286...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Niko Tyni nt...@debian.org (supplier of updated perl package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.7 Date: Thu, 20 Nov 2008 22:45:54 +0200 Source: perl Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc Architecture: source i386 all Version: 5.8.8-7etch5 Distribution: stable-security Urgency: high Maintainer: Brendan O'Dea b...@debian.org Changed-By: Niko Tyni nt...@debian.org Description: libcgi-fast-perl - CGI::Fast Perl module libperl-dev - Perl library: development files libperl5.8 - Shared Perl library perl - Larry Wall's Practical Extraction and Report Language perl-base - The Pathologically Eclectic Rubbish Lister perl-debug - Debug-enabled Perl interpreter perl-doc - Perl documentation perl-modules - Core Perl modules perl-suid - Runs setuid Perl scripts Closes: 286905 286922 Changes: perl (5.8.8-7etch5) stable-security; urgency=high . * SECURITY [CAN-2005-0448]: re-rewrite File::Path::rmtree to avoid race condition which allows an attacker with write permission on directories in the tree being removed to make files setuid or to remove arbitrary files (Closes: #286905, #286922). .
Bug#286922: marked as done (perl-modules: File::Path::rmtree removes arbitrary)
Your message dated Mon, 07 Mar 2005 01:47:15 -0500 with message-id [EMAIL PROTECTED] and subject line Bug#286905: fixed in perl 5.8.4-7 has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -- Received: (at submit) by bugs.debian.org; 22 Dec 2004 23:00:05 + From [EMAIL PROTECTED] Wed Dec 22 15:00:05 2004 Return-path: [EMAIL PROTECTED] Received: from talus.maths.usyd.edu.au [129.78.68.1] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1ChFSe-0001bR-00; Wed, 22 Dec 2004 15:00:04 -0800 Received: from pisa.maths.usyd.edu.au ([EMAIL PROTECTED]) [129.78.69.136] by siv.maths.usyd.edu.au via smtpdoor V18.4 id 310557 for [EMAIL PROTECTED]; Thu, 23 Dec 2004 10:00:01 +1100 Message-Id: [EMAIL PROTECTED] Received: from [EMAIL PROTECTED] by pisa.maths.usyd.edu.au (8.12.3/8.1/Submit) id iBMN00bf011682; Thu, 23 Dec 2004 10:00:00 +1100 From: Paul Szabo [EMAIL PROTECTED] To: Debian Bug Tracking System [EMAIL PROTECTED] Subject: perl-modules: File::Path::rmtree removes arbitrary X-Mailer: reportbug 1.50 Date: Thu, 23 Dec 2004 10:00:00 +1100 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-5.9 required=4.0 tests=BAYES_00,HAS_PACKAGE, MSGID_FROM_MTA_HEADER,WEIRD_PORT autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: Package: perl-modules Version: 5.6.1-8.7 Severity: critical File: /usr/share/perl/5.6.1/File/Path.pm Tags: security Justification: root security hole Following on from the File::Path::rmtree makes setuid issue, I notice that rmtree may be tricked into removing arbitrary files. Example of attack: suppose we know that root uses rmtree to clean up /tmp directories. Attacker prepares things: mkdir /tmp/psz perl -e 'open F, /tmp/psz/$_ foreach (1..1000)' touch /tmp/psz/passwd While root is busy working on /tmp/psz (and this can be made as slow as we like), attacker does: mv /tmp/psz /tmp/dummy ln -s /etc /tmp/psz Root will then remove /etc/passwd. Maybe it should be documented that rmtree must only be used if you can be sure to have exclusive access to the tree. Cheers, Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686 Locale: LANG=C, LC_CTYPE=C Versions of packages perl-modules depends on: ii perl 5.6.1-8.7 Larry Wall's Practical Extraction --- Received: (at 286905-close) by bugs.debian.org; 7 Mar 2005 06:53:04 + From [EMAIL PROTECTED] Sun Mar 06 22:53:04 2005 Return-path: [EMAIL PROTECTED] Received: from newraff.debian.org [208.185.25.31] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1D8C6y-XC-00; Sun, 06 Mar 2005 22:53:04 -0800 Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian)) id 1D8C1L-0001OJ-00; Mon, 07 Mar 2005 01:47:15 -0500 From: Brendan O'Dea [EMAIL PROTECTED] To: [EMAIL PROTECTED] X-Katie: $Revision: 1.55 $ Subject: Bug#286905: fixed in perl 5.8.4-7 Message-Id: [EMAIL PROTECTED] Sender: Archive Administrator [EMAIL PROTECTED] Date: Mon, 07 Mar 2005 01:47:15 -0500 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: X-CrossAssassin-Score: 11 Source: perl Source-Version: 5.8.4-7 We believe that the bug you reported is fixed in the latest version of perl, which is due to be installed in the Debian FTP archive: libcgi-fast-perl_5.8.4-7_all.deb to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb libperl-dev_5.8.4-7_i386.deb to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb libperl-dev_5.8.4-7_powerpc.deb to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb libperl-dev_5.8.4-7_sparc.deb to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb libperl5.8_5.8.4-7_i386.deb to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb libperl5.8_5.8.4-7_powerpc.deb to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb libperl5.8_5.8.4-7_sparc.deb to