perl-modules: File::Path::rmtree removes arbitrary

Bug #11409 reported by Debian Bug Importer

Affects        Status        Importance  Assigned to  Milestone
perl (Debian)  Fix Released  Unknown
perl (Ubuntu)  Invalid       High        Unassigned

Bug Description

Automatically imported from Debian bug report #286922 http://bugs.debian.org/286922

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 23 Dec 2004 10:00:00 +1100
From: Paul Szabo <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: perl-modules: File::Path::rmtree removes arbitrary

Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Following on from the "File::Path::rmtree makes setuid" issue, I notice
that rmtree may be tricked into removing arbitrary files.

Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:

  mkdir /tmp/psz
  perl -e 'open F, ">/tmp/psz/$_" foreach (1..1000)'
  touch /tmp/psz/passwd

While root is busy working on /tmp/psz (and this can be made as slow as
we like), attacker does:

  mv /tmp/psz /tmp/dummy
  ln -s /etc /tmp/psz

Root will then remove /etc/passwd.

Maybe it should be documented that rmtree must only be used if you can
be sure to have exclusive access to the tree.

Cheers,

Paul Szabo - <email address hidden> http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (286905,286922)

This bug has been marked as a duplicate of bug 11407.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 24 Dec 2004 10:30:44 +1100
From: Brendan O'Dea <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: bug twiddling

# reassign to canonical package
reassign 255093 perl
reassign 255919 perl
reassign 257568 perl
reassign 262957 perl
reassign 263279 perl
reassign 263325 perl
reassign 264629 perl
reassign 266194 perl
reassign 266669 perl
reassign 268810 perl
reassign 269879 perl
reassign 269919 perl
reassign 273379 perl
reassign 275142 perl
reassign 278322 perl
reassign 280220 perl
reassign 282110 perl
reassign 283802 perl
reassign 284489 perl
reassign 286905 perl
reassign 286907 perl
reassign 286922 perl

# related security issues with File::Path::rmtree
merge 286905 286922

thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 07 Mar 2005 01:47:15 -0500
From: Brendan O'Dea <email address hidden>
To: <email address hidden>
Subject: Bug#286905: fixed in perl 5.8.4-7

Source: perl
Source-Version: 5.8.4-7

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.4-7_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb
libperl-dev_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb
libperl-dev_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb
libperl-dev_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb
libperl5.8_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb
libperl5.8_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb
libperl5.8_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_sparc.deb
perl-base_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-base_5.8.4-7_i386.deb
perl-base_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_powerpc.deb
perl-base_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_sparc.deb
perl-debug_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_i386.deb
perl-debug_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_powerpc.deb
perl-debug_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_sparc.deb
perl-doc_5.8.4-7_all.deb
  to pool/main/p/perl/perl-doc_5.8.4-7_all.deb
perl-modules_5.8.4-7_all.deb
  to pool/main/p/perl/perl-modules_5.8.4-7_all.deb
perl-suid_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_i386.deb
perl-suid_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_powerpc.deb
perl-suid_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_sparc.deb
perl_5.8.4-7.diff.gz
  to pool/main/p/perl/perl_5.8.4-7.diff.gz
perl_5.8.4-7.dsc
  to pool/main/p/perl/perl_5.8.4-7.dsc
perl_5.8.4-7_i386.deb
  to pool/main/p/perl/perl_5.8.4-7_i386.deb
perl_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl_5.8.4-7_powerpc.deb
perl_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl_5.8.4-7_sparc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <email address hidden> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)


Format: 1.7
Date: Mon, 7 Mar 2005 10:22:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc
Version: 5.8.4-7
Distribution: unstable
Urgency: low
Maintainer: Brendan O'Dea <email address hidden>
Changed-By: Brendan O'Dea <email address hidden>
Description:
 libperl-dev - Perl library: development files
 libperl5.8 - S...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 07 Mar 2005 01:47:15 -0500
From: Brendan O'Dea <email address hidden>
To: <email address hidden>
Subject: Bug#286922: fixed in perl 5.8.4-7

Source: perl
Source-Version: 5.8.4-7

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.4-7_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb
libperl-dev_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb
libperl-dev_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb
libperl-dev_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb
libperl5.8_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb
libperl5.8_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb
libperl5.8_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_sparc.deb
perl-base_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-base_5.8.4-7_i386.deb
perl-base_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_powerpc.deb
perl-base_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_sparc.deb
perl-debug_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_i386.deb
perl-debug_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_powerpc.deb
perl-debug_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_sparc.deb
perl-doc_5.8.4-7_all.deb
  to pool/main/p/perl/perl-doc_5.8.4-7_all.deb
perl-modules_5.8.4-7_all.deb
  to pool/main/p/perl/perl-modules_5.8.4-7_all.deb
perl-suid_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_i386.deb
perl-suid_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_powerpc.deb
perl-suid_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_sparc.deb
perl_5.8.4-7.diff.gz
  to pool/main/p/perl/perl_5.8.4-7.diff.gz
perl_5.8.4-7.dsc
  to pool/main/p/perl/perl_5.8.4-7.dsc
perl_5.8.4-7_i386.deb
  to pool/main/p/perl/perl_5.8.4-7_i386.deb
perl_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl_5.8.4-7_powerpc.deb
perl_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl_5.8.4-7_sparc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <email address hidden> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)


Format: 1.7
Date: Mon, 7 Mar 2005 10:22:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc
Version: 5.8.4-7
Distribution: unstable
Urgency: low
Maintainer: Brendan O'Dea <email address hidden>
Changed-By: Brendan O'Dea <email address hidden>
Description:
 libperl-dev - Perl library: development files
 libperl5.8 - S...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 17 Mar 2005 23:37:48 -0600
From: Micah Anderson <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: CAN-2005-0448 and woody

reopen 286905
tag 286905 + woody
thanks

As noted on debian-security:

#286905 fixes CAN-2005-0448 for testing's perl (5.8.4-7), however it
leaves it unfixed in stable's version (5.6.1-8.8), which is also
affected (according to http://www.securityfocus.com/bid/12767), so
this bug should not be closed.


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 22 Mar 2005 06:02:30 -0500
From: Brendan O'Dea <email address hidden>
To: <email address hidden>
Cc: Brendan O'Dea <email address hidden>, Martin Schulze <email address hidden>
Subject: Fixed in NMU of perl 5.6.1-8.9

tag 286905 + fixed
tag 286922 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.


Format: 1.7
Date: Fri, 18 Mar 2005 22:22:25 +1100
Source: perl
Binary: perl-suid perl-modules perl perl-debug perl-base libperl5.6 perl-doc libperl-dev libcgi-fast-perl
Architecture: source i386 all
Version: 5.6.1-8.9
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <email address hidden>
Changed-By: Brendan O'Dea <email address hidden>
Description:
 libcgi-fast-perl - CGI::Fast Perl module.
 libperl-dev - Perl library: development files.
 libperl5.6 - Shared Perl library.
 perl - Larry Wall's Practical Extraction and Report Language.
 perl-base - The Pathologically Eclectic Rubbish Lister.
 perl-debug - Debug-enabled Perl interpreter.
 perl-doc - Perl documentation.
 perl-modules - Core Perl modules.
 perl-suid - Runs setuid Perl scripts.
Closes: 286905 286922
Changes:
 perl (5.6.1-8.9) stable-security; urgency=high
 .
   * SECURITY [CAN-2005-0448]: rewrite File::Path::rmtree to avoid race
     condition which allows an attacker with write permission on
     directories in the tree being removed to make files setuid or to
     remove arbitrary files (closes: #286905, #286922). Supersedes
     the previous patch for CAN-2004-0452.
Files:
 bf8f434e157f15546953ae89dfb2f932 687 interpreters standard perl_5.6.1-8.9.dsc
 5f8583904c8f261d31f0935611ca7314 176889 interpreters standard perl_5.6.1-8.9.diff.gz
 2516eb570a001c6a3376042ff85e3ff9 31524 interpreters extra libcgi-fast-perl_5.6.1-8.9_all.deb
 d2ccba71035e7b24bed20b0d50e6cd3c 3885588 doc optional perl-doc_5.6.1-8.9_all.deb
 ba2dbf867e05ce0a238a6bb0655ae88f 1278636 interpreters standard perl-modules_5.6.1-8.9_all.deb
 46ad051a8314caccc5bb58c0c63f21fb 497350 base required perl-base_5.6.1-8.9_i386.deb
 d32af3c6b914565feef67bbc88d26fac 2119332 interpreters optional perl-debug_5.6.1-8.9_i386.deb
 2d35d5c7bf825e4ee402a2ee2d1e9961 28422 interpreters optional perl-suid_5.6.1-8.9_i386.deb
 e896258f9bab36868a62f2d4abf38f3b 347980 libs required libperl5.6_5.6.1-8.9_i386.deb
 325554fce57546f366bd8eb8eae13d0d 424620 devel optional libperl-dev_5.6.1-8.9_i386.deb
 7eb6c4b69d60aa1aa203c8e121001b08 1150462 interpreters standard perl_5.6.1-8.9_i386.deb
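The reporter's scenario earlier in this thread and the changelog entry just above describe the same race from two sides: a path-based recursive delete re-resolves each name on every step, so a directory renamed away mid-walk and replaced with a symlink silently redirects the deletion, and the fix was to rewrite rmtree so the walk cannot be redirected. What follows is an added example, not code from the bug report, from Debian, or from Perl's File::Path (the changelog says rmtree was rewritten to avoid the race but does not show how). It is written in Python rather than Perl because Python's `os` module exposes the `dir_fd` form of the relevant system calls directly. Every name in it (`safe_rmtree`, `demo_swap_during_walk`, the `psz`/`dummy`/`etc` layout under a temporary directory standing in for /tmp and /etc) is constructed for this illustration. The walk operates relative to open directory descriptors and never follows symlinks; the second demo replays the reporter's rename-and-symlink swap while the walk still holds its descriptor, and shows that only the renamed directory is emptied while the stand-in passwd file survives.

```python
import os
import stat
import tempfile

# Added example (not the reporter's code, not Perl's File::Path fix): a recursive
# delete that operates relative to open directory descriptors, so renaming a
# directory away mid-walk and planting a symlink in its place cannot redirect
# the deletion outside the tree. All names here are hypothetical.

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def _remove_children(fd):
    """Delete every entry inside the directory already open as fd."""
    for name in os.listdir(fd):
        _remove_entry(fd, name)


def _remove_entry(dir_fd, name):
    """Remove `name` relative to dir_fd without ever following a symlink."""
    st = os.lstat(name, dir_fd=dir_fd)
    if not stat.S_ISDIR(st.st_mode):
        # Files and symlinks alike: unlink the entry itself, never its target.
        os.unlink(name, dir_fd=dir_fd)
        return
    # O_NOFOLLOW fails with ELOOP if a symlink was planted between the lstat
    # and the open; O_DIRECTORY insists on a real directory.
    fd = os.open(name, DIR_FLAGS, dir_fd=dir_fd)
    try:
        fst = os.fstat(fd)
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise RuntimeError(f"{name!r} was replaced underneath us")
        _remove_children(fd)
    finally:
        os.close(fd)
    # rmdir relative to the parent: if the name now resolves to a symlink the
    # kernel refuses with ENOTDIR instead of removing anything.
    os.rmdir(name, dir_fd=dir_fd)


def safe_rmtree(path):
    """Remove the tree at path; refuse if path itself is a symlink."""
    path = os.path.abspath(path)
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise OSError(f"refusing to rmtree a symlink: {path}")
    parent, name = os.path.split(path)
    pfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        _remove_entry(pfd, name)
    finally:
        os.close(pfd)


def _make_layout(base):
    """Constructed layout mirroring the report: a scratch dir psz/ full of files
    (plus a symlink pointing out of it) and a stand-in etc/passwd beside it."""
    victim, target = os.path.join(base, "psz"), os.path.join(base, "etc")
    os.mkdir(victim)
    os.mkdir(target)
    for i in range(50):
        open(os.path.join(victim, str(i)), "w").close()
    os.symlink(target, os.path.join(victim, "link-to-etc"))
    open(os.path.join(target, "passwd"), "w").close()
    return victim, target


def demo_normal_removal():
    """Ordinary use: psz/ and the link inside it go, etc/passwd stays."""
    base = tempfile.mkdtemp()
    victim, target = _make_layout(base)
    safe_rmtree(victim)
    result = (not os.path.lexists(victim),
              os.path.exists(os.path.join(target, "passwd")))
    safe_rmtree(base)  # clean up the scratch area
    return result


def demo_swap_during_walk():
    """The report's sequence: the cleaner has opened psz/, then psz is renamed
    to dummy and a symlink to etc/ is put in its place before the walk ends."""
    base = tempfile.mkdtemp()
    victim, target = _make_layout(base)
    pfd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    fd = os.open("psz", DIR_FLAGS, dir_fd=pfd)
    os.rename(victim, os.path.join(base, "dummy"))  # the swap
    os.symlink(target, victim)
    _remove_children(fd)  # the cleaner carries on using the descriptor it holds
    os.close(fd)
    try:
        os.rmdir("psz", dir_fd=pfd)
        rmdir_refused = False
    except NotADirectoryError:
        rmdir_refused = True
    os.close(pfd)
    result = (os.path.exists(os.path.join(target, "passwd")),
              os.listdir(os.path.join(base, "dummy")) == [],
              rmdir_refused)
    safe_rmtree(base)
    return result
```

The two places where a planted symlink is rejected by the kernel rather than by a path check that could itself race are the `O_NOFOLLOW` open of each subdirectory and the final `rmdir` relative to the parent descriptor. This needs a platform where the `dir_fd` arguments are supported (`os.supports_dir_fd`), which is the case on Linux.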


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 24 Mar 2005 11:47:07 +1100
From: Brendan O'Dea <email address hidden>
To: <email address hidden>
Subject: closing 286905

# Automatically generated email from bts, devscripts version 2.8.11
close 286905

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 15 Apr 2005 18:19:59 -0400
From: Brendan O'Dea <email address hidden>
To: <email address hidden>
Cc: Brendan O'Dea <email address hidden>, Martin Schulze <email address hidden>
Subject: Fixed in NMU of perl 5.6.1-8.9

tag 286905 + fixed
tag 286922 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.


Format: 1.7
Date: Fri, 18 Mar 2005 22:22:25 +1100
Source: perl
Binary: perl-suid perl-modules perl perl-debug perl-base libperl5.6 perl-doc libperl-dev libcgi-fast-perl
Architecture: source i386 all
Version: 5.6.1-8.9
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <email address hidden>
Changed-By: Brendan O'Dea <email address hidden>
Description:
 libcgi-fast-perl - CGI::Fast Perl module.
 libperl-dev - Perl library: development files.
 libperl5.6 - Shared Perl library.
 perl - Larry Wall's Practical Extraction and Report Language.
 perl-base - The Pathologically Eclectic Rubbish Lister.
 perl-debug - Debug-enabled Perl interpreter.
 perl-doc - Perl documentation.
 perl-modules - Core Perl modules.
 perl-suid - Runs setuid Perl scripts.
Closes: 286905 286922
Changes:
 perl (5.6.1-8.9) stable-security; urgency=high
 .
   * SECURITY [CAN-2005-0448]: rewrite File::Path::rmtree to avoid race
     condition which allows an attacker with write permission on
     directories in the tree being removed to make files setuid or to
     remove arbitrary files (closes: #286905, #286922). Supersedes
     the previous patch for CAN-2004-0452.
Files:
 bf8f434e157f15546953ae89dfb2f932 687 interpreters standard perl_5.6.1-8.9.dsc
 5f8583904c8f261d31f0935611ca7314 176889 interpreters standard perl_5.6.1-8.9.diff.gz
 2516eb570a001c6a3376042ff85e3ff9 31524 interpreters extra libcgi-fast-perl_5.6.1-8.9_all.deb
 d2ccba71035e7b24bed20b0d50e6cd3c 3885588 doc optional perl-doc_5.6.1-8.9_all.deb
 ba2dbf867e05ce0a238a6bb0655ae88f 1278636 interpreters standard perl-modules_5.6.1-8.9_all.deb
 46ad051a8314caccc5bb58c0c63f21fb 497350 base required perl-base_5.6.1-8.9_i386.deb
 d32af3c6b914565feef67bbc88d26fac 2119332 interpreters optional perl-debug_5.6.1-8.9_i386.deb
 2d35d5c7bf825e4ee402a2ee2d1e9961 28422 interpreters optional perl-suid_5.6.1-8.9_i386.deb
 e896258f9bab36868a62f2d4abf38f3b 347980 libs required libperl5.6_5.6.1-8.9_i386.deb
 325554fce57546f366bd8eb8eae13d0d 424620 devel optional libperl-dev_5.6.1-8.9_i386.deb
 7eb6c4b69d60aa1aa203c8e121001b08 1150462 interpreters standard perl_5.6.1-8.9_i386.deb


Changed in perl:
status: Unknown → Fix Released
Changed in perl:
status: Fix Released → New
Changed in perl:
status: New → Fix Released