[Bug 173793] New: CAN-2005-0448 perl File::Path.pm rmtree race condition

Mon Nov 21 08:54:21 UTC 2005

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173793

           Summary: CAN-2005-0448 perl File::Path.pm rmtree race condition
           Product: Fedora Core
           Version: fc4
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: normal
         Component: perl
        AssignedTo: jvdias at redhat.com
        ReportedBy: mjc at redhat.com
         QAContact: dkl at redhat.com
                CC: fedora-perl-devel-list at redhat.com,wtogami at redhat.com

+++ This bug was initially created as a clone of Bug #157695 +++

Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4
allows local users to create arbitrary setuid binaries in the tree being
deleted, a different vulnerability than CAN-2004-0452.

http://marc.theaimsgroup.com/?l=bugtraq&m=111039131424834&w=2

attachment 114350 contains the ubuntu patch (it needs some cleaning up)

-- Additional comment from wtogami at redhat.com on 2005-05-28 02:05 EST --
"Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4
allows local users to create arbitrary setuid binaries"

5.8.4 means FC3 is unaffected because we have perl-5.8.5?  Can someone confirm?

-- Additional comment from bressers at redhat.com on 2005-05-28 08:41 EST --
Warren,

I just took a look at the latest perl source, this issue has not been fixed by
upstream.  It's proving very hard to do right, which is probably why upstream
hasn't done it yet.

-- Additional comment from wtogami at redhat.com on 2005-05-31 06:40 EST --
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=114350
Attachment to fix this security bug is from Ubuntu, but we require help cleaning
it up and testing before issuing a FC3 update.  Apparently this is a difficult
problem to fix, and this is our second attempt doing so. =(

-- Additional comment from prockai at redhat.com on 2005-06-15 14:01 EST --
Created an attachment (id=115494)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=115494&action=view)
debian's 03_fix_file_path

Why not just use the debian patch? (attached)

-- Additional comment from prockai at redhat.com on 2005-06-16 04:22 EST --
Assigning to self. 

-- Additional comment from prockai at redhat.com on 2005-06-16 08:15 EST --
Patched in CVS. Testing requested - if anyone has an exploit or something like 
that, please try out. The testsuite passes exactly like before patching, but 
regression testing is welcome as well. 

-- Additional comment from prockai at redhat.com on 2005-07-28 09:07 EST --
Fixed in FC3 update perl-5.8.5-14.FC3

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.