Reported by: Paul Szabo <psz@maths.usyd.edu.au>
Date: Wed, 30 Jul 2003 00:03:03 UTC
Severity: critical
Tags: security
Found in version 5.6.1-8.2
Fixed in versions perl/5.8.0-20, perl/5.8.0-21
Done: Brendan O'Dea <bod@debian.org>
Bug is archived. No further changes may be made.
Bug#203426; Package perl-suid.
Message #5, from Paul Szabo <psz@maths.usyd.edu.au>, received at submit@bugs.debian.org; report forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Package: perl-suid
Version: 5.6.1-8.2
Severity: critical
Tags: security
Justification: root security hole

suidperl can be used for path disclosure (to verify if a file exists when
the user has no access to the directories above). The error messages that
suidperl gives are too revealing: in the examples below I expected a
uniform 'permission denied' or similar.

This problem was reported to perlbug@perl.com on 23 Mar 2001 (but no
response whatsoever).

Set things up as one user (e.g. root):

# pwd
/root/ptest
# ls -al
total 8
drwx------   2 root root 4096 Jul 30 09:36 .
drwx------  13 root root 4096 Jul 30 09:35 ..
-rwx------   1 root root    0 Jul 30 09:36 file
-rws------   1 root root    0 Jul 30 09:36 sfile

As another (normal) user, use suidperl to disclose path info:

$ id
uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),109(tutsols)
$ for n in nosuch file sfile; do
> echo ''; echo Test $n; suidperl /root/ptest/$n
> done

Test nosuch
Can't open perl script "/root/ptest/nosuch": No such file or directory

Test file
Script is not setuid/setgid in suidperl

Test sfile
Permission denied.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.19 #1 SMP Wed Nov 13 10:02:38 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-suid depends on:
ii  libc6          2.2.5-11.5     GNU C Library: Shared libraries an
ii  libperl5.6     5.6.1-8.2      Shared Perl library.
ii  perl           5.6.1-8.2      Larry Wall's Practical Extraction
Message #10, from Matt Zimmerman <mdz@debian.org>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
On Wed, Jul 30, 2003 at 09:52:06AM +1000, Paul Szabo wrote:
> Package: perl-suid
> Version: 5.6.1-8.2
> Severity: critical
> Tags: security
> Justification: root security hole
>
> suidperl can be used for path disclosure (to verify if a file exists
> when the user has no access to the directories above). The error
> messages that suidperl gives are too revealing: in the examples below I
> expected a uniform 'permission denied' or similar.

If you have a patch for this, I will roll it into the pending perl security
update.

--
 - mdz
Message #15, from Paul Szabo <psz@maths.usyd.edu.au>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Matt Zimmerman wrote on 30 Jul 2003:

> If you have a patch for this, I will roll it into the pending perl security
> update.

(Was that meant for me? I never received that message, but am seeing it at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426.)

Sorry no, I do not have a patch, never had one: see my original report at
http://rt.perl.org/rt2/Ticket/Display.html?id=6511

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
Message #20, from Paul Szabo <psz@maths.usyd.edu.au>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Seems this bug is not being worked on. I propose to publicize the issue
on BugTraq and FullDisclosure on 27 Aug (four weeks after reporting).

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
Message #25, from Matt Zimmerman <mdz@debian.org>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
On Fri, Aug 22, 2003 at 08:39:00AM +1000, Paul Szabo wrote:
> Seems this bug is not being worked on. I propose to publicize the issue
> on BugTraq and FullDisclosure on 27 Aug (four weeks after reporting).

The Debian bug tracking system is public, and I consider any information
reported there to be disclosed to the public. So I see no reason to delay
an announcement to other mailing lists.

--
 - mdz
Message #30, from Paul Szabo <psz@maths.usyd.edu.au>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Matt,

>> Seems this bug is not being worked on. I propose to publicize the issue
>> on BugTraq and FullDisclosure on 27 Aug (four weeks after reporting).
>
> The Debian bug tracking system is public, and I consider any information
> reported there to be disclosed to the public. So I see no reason to delay
> an announcement to other mailing lists.

Publicizing on those mailing lists has embarrassment value. "Bug has been
reported a month ago, but those uncaring, lazy people have done nothing."

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
Message #35, from Brendan O'Dea <bod@debian.org>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org:
On Fri, Sep 05, 2003 at 06:47:36PM +0300, Jarkko Hietaniemi wrote:
>http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2003-09/msg00346.html
>
>If you could test the suidperl thingie...

Looks good to me:

[londo:/var/tmp/perl@21050] do echo $f; ./suidperl /tmp/test/$f; done
nosuch
Permission denied
file
Permission denied
sfile
Permission denied

Thanks!

--bod
Message #40, from Matt Zimmerman <mdz@debian.org>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
The Common Vulnerabilities and Exposures project has assigned the name
"CAN-2003-0618" to this issue. Please reference that name in any changelogs
or announcements having to do with this issue.

Thank you.

--
 - mdz
Message #45, from Brendan O'Dea <bod@debian.org>, received at 203426-close@bugs.debian.org (bug marked as done; notification sent to Paul Szabo <psz@maths.usyd.edu.au>):
Source: perl
Source-Version: 5.8.0-20
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.8.0-20_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.8.0-20_all.deb
libperl-dev_5.8.0-20_i386.deb
to pool/main/p/perl/libperl-dev_5.8.0-20_i386.deb
libperl-dev_5.8.0-20_powerpc.deb
to pool/main/p/perl/libperl-dev_5.8.0-20_powerpc.deb
libperl-dev_5.8.0-20_sparc.deb
to pool/main/p/perl/libperl-dev_5.8.0-20_sparc.deb
libperl5.8_5.8.0-20_i386.deb
to pool/main/p/perl/libperl5.8_5.8.0-20_i386.deb
libperl5.8_5.8.0-20_powerpc.deb
to pool/main/p/perl/libperl5.8_5.8.0-20_powerpc.deb
libperl5.8_5.8.0-20_sparc.deb
to pool/main/p/perl/libperl5.8_5.8.0-20_sparc.deb
perl-base_5.8.0-20_i386.deb
to pool/main/p/perl/perl-base_5.8.0-20_i386.deb
perl-base_5.8.0-20_powerpc.deb
to pool/main/p/perl/perl-base_5.8.0-20_powerpc.deb
perl-base_5.8.0-20_sparc.deb
to pool/main/p/perl/perl-base_5.8.0-20_sparc.deb
perl-debug_5.8.0-20_i386.deb
to pool/main/p/perl/perl-debug_5.8.0-20_i386.deb
perl-debug_5.8.0-20_powerpc.deb
to pool/main/p/perl/perl-debug_5.8.0-20_powerpc.deb
perl-debug_5.8.0-20_sparc.deb
to pool/main/p/perl/perl-debug_5.8.0-20_sparc.deb
perl-doc_5.8.0-20_all.deb
to pool/main/p/perl/perl-doc_5.8.0-20_all.deb
perl-modules_5.8.0-20_all.deb
to pool/main/p/perl/perl-modules_5.8.0-20_all.deb
perl-suid_5.8.0-20_i386.deb
to pool/main/p/perl/perl-suid_5.8.0-20_i386.deb
perl-suid_5.8.0-20_powerpc.deb
to pool/main/p/perl/perl-suid_5.8.0-20_powerpc.deb
perl-suid_5.8.0-20_sparc.deb
to pool/main/p/perl/perl-suid_5.8.0-20_sparc.deb
perl_5.8.0-20.diff.gz
to pool/main/p/perl/perl_5.8.0-20.diff.gz
perl_5.8.0-20.dsc
to pool/main/p/perl/perl_5.8.0-20.dsc
perl_5.8.0-20_i386.deb
to pool/main/p/perl/perl_5.8.0-20_i386.deb
perl_5.8.0-20_powerpc.deb
to pool/main/p/perl/perl_5.8.0-20_powerpc.deb
perl_5.8.0-20_sparc.deb
to pool/main/p/perl/perl_5.8.0-20_sparc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 203426@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brendan O'Dea <bod@debian.org> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 10 Sep 2003 17:25:10 +1000
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc
Version: 5.8.0-20
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Brendan O'Dea <bod@debian.org>
Description:
libperl-dev - Perl library: development files.
libperl5.8 - Shared Perl library.
perl - Larry Wall's Practical Extraction and Report Language.
perl-base - The Pathologically Eclectic Rubbish Lister.
perl-debug - Debug-enabled Perl interpreter.
perl-suid - Runs setuid Perl scripts.
Closes: 182089 187372 203426 204859 207332 210096
Changes:
perl (5.8.0-20) unstable; urgency=high
.
* Security: path disclosure via suidperl [CAN-2003-0618] fixed by
application of upstream change 21045 (thanks Jarkko; closes:
#203426).
.
* Add dependency on the exact version of perl-base to libperl5.8 to
ensure that the correct base modules are available to programs
embedding an interpreter (closes: 182089).
.
Move shared library to the perl-base package on architectures
where /usr/bin/perl is dynamically linked to the library
(everything other than i386) to avoid a dependency loop.
.
* Change sections to match overrides (new perl and libdevel sections).
* Apply upstream change 18471 to correct behaviour of tell on files
opened O_APPEND (reported by Sergio Rua).
.
* Apply upstream change 21031 to alter the distribution conditions
of perlreftut(1) (see #202723). Include this manual page in
perl-doc once again. Many thanks to Kevin Carlson of TPJ and to
Mark Jason Dominus for their cooperation and assistance with this
licence change.
.
* Apply patch from Matt Kraai making braced-group macro expressions
conditional on !__cplusplus (fixes abiword build on m68k; closes:
#204859).
.
* Ensure all dependencies of libperl are directly linked (previously
-lm and -lpthread were not) for prelink (closes: #187372).
.
* Fix permissions on DEBIAN directories in build (closes: #207332).
* Expand perl-modules description (closes: #210096).
* Add some documentation to README.Debian about the source package.
* Backport some changes from DB_File 1.806 to set some tie argument
defaults (reported by Sergio Rua).
.
* Apply upstream fix for h2ph from Kurt Starsinic to suppress
redefinition warnings.
Files:
0161611cedfd4ca12184222354742e64 4328644 perl optional perl-debug_5.8.0-20_powerpc.deb
0395e7fd2864879519df39cc5dfe078c 767820 base required perl-base_5.8.0-20_i386.deb
0c832b17bf44fd971f5e0346b3ee358b 34552 perl extra libcgi-fast-perl_5.8.0-20_all.deb
26c3f9ee8abf6ad94a48a1899bbe26c7 83262 perl standard perl_5.8.0-20.diff.gz
331192d4a81bfef31e07072dc3a0e36d 735084 base required perl-base_5.8.0-20_sparc.deb
3b702ba7a079fff8b594eac82e62feb3 1002 libs optional libperl5.8_5.8.0-20_powerpc.deb
48aae08415799888e16038120b6cbb4e 3968304 perl optional perl-debug_5.8.0-20_sparc.deb
53be27e468bf8ece1610c4500675d1fc 35570 perl optional perl-suid_5.8.0-20_powerpc.deb
5cebab93c0135b37ae3929813fc28061 3886062 perl standard perl_5.8.0-20_i386.deb
71973af1bf67c6171cf68daf82c8d82b 554756 libdevel optional libperl-dev_5.8.0-20_sparc.deb
758cc3407129cb6856ed57f8b0591b25 29224 perl optional perl-suid_5.8.0-20_sparc.deb
7e32c9d7af105409470e29b71511fe60 3823496 perl optional perl-debug_5.8.0-20_i386.deb
8b1e432ba0f1971be5d85d1036709710 1947432 perl standard perl-modules_5.8.0-20_all.deb
a59ce57f997b51a9f4e83fb3d39abd91 4336174 perl standard perl_5.8.0-20_powerpc.deb
b7a756e2a714410b8804eb9ddd762778 594102 libdevel optional libperl-dev_5.8.0-20_i386.deb
c25e5558181dbbccd1936e488e85c45b 4256464 perl standard perl_5.8.0-20_sparc.deb
c6cdadf5b25530c55f23bb4ee3813ad9 521856 libs optional libperl5.8_5.8.0-20_i386.deb
cafa6d13f10c290b1a88be4429d65f71 867136 base required perl-base_5.8.0-20_powerpc.deb
cd4dfaf0b736660c0835a1d2ebcad9fa 5602744 doc optional perl-doc_5.8.0-20_all.deb
d0e01fbefdf18d0a1311e241a048ccef 1000 libs optional libperl5.8_5.8.0-20_sparc.deb
eb8f46191f940f2b6f7cc148577d51a0 740836 libdevel optional libperl-dev_5.8.0-20_powerpc.deb
38538540fd304a6fb2cde88a49dce335 711 perl standard perl_5.8.0-20.dsc
f44b2c88633c5576628c510068efeb7c 31338 perl optional perl-suid_5.8.0-20_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/Xxdf8NyOALKMWZURAlnMAJ4i7aKzSs1eFJO7vzCBlO8+Hfn9+gCcCdPn
oM+ULR8qusy0c3jxYZT+Uts=
=hSXD
-----END PGP SIGNATURE-----
Message #50, from Paul Szabo <psz@maths.usyd.edu.au>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
You wrote:

> We believe that the bug you reported is fixed in [5.8.0-20] ...

Have you tested your fix? I tried, but "dpkg -i" on your .deb said
  Depends: libc6 (>= 2.3.2-1) but 2.2.5-11.5 is to be installed
and I am far too lazy... so looked in perl_5.8.0-20.diff.gz instead.

Re-doing my original test but showing errno, I get (with version 5.6.1):

> $ for n in nosuch file sfile; do
> > echo ''; echo Test $n; suidperl /root/ptest/$n; echo $?
> > done
>
> Test nosuch
> Can't open perl script "/root/ptest/nosuch": No such file or directory
> 2
>
> Test file
> Script is not setuid/setgid in suidperl
> 2
>
> Test sfile
> Permission denied.
> 13

Looking in perl.c from perl_5.8.0.orig, the problem messages come from
lines 2920 and 3236:

  2915 # ifdef IAMSUID
  2916 errno = EPERM;
  2917 Perl_croak(aTHX_ "Can't open perl script: %s\n",
  2918 Strerror(errno));
  2919 # else
  2920 Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
  2921 CopFILE(PL_curcop), Strerror(errno));
  2922 # endif
  ...
  3235 else
  3236 Perl_croak(aTHX_ "Script is not setuid/setgid in suidperl\n");

Your changes uselessly "attacked" line 2917, and missed a period and
setting errno. With your perl_5.8.0-20 changes, the above test would
surely output something like:

> Test nosuch
> Can't open perl script "/root/ptest/nosuch": No such file or directory
> 2
>
> Test file
> Permission denied
> 2
>
> Test sfile
> Permission denied.
> 13

Please show me that I am wrong. Or fix it...

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
Message #55, from Brendan O'Dea <bod@debian.org>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org:
reopen 203426
thanks
On Thu, Sep 11, 2003 at 01:52:02PM +1000, Paul Szabo wrote:
>You wrote:
>
>> We believe that the bug you reported is fixed in [5.8.0-20] ...
>
>Have you tested your fix? I tried, but "dpkg -i" on your .deb said
> Depends: libc6 (>= 2.3.2-1) but 2.2.5-11.5 is to be installed
>and I am far too lazy... so looked in perl_5.8.0-20.diff.gz instead.
Yes, I tested it. Take a look at the bug report at
http://bugs.debian.org/203426 and note message id
<20030905232047.GA9820@londo.c47.org> I verified the upstream patch
provided with your original test.
>Re-doing my original test but showing errno, I get (with version 5.6.1):
>
>> $ for n in nosuch file sfile; do
>> > echo ''; echo Test $n; suidperl /root/ptest/$n; echo $?
>> > done
>>
>> Test nosuch
>> Can't open perl script "/root/ptest/nosuch": No such file or directory
>> 2
>>
>> Test file
>> Script is not setuid/setgid in suidperl
>> 2
>>
>> Test sfile
>> Permission denied.
>> 13
>
>Looking in perl.c from perl_5.8.0.orig, the problem messages come from
>lines 2920 and 3236:
>
> 2915 # ifdef IAMSUID
> 2916 errno = EPERM;
> 2917 Perl_croak(aTHX_ "Can't open perl script: %s\n",
> 2918 Strerror(errno));
> 2919 # else
> 2920 Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
> 2921 CopFILE(PL_curcop), Strerror(errno));
> 2922 # endif
> ...
> 3235 else
> 3236 Perl_croak(aTHX_ "Script is not setuid/setgid in suidperl\n");
>
>Your changes uselessly "attacked" line 2917, and missed a period and
>setting errno. [...]
Uselessly? Attacked?
Jarkko's change modifies line 2917 which you've quoted above from the
original 5.8.0 sources to read:
Perl_croak(aTHX_ "Permission denied\n");
which corrects your "nosuch" case.
>[...] With your perl_5.8.0-20 changes, the above test would
>surely output something like:
>
>> Test nosuch
>> Can't open perl script "/root/ptest/nosuch": No such file or directory
>> 2
>>
>> Test file
>> Permission denied
>> 2
>>
>> Test sfile
>> Permission denied.
>> 13
The actual output is:
Test nosuch
Permission denied
1
Test file
Permission denied
25
Test sfile
Permission denied.
13
Didn't think to check the return value I'm afraid, I just re-ran your
original test case.
It appears that I did miss that trailing period when I re-tested the
patch on 5.8.0.
>Please show me that I am wrong. Or fix it...
Of course I'll fix it, especially since you've so politely phrased your
request in the imperative.
--bod
Bug reopened, originator not changed. Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.
Message #62, from Paul Szabo <psz@maths.usyd.edu.au>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Dear bod,

I already realized a little while ago that I blabbered off too soon. I did
not expect any changes to suidperl error messages between 5.6.1 and 5.8.0
(you were happy with my original report). I did not expect any info on the
Debian bug site (assumed common courtesy, or default action, was to send to
reporter). Mea maxima culpa. Humble apologies.

> Of course I'll fix it ...

Thanks.

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
Message #67, from Brendan O'Dea <bod@debian.org>, received at 203426-close@bugs.debian.org (bug marked as done; notification sent to Paul Szabo <psz@maths.usyd.edu.au>):
Source: perl
Source-Version: 5.8.0-21
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.8.0-21_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.8.0-21_all.deb
libperl-dev_5.8.0-21_i386.deb
to pool/main/p/perl/libperl-dev_5.8.0-21_i386.deb
libperl-dev_5.8.0-21_powerpc.deb
to pool/main/p/perl/libperl-dev_5.8.0-21_powerpc.deb
libperl-dev_5.8.0-21_sparc.deb
to pool/main/p/perl/libperl-dev_5.8.0-21_sparc.deb
libperl5.8_5.8.0-21_i386.deb
to pool/main/p/perl/libperl5.8_5.8.0-21_i386.deb
libperl5.8_5.8.0-21_powerpc.deb
to pool/main/p/perl/libperl5.8_5.8.0-21_powerpc.deb
libperl5.8_5.8.0-21_sparc.deb
to pool/main/p/perl/libperl5.8_5.8.0-21_sparc.deb
perl-base_5.8.0-21_i386.deb
to pool/main/p/perl/perl-base_5.8.0-21_i386.deb
perl-base_5.8.0-21_powerpc.deb
to pool/main/p/perl/perl-base_5.8.0-21_powerpc.deb
perl-base_5.8.0-21_sparc.deb
to pool/main/p/perl/perl-base_5.8.0-21_sparc.deb
perl-debug_5.8.0-21_i386.deb
to pool/main/p/perl/perl-debug_5.8.0-21_i386.deb
perl-debug_5.8.0-21_powerpc.deb
to pool/main/p/perl/perl-debug_5.8.0-21_powerpc.deb
perl-debug_5.8.0-21_sparc.deb
to pool/main/p/perl/perl-debug_5.8.0-21_sparc.deb
perl-doc_5.8.0-21_all.deb
to pool/main/p/perl/perl-doc_5.8.0-21_all.deb
perl-modules_5.8.0-21_all.deb
to pool/main/p/perl/perl-modules_5.8.0-21_all.deb
perl-suid_5.8.0-21_i386.deb
to pool/main/p/perl/perl-suid_5.8.0-21_i386.deb
perl-suid_5.8.0-21_powerpc.deb
to pool/main/p/perl/perl-suid_5.8.0-21_powerpc.deb
perl-suid_5.8.0-21_sparc.deb
to pool/main/p/perl/perl-suid_5.8.0-21_sparc.deb
perl_5.8.0-21.diff.gz
to pool/main/p/perl/perl_5.8.0-21.diff.gz
perl_5.8.0-21.dsc
to pool/main/p/perl/perl_5.8.0-21.dsc
perl_5.8.0-21_i386.deb
to pool/main/p/perl/perl_5.8.0-21_i386.deb
perl_5.8.0-21_powerpc.deb
to pool/main/p/perl/perl_5.8.0-21_powerpc.deb
perl_5.8.0-21_sparc.deb
to pool/main/p/perl/perl_5.8.0-21_sparc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 203426@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brendan O'Dea <bod@debian.org> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 11 Sep 2003 17:58:19 +1000
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc
Version: 5.8.0-21
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Brendan O'Dea <bod@debian.org>
Description:
libperl-dev - Perl library: development files.
libperl5.8 - Shared Perl library.
perl - Larry Wall's Practical Extraction and Report Language.
perl-base - The Pathologically Eclectic Rubbish Lister.
perl-debug - Debug-enabled Perl interpreter.
perl-suid - Runs setuid Perl scripts.
Closes: 203426
Changes:
perl (5.8.0-21) unstable; urgency=high
.
* Security: further changes for suidperl path disclosure [CAN-2003-0618]
to correct exit values and remove the extraneous period (closes: #203426).
Files:
00e358ebcfa81175f8b4ea7ab2c0b0ef 867244 base required perl-base_5.8.0-21_powerpc.deb
022a3fff13ce80c7203d1c87a49678e1 3824330 perl optional perl-debug_5.8.0-21_i386.deb
08692e414afab2d63063e4a00588b7c1 3968346 perl optional perl-debug_5.8.0-21_sparc.deb
1c7b0bdbfc2dc3c813c96c517888555b 554758 libdevel optional libperl-dev_5.8.0-21_sparc.deb
22fe2ca2d9e7a32752c8ad5da310556b 735182 base required perl-base_5.8.0-21_sparc.deb
263ce77f8fe31eac7ee363eec53ed2fe 4256504 perl standard perl_5.8.0-21_sparc.deb
3254e1b9cb4b7d2619db3a6279c61ffb 35586 perl optional perl-suid_5.8.0-21_powerpc.deb
3351ba4c3eb2a5a1426eba32c698d7ac 3890820 perl standard perl_5.8.0-21_i386.deb
375af38159ce599aafb24fcaf0518785 604902 libdevel optional libperl-dev_5.8.0-21_i386.deb
3cc738aa85ccb12825ccbc2fe6aac076 1002 libs optional libperl5.8_5.8.0-21_powerpc.deb
4e8f4af0383d7da25d30e38ea69460ee 711 perl standard perl_5.8.0-21.dsc
55c8b4ba69624e974a514efed6651906 527688 libs optional libperl5.8_5.8.0-21_i386.deb
56e00fb697f21176d01ccb0e32d4bb93 29210 perl optional perl-suid_5.8.0-21_sparc.deb
6a1a7e25b6078dca5b7b763493ed4d9f 1947472 perl standard perl-modules_5.8.0-21_all.deb
70516a7389f3932c5c98a9fef74d6d13 5602826 doc optional perl-doc_5.8.0-21_all.deb
b983bd1009464883ba3581ae63b770e0 34582 perl extra libcgi-fast-perl_5.8.0-21_all.deb
c42d888b29db964b0fcbcbd884dbf0d3 4336142 perl standard perl_5.8.0-21_powerpc.deb
db1995b9b433c3470843341e1514cef8 4327744 perl optional perl-debug_5.8.0-21_powerpc.deb
defbd9cdb4510ee2b1dea049cfd9a1e1 776330 base required perl-base_5.8.0-21_i386.deb
e436b77d9cf20f7238be52d0bfdc355a 740824 libdevel optional libperl-dev_5.8.0-21_powerpc.deb
f8f76cc3bbb9896ff5647c78202cba0f 1002 libs optional libperl5.8_5.8.0-21_sparc.deb
f9fcbb3d8df97839c56dc9d39baf1f00 84860 perl standard perl_5.8.0-21.diff.gz
fe7333b0d9531e5cabb506aa1a6ae455 32050 perl optional perl-suid_5.8.0-21_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/YGwA8NyOALKMWZURAh1nAJ9y0kzYrGoXS1ppogy2hDIinhxsrACgmKYY
MPtnqw267LayPLS2iDYwzt8=
=cxQ4
-----END PGP SIGNATURE-----
Message #72, from Paul Szabo <psz@maths.usyd.edu.au>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Dear bod,

> We believe that the bug you reported is fixed in [5.8.0-21] ...

(Not on http://www.debian.org/debian/pool/main/p/perl/ yet, so could not
check changes.)

I expect that now you changed all those meaningful error messages to fake
"Permission denied" with matching errno returns (and that looks a tad silly
when you actually have rights to the file).

Trouble is that suidperl does things the wrong way: it does things (as
root), then as an afterthought checks permissions. This approach, as we all
know, does not work. (We keep telling Microsoft but they do not listen.)

As I do not have ready access to a 5.8.0 installation, could you please
test something for me? On 5.6.1 I get:

$ /usr/bin/time -v suidperl /root/ptest/nosuch 2>&1 | grep Major
        Major (requiring I/O) page faults: 192
$ /usr/bin/time -v suidperl /root/ptest/file 2>&1 | grep Major
        Major (requiring I/O) page faults: 190

Are there such differences (still) also in 5.8.0-21?

Thanks,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
Message #77, from Brendan O'Dea <bod@debian.org>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org:
On Fri, Sep 12, 2003 at 06:52:06AM +1000, Paul Szabo wrote:
>> We believe that the bug you reported is fixed in [5.8.0-21] ...
>
>(Not on http://www.debian.org/debian/pool/main/p/perl/ yet, so could not
>check changes.)
It's there now. Bugs closed in the changelog are processed by a process
which periodically clears the incoming directory into accepted (a change
made to support crypto in main). A side-effect is that bugs can be
closed up to a day before the installer runs :|
>I expect that now you changed all those meaningful error messages to fake
>"Permission denied" with matching errno returns (and that looks a tad silly
>when you actually have rights to the file).
>
>Trouble is that suidperl does things the wrong way: it does things (as
>root), then as an afterthought checks permissions. This approach, as we all
>know, does not work. (We keep telling Microsoft but they do not listen.)
Well, part of the reason that the tests are done in that order is that
it is not possible on all architectures to switch back to the saved uid
once you've given it up.
The real trouble with suidperl is that it's overly complex and rather
than being stand-alone is interleaved through the normal non-suid source
which makes it harder to audit. It has been deprecated upstream and
will likely be removed in 5.10.
>As I do not have ready access to a 5.8.0 installation, could you please
>test something for me? On 5.6.1 I get:
>
>$ /usr/bin/time -v suidperl /root/ptest/nosuch 2>&1 | grep Major
> Major (requiring I/O) page faults: 192
>$ /usr/bin/time -v suidperl /root/ptest/file 2>&1 | grep Major
> Major (requiring I/O) page faults: 190
>
>Are there such differences (still) also in 5.8.0-21?
It appears not:
$ for file in nosuch file sfile
> do
> echo "[$file]"
> suidperl /tmp/test/$file
> echo $?
> /usr/bin/time -v suidperl /tmp/test/$file 2>&1 | grep Major
> done
[nosuch]
Permission denied
1
Major (requiring I/O) page faults: 165
[file]
Permission denied
1
Major (requiring I/O) page faults: 165
[sfile]
Permission denied
1
Major (requiring I/O) page faults: 165
There is however a minor difference between "nosuch" and "file"/"sfile"
in the Minor page faults:
[nosuch]
Minor (reclaiming a frame) page faults: 56
[file]
Minor (reclaiming a frame) page faults: 57
[sfile]
Minor (reclaiming a frame) page faults: 57
Although I've no idea how to change that, nor even if the results would
be consistent across different architectures (tests above on sparc).
At this point I'm tempted to "fix" this problem by withdrawing the
package. Or at least changing the package description to warn of the
possibility of path disclosure.
--bod
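The two designs argued about above (the original report's three distinguishable outcomes, and the "open first as root, check afterwards" ordering discussed in messages #72 and #77), as an added example that is not code from perl.c, from upstream change 21045, or from the Debian package. It goes further than the shipped fix, which only made the message text and exit status uniform: the "after" variant looks the path up with the invoker's own credentials, regains privilege, and only then inspects the descriptor it already holds. Everything here is constructed: the function names, the fixture directory under /tmp that mirrors the report's /root/ptest, and the assumption that the saved set-user-ID can be regained with seteuid(), which holds on Linux and which the thread notes is not available on every platform.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DENIED_MSG    "Permission denied"   /* the one message every failure gets */
#define DENIED_STATUS 1                     /* and the one exit status */
char g_dir[64], g_msg[256];  /* constructed fixture dir (fixture_setup) and last message */
int  g_suid_ok;              /* did the filesystem keep the setuid bit on sfile? */

/* BEFORE: shape of the 5.8.0 code quoted in the thread (reconstructed, not copied).
 * open() runs with euid 0, and each failure gets its own wording: the oracle. */
int open_script_leaky(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) {                                  /* ENOENT vs EACCES leaks */
        snprintf(g_msg, sizeof g_msg, "Can't open perl script \"%s\": %s",
                 path, strerror(errno));
        return -1;
    }
    if (fstat(fd, &st) != 0 || !(st.st_mode & (S_ISUID | S_ISGID))) {
        close(fd);                                 /* "exists, not suid" leaks */
        snprintf(g_msg, sizeof g_msg, "Script is not setuid/setgid in suidperl");
        return -1;
    }
    g_msg[0] = '\0';
    return fd;
}
/* AFTER: look the path up with the invoker's own credentials, regain
 * privilege, then check the descriptor that is already open. */
int open_script_uniform(const char *path)
{
    uid_t priv_uid = geteuid();
    gid_t priv_gid = getegid();
    struct stat st;
    int fd = -1, ok;
    snprintf(g_msg, sizeof g_msg, "%s", DENIED_MSG);
    /* Drop gid before uid (an unprivileged euid could not setegid), open with
     * the invoker's own rights, then regain privilege via the saved set-user-ID
     * (Linux; the thread notes this is not possible everywhere): uid before gid. */
    if (setegid(getgid()) == 0 && seteuid(getuid()) == 0)
        fd = open(path, O_RDONLY);
    ok = seteuid(priv_uid) == 0 && setegid(priv_gid) == 0 && fd >= 0
         && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)   /* fd, not path: no race */
         && (st.st_mode & (S_ISUID | S_ISGID)) != 0;
    if (!ok) {                 /* ENOENT, EACCES, "not suid": all look alike */
        if (fd >= 0) close(fd);
        return -1;
    }
    g_msg[0] = '\0';
    return fd;
}
/* Constructed fixture mirroring the report's /root/ptest: `file` plain, `sfile`
 * with the setuid bit (an unprivileged owner may set it on its own file). */
static int make_file(const char *name, mode_t mode, struct stat *st)
{
    char path[128];
    snprintf(path, sizeof path, "%s/%s", g_dir, name);
    int fd = open(path, O_WRONLY | O_CREAT, 0700);
    if (fd < 0 || fchmod(fd, mode) != 0 || fstat(fd, st) != 0) return -1;
    return close(fd);
}
int fixture_setup(void)   /* 0 on success, -1 on error */
{
    struct stat st;
    snprintf(g_dir, sizeof g_dir, "/tmp/ptest-XXXXXX");
    if (mkdtemp(g_dir) == NULL || make_file("file", 0700, &st) != 0
        || make_file("sfile", 0700 | S_ISUID, &st) != 0)
        return -1;
    g_suid_ok = (st.st_mode & S_ISUID) != 0;
    return 0;
}
/* Exit status the wrapper would give for `name` under the chosen opener. */
int probe(const char *name, int (*opener)(const char *))
{
    char path[128];
    snprintf(path, sizeof path, "%s/%s", g_dir, name);
    int fd = opener(path);
    if (fd < 0) return DENIED_STATUS;
    close(fd);
    return 0;
}
int main(void)
{
    const char *names[] = { "nosuch", "file", "sfile" };
    if (fixture_setup() != 0) return 2;
    for (int i = 0; i < 3; i++) {
        int rc = probe(names[i], open_script_leaky);
        printf("%-6s leaky:   exit %d  %s\n", names[i], rc, g_msg);
        rc = probe(names[i], open_script_uniform);
        printf("%-6s uniform: exit %d  %s\n", names[i], rc, g_msg);
    }
    return 0;
}
```

Built as an ordinary (non-setuid) binary the seteuid() calls are no-ops, so what this shows is only the message and exit-status uniformity; to exercise the directory-traversal half it would have to be installed setuid root and pointed at a 0700 root-owned directory like the one in the report. Note also what uniform messages do not fix: the page-fault and minor-fault differences measured later in this thread are a separate channel, and no amount of wording changes closes it.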
Message #82, from Paul Szabo <psz@maths.usyd.edu.au>, received at 203426@bugs.debian.org; forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Dear bod,

>> ... wrong way ... as an afterthought checks permissions.
>
> Well, part of the reason that the tests are done in that order is that
> it is not possible on all architectures to switch back to the saved uid
> once you've given it up.

Why cannot you do the not-switching-back code earlier? Use subprocesses?

> The real trouble with suidperl is that it's overly complex ...

Time for a re-write?

> It has been deprecated upstream and will likely be removed in 5.10.

I hope it will not be removed: I use it in a couple of places.

>> ... could you please test something for me? On 5.6.1 I get ...
>
> [similar results on 5.8 on sparc]
>
> At this point I'm tempted to "fix" this problem by withdrawing the
> package. Or at least changing the package description to warn of the
> possibility of path disclosure.

Please do not withdraw suidperl: I use it. I wish you would fix it; if that
is not possible then warn.

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Message #87 received at 203426@bugs.debian.org:
On Fri, Sep 12, 2003 at 03:02:22PM +1000, Paul Szabo wrote:
>> The real trouble with suidperl is that it's overly complex ...
>
>Time for a re-write?
It's not really something which can be fixed by a re-write, since the
process in addition to the code is complex: perl runs, notes that bits
are set but euid doesn't match, re-executes suidperl which then performs
a bunch of checks...
Note perldelta(1) for 5.8.0:
* After years of trying, suidperl is considered to be too complex to
ever be considered truly secure. The suidperl functionality is
likely to be removed in a future release.
>> It has been deprecated upstream and will likely be removed in 5.10.
>
>I hope it will not be removed: I use it in a couple of places.
I appreciate that people do, and wouldn't remove it without providing an
alternative. I posted a preliminary implementation of a program here:
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2003-09/msg00750.html
which creates a C wrapper for a perl script. There are also other
options, google for wrapsuid.pl for example.
>>> ... could you please test something for me? On 5.6.1 I get ...
>>
>> [similar results on 5.8 on sparc]
>>
>> At this point I'm tempted to "fix" this problem by withdrawing the
>> package. Or at least changing the package description to warn of the
>> possibility of path disclosure.
>
>Please do not withdraw suidperl: I use it. I wish you would fix it; if that
>is not possible then warn.
I will add a warning to the package description for the next upload.
--bod
Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Message #92 received at 203426@bugs.debian.org:
Dear bod,
Quoting from a much earlier message:
>> Trouble is that suidperl does things the wrong way: it does things (as
>> root), then as an afterthought checks permissions. This approach, as we all
>> know, does not work. ...
Thought of other ways of abusing suidperl's "shoot first, ask questions
later" approach. Just the act of opening a file may do bad things:
Special files can do anything:
Reposition backup tapes with suidperl /dev/st0
(Cannot think of any others, but there must be more in /dev or /proc;
pipe waiting for a reader?)
Regular files update access times:
Interfere with backup regimes and /tmp cleaning
Interfere with whodunnit forensics
Autofs directories could be mounted or kept from expiring (though mostly
are world-accessible anyway)
Hold files open, interfere with updates
>>> [suidperl] has been deprecated upstream and will likely be removed ...
>>I hope it will not be removed: I use it in a couple of places.
> I appreciate that people do, and wouldn't remove it without providing an
> alternative. I posted a preliminary implementation of a program here:
> http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2003-09/msg00750.html
> which creates a C wrapper for a perl script. There are also other
> options, google for wrapsuid.pl for example.
Wrappers are an ugly option. Do not throw suidperl away just because it
seems hard to fix.
>>> The real trouble with suidperl is that it's overly complex ...
>>Time for a re-write?
>
> It's not really something which can be fixed by a re-write ...
I humbly submit the following patch (against Debian version 5.8.0-21). I
expect this to work on architectures that can do uid/euid swaps; it just
quits on others, see comments.
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
--- perl.c-5.8.0-21 Mon Sep 15 14:22:00 2003
+++ perl.c Tue Sep 16 11:26:42 2003
@@ -2875,7 +2875,78 @@
PL_rsfp = PerlIO_stdin();
}
else {
+/* PSz 16 Sep 03 Do not open file while setuid */
+/*
+ * Do any "double check"s BEFORE opening.
+ * Code stolen from S_validate_suid
+ */
+#ifdef IAMSUID
+#ifndef HAS_SETREUID
+ /* Original comments said:
+ * ... there is a small window ... don't know what to do about that.
+ * But I don't think it's too important. The manual lies when
+ * it says access() is useful in setuid programs.
+ *
+ * It really is important. We could be fooled with a symlink race.
+ * To fix properly:
+ * Easy way out: quit now, do not do.
+ * Hard way: Give up privileges, open file, re-exec ourselves with
+ * file descriptor open. Code for this is already here somewhere...
+ */
+ if (PerlLIO_access(CopFILE(PL_curcop),1)) {
+ errno = EPERM;
+ Perl_croak(aTHX_ "Permission denied\n");
+ }
+ Perl_croak(aTHX_ "Easy way out: no suidperl on this architecture\n");
+#else
+ /* Swap euid and uid before open */
+ /*
+ * This nesting of ifdefs, as taken from S_validate_suid, is broken:
+ * ifndef HAS_SETREUID
+ * ...
+ * else
+ * ifdef HAS_SETREUID
+ * setreuid(PL_euid,PL_uid) < 0
+ * else
+ * if HAS_SETRESUID
+ * setresuid(PL_euid,PL_uid,(Uid_t)-1) < 0
+ * endif
+ * endif
+ * endif
+ * Doubly broken because perl.h makes sure we have HAS_SETREUID
+ * with HAS_SETRESUID. Leaving it thus, in case I missed something.
+ */
+ if (
+#ifdef HAS_SETREUID
+ setreuid(PL_euid,PL_uid) < 0
+#else
+# if HAS_SETRESUID
+ setresuid(PL_euid,PL_uid,(Uid_t)-1) < 0
+# endif
+#endif
+ || PerlProc_getuid() != PL_euid || PerlProc_geteuid() != PL_uid)
+ Perl_croak(aTHX_ "Can't swap uid and euid"); /* really paranoid */
PL_rsfp = PerlIO_open(scriptname,PERL_SCRIPT_MODE);
+#if !defined(NO_NOSUID_CHECK)
+ if (PL_rsfp && fd_on_nosuid_fs(PerlIO_fileno(PL_rsfp))) {
+ Perl_croak(aTHX_ "Filesystem mounted nosuid\n");
+ }
+#endif
+ if (
+#ifdef HAS_SETREUID
+ setreuid(PL_uid,PL_euid) < 0
+#else
+# if defined(HAS_SETRESUID)
+ setresuid(PL_uid,PL_euid,(Uid_t)-1) < 0
+# endif
+#endif
+ || PerlProc_getuid() != PL_uid || PerlProc_geteuid() != PL_euid)
+ Perl_croak(aTHX_ "Can't reswap uid and euid");
+#endif /* HAS_SETREUID */
+#else
+ PL_rsfp = PerlIO_open(scriptname,PERL_SCRIPT_MODE);
+#endif /* IAMSUID */
+
# if defined(HAS_FCNTL) && defined(F_SETFD)
if (PL_rsfp)
/* ensure close-on-exec */
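Review bot: on architectures without HAS_SETREUID this hunk still produces two different outcomes for the caller: `Perl_croak(aTHX_ "Permission denied\n")` when `PerlLIO_access(CopFILE(PL_curcop),1)` fails and `"Easy way out: no suidperl on this architecture\n"` when it succeeds, so whether a path exists and is executable is still disclosed there, which is the very thing the patch sets out to stop; croak with the one message before calling access() at all. Two smaller points in the same hunk: `# if HAS_SETRESUID` tests the macro's value while the re-swap below uses `# if defined(HAS_SETRESUID)`, and the two should match (the `defined` form is the right one); and because the whole block sits inside the `#else` of `#ifndef HAS_SETREUID`, the inner `#ifdef HAS_SETREUID` is always true and the setresuid alternative is dead code, as the comment half-admits, so it can simply go. Finally, the `"Filesystem mounted nosuid\n"` croak runs between the swap and the re-swap, i.e. while the real uid is still the privileged one; move that check after the `Can't reswap uid and euid` test.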
@@ -2883,6 +2954,18 @@
# endif
}
if (!PL_rsfp) {
+/* PSz 16 Sep 03 Do not open unreadable scripts */
+/*
+ * Do NOT try to open as root (nor even as UID of file,
+ * but I think this code tried as root ...).
+ * We give up setuid before open or at least check access,
+ * so would fail anyway (and maybe loop forever).
+ *
+ * We are talking about un-executable scripts anyway:
+ * am not sure why or how, but the above PerlIO_open
+ * succeeds on exec-only (not readable) stuff. Weird.
+ */
+#if 0
# ifdef DOSUID
# ifndef IAMSUID /* in case script is not readable before setuid */
if (PL_euid &&
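Review bot: the comment `+ * am not sure why or how, but the above PerlIO_open` `+ * succeeds on exec-only (not readable) stuff. Weird.` records an observation the patch does not explain; before the `# ifndef IAMSUID /* in case script is not readable before setuid */` retry is disabled, it should be established what that retry did for exec-only scripts, because if it was the path by which they worked this hunk silently changes their behaviour. Also prefer deleting the block to wrapping it in `#if 0`, which leaves dead code whose `#endif` has to be matched in a later hunk.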
@@ -2898,6 +2981,11 @@
}
# endif
# endif
+#endif
+/* PSz 16 Sep 03 Keep neat error message */
+ Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
+ CopFILE(PL_curcop), Strerror(errno));
+/*
# ifdef IAMSUID
errno = EPERM;
Perl_croak(aTHX_ "Permission denied\n");
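Review bot: `Strerror(errno)` in the new croak is evaluated well after the `PerlIO_open` that failed: the re-swap `setreuid(PL_uid,PL_euid)` and the `PerlProc_getuid()`/`PerlProc_geteuid()` calls from the first hunk run in between, and nothing saves errno, so the message can report the wrong error. Capture errno immediately after the open. Separately, the old `# ifdef IAMSUID` / `Permission denied` block is being disabled with an opening `+/*` whose closing `*/` lives in the next hunk; a block comment spanning preprocessor directives only works because no `*/` happens to occur inside it, so delete the lines instead of commenting them out.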
@@ -2905,6 +2993,7 @@
Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
CopFILE(PL_curcop), Strerror(errno));
# endif
+*/
}
}
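Review bot: `+*/` here closes the comment opened in the previous hunk, turning the second `Can't open perl script` croak and its `# endif` into comment text; with the matching `# ifdef IAMSUID` also inside the comment, the preprocessor balance now depends on where a comment begins and ends. Remove the superseded lines outright so that the conditional structure stays visible to the compiler.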
@@ -3227,8 +3316,12 @@
else if (fdscript >= 0)
Perl_croak(aTHX_ "fd script not allowed in suidperl\n");
else {
+/* PSz 16 Sep 03 Keep neat error message */
+ Perl_croak(aTHX_ "Script is not setuid/setgid in suidperl\n");
+/*
errno = EPERM;
Perl_croak(aTHX_ "Permission denied\n");
+*/
}
/* We absolutely must clear out any saved ids here, so we */
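Review bot: `"Script is not setuid/setgid in suidperl\n"` is exactly the message the original report cited as revealing that a file exists under an inaccessible directory, and replacing `Permission denied` with it is only safe because the first hunk now opens the script as the real user, so this point is never reached for a file the user could not open anyway. That dependency is what justifies the change; say so in the comment instead of `Keep neat error message`, since anyone who later reorders the open will otherwise reintroduce the disclosure without noticing.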
Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Message #97 received at 203426@bugs.debian.org:
Dear bod,
I wrote yesterday:
> I humbly submit the following patch (against Debian version 5.8.0-21).
Same thing again, with slightly improved comments.
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
--- perl.c-5.8.0-21 Mon Sep 15 14:22:00 2003
+++ perl.c Wed Sep 17 06:34:55 2003
@@ -2875,7 +2875,87 @@
PL_rsfp = PerlIO_stdin();
}
else {
+/* PSz 16 Sep 03 Do not open file while setuid */
+/*
+ * Do any "double check"s BEFORE opening.
+ * Code stolen from S_validate_suid
+ *
+ * Suidperl should not open anything: perl should open, hand it to suidperl
+ * on a fd; suidperl would do some checks, set up UIDs and re-exec perl
+ * with that fd as it does now. (Current arrangements are wasteful: script
+ * is opened in perl, then opened again, in a cumbersome way, in suidperl.)
+ * But no such re-design for now: would the perl gurus accept/adopt such a
+ * radical change?
+ */
+#ifdef IAMSUID
+#ifndef HAS_SETREUID
+ /* Original comments said:
+ * ... there is a small window ... don't know what to do about that.
+ * But I don't think it's too important. The manual lies when
+ * it says access() is useful in setuid programs.
+ *
+ if (PerlLIO_access(CopFILE(PL_curcop),1)) {
+ errno = EPERM;
+ Perl_croak(aTHX_ "Permission denied\n");
+ }
+ *
+ * It really is important. We could be fooled with a symlink race.
+ * To fix properly:
+ * Easy way out: quit now, do not do.
+ * Hard way: Give up privileges, open file, re-exec ourselves with
+ * file descriptor open. Code for this is already here somewhere...
+ * Thus really, have the script opened in perl, so we get fd...
+ */
+ Perl_croak(aTHX_ "Easy way out: no suidperl on this architecture\n");
+#else
+ /* Swap euid and uid before open */
+ /*
+ * This nesting of ifdefs, as taken from S_validate_suid, is broken:
+ * ifndef HAS_SETREUID
+ * ...
+ * else
+ * ifdef HAS_SETREUID
+ * setreuid(PL_euid,PL_uid) < 0
+ * else
+ * if HAS_SETRESUID
+ * setresuid(PL_euid,PL_uid,(Uid_t)-1) < 0
+ * endif
+ * endif
+ * endif
+ * Doubly broken because perl.h makes sure we have HAS_SETREUID
+ * with HAS_SETRESUID. Leaving it thus, in case I missed something.
+ */
+ if (
+#ifdef HAS_SETREUID
+ setreuid(PL_euid,PL_uid) < 0
+#else
+# if HAS_SETRESUID
+ setresuid(PL_euid,PL_uid,(Uid_t)-1) < 0
+# endif
+#endif
+ || PerlProc_getuid() != PL_euid || PerlProc_geteuid() != PL_uid)
+ Perl_croak(aTHX_ "Can't swap uid and euid"); /* really paranoid */
PL_rsfp = PerlIO_open(scriptname,PERL_SCRIPT_MODE);
+#if !defined(NO_NOSUID_CHECK)
+ if (PL_rsfp && fd_on_nosuid_fs(PerlIO_fileno(PL_rsfp))) {
+ Perl_croak(aTHX_ "Filesystem mounted nosuid\n");
+ }
+#endif
+ if (
+#ifdef HAS_SETREUID
+ setreuid(PL_uid,PL_euid) < 0
+#else
+# if defined(HAS_SETRESUID)
+ setresuid(PL_uid,PL_euid,(Uid_t)-1) < 0
+# endif
+#endif
+ || PerlProc_getuid() != PL_uid || PerlProc_geteuid() != PL_euid)
+ Perl_croak(aTHX_ "Can't reswap uid and euid");
+#endif /* HAS_SETREUID */
+#else
+ PL_rsfp = PerlIO_open(scriptname,PERL_SCRIPT_MODE);
+#endif /* IAMSUID */
+
# if defined(HAS_FCNTL) && defined(F_SETFD)
if (PL_rsfp)
/* ensure close-on-exec */
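Review bot: moving the `PerlLIO_access(CopFILE(PL_curcop),1)` check into the comment block so that the `#ifndef HAS_SETREUID` branch always ends in `"Easy way out: no suidperl on this architecture\n"` removes the distinct-message leak on those architectures. The rest of the hunk is as in the previous submission, so the same points remain: `# if HAS_SETRESUID` still disagrees with `# if defined(HAS_SETRESUID)` in the re-swap, the inner `#ifdef HAS_SETREUID` is still unconditionally true inside the outer `#else`, and the `"Filesystem mounted nosuid\n"` croak still fires while the uids are swapped rather than after the `Can't reswap uid and euid` check. The new design note (have perl open the script and hand suidperl a descriptor) is the right direction; it belongs in the bug discussion or a separate proposal rather than in a code comment that will outlive it.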
@@ -2883,6 +2963,18 @@
# endif
}
if (!PL_rsfp) {
+/* PSz 16 Sep 03 Do not open unreadable scripts */
+/*
+ * Do NOT try to open as root (nor even as UID of file,
+ * but I think this code tried as root ...).
+ * We give up setuid before open or at least check access,
+ * so would fail anyway (and maybe loop forever).
+ *
+ * We are talking about un-executable scripts anyway:
+ * am not sure why or how, but the above PerlIO_open
+ * succeeds on exec-only (not readable) stuff. Weird.
+ */
+#if 0
# ifdef DOSUID
# ifndef IAMSUID /* in case script is not readable before setuid */
if (PL_euid &&
@@ -2898,6 +2990,11 @@
}
# endif
# endif
+#endif
+/* PSz 16 Sep 03 Keep neat error message */
+ Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
+ CopFILE(PL_curcop), Strerror(errno));
+/*
# ifdef IAMSUID
errno = EPERM;
Perl_croak(aTHX_ "Permission denied\n");
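Review bot: unchanged from the previous submission, so the same point applies: `Strerror(errno)` is read after the re-swap `setreuid(PL_uid,PL_euid)` and the `PerlProc_getuid()`/`PerlProc_geteuid()` calls that follow the failed `PerlIO_open`, with nothing saving errno in between; capture errno right after the open, and delete the old `# ifdef IAMSUID` block instead of opening a `/*` comment that is closed in the following hunk.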
@@ -2905,6 +3002,7 @@
Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
CopFILE(PL_curcop), Strerror(errno));
# endif
+*/
}
}
@@ -3227,8 +3325,12 @@
else if (fdscript >= 0)
Perl_croak(aTHX_ "fd script not allowed in suidperl\n");
else {
+/* PSz 16 Sep 03 Keep neat error message */
+ Perl_croak(aTHX_ "Script is not setuid/setgid in suidperl\n");
+/*
errno = EPERM;
Perl_croak(aTHX_ "Permission denied\n");
+*/
}
/* We absolutely must clear out any saved ids here, so we */
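Review bot: as in the previous submission, `"Script is not setuid/setgid in suidperl\n"` is the message the original report cited as revealing, and it is only safe because the open now happens as the real user earlier in this patch; record that dependency in the comment instead of `Keep neat error message`.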
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Message #102 received at 203426@bugs.debian.org:
Any thoughts on the patch that Paul submitted? I have a stable-security
update ready with the previous patch, but I'll gladly do another one if
this is better.
--
- mdz
Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Message #112 received at 203426@bugs.debian.org:
On Tue, Sep 16, 2003 at 12:11:58PM +1000, Paul Szabo wrote:
>>> Trouble is that suidperl does things the wrong way: it does things (as
>>> root), then as an afterthought checks permissions. This approach, as we all
>>> know, does not work. ...
>
>Thought of other ways of abusing suidperl's "shoot first, ask questions
>later" approach. Just the act of opening a file may do bad things:
>
>Special files can do anything:
> Reposition backup tapes with suidperl /dev/st0
> (Cannot think of any others, but there must be more in /dev or /proc;
> pipe waiting for a reader?)
[...]
Agreed, there are possibly many DoS-type exploits of this type possible.
>>>> [suidperl] has been deprecated upstream and will likely be removed ...
>>>I hope it will not be removed: I use it in a couple of places.
>> I appreciate that people do, and wouldn't remove it without providing an
>> alternative. I posted a preliminary implementation of a program here:
>> http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2003-09/msg00750.html
>> which creates a C wrapper for a perl script. There are also other
>> options, google for wrapsuid.pl for example.
>
>Wrappers are an ugly option. Do not throw suidperl away just because it
>seems hard to fix.
It's not so much that it's hard to fix, but that it has *already* been
"fixed" many times in the past.
Wrappers are an ugly option? Perhaps. Compared to having the kernel
provide "secure" setid execution (via /dev/fd) in fs/binfmt_script.c I
would tend to agree. Compared however to suidperl, wrappers such as the
one proposed above are downright *elegant*.
While it's true that you lose the transparency of simply setting bits on
the script, the benefit is in simplicity--not more than sixty lines of C
code to audit rather than lumps of #ifdef'ed code sprinkled through
somewhat more than 4000.
>>>> The real trouble with suidperl is that it's overly complex ...
>>>Time for a re-write?
>>
>> It's not really something which can be fixed by a re-write ...
>
>I humbly submit the following patch (against Debian version 5.8.0-21). I
>expect this to work on architectures that can do uid/euid swaps; it just
>quits on others, see comments.
Thanks Paul.
>+ * Suidperl should not open anything: perl should open, hand it to suidperl
>+ * on a fd; suidperl would do some checks, set up UIDs and re-exec perl
>+ * with that fd as it does now. (Current arrangements are wasteful: script
>+ * is opened in perl, then opened again, in a cumbersome way, in suidperl.)
Agreed, although note that this would break current behaviour in the
instances where people are (incorrectly) specifying #!/usr/bin/suidperl
explicitly. Arguably a good thing.
[...]
Without passing the fd this would appear to be a workable compromise.
Submitting upstream for comments.
--bod
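The helper below is an added example written for this thread; it is not code from perl.c, from Paul's patch or from either correspondent. It shows in plain C the order of operations the patch argues for and the checks that Paul's list of side effects of a privileged open (message #92) calls for: swap to the real uid before the open and verify that the swap took, open with O_NONBLOCK|O_NOCTTY|O_NOFOLLOW so that a FIFO with no writer, a tape device or a planted symlink can neither stall nor act on the open, fstat the descriptor and refuse anything that is not a regular file, optionally refuse nosuid mounts, and hand back one fixed message for every failure. The names open_script_unprivileged, swap_ids, the sample-file helpers and the /tmp paths are this example's own; the nosuid check uses fstatvfs/ST_NOSUID rather than perl's fd_on_nosuid_fs.

```c
/* Added example (not perl.c): open a script for a set-user-id interpreter
 * as the real user, then check what was actually opened. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* platform lacks it: symlinks are then followed */
#endif

/* Swap real and effective uid and verify that it happened (the patch's
 * "really paranoid" check). Returns 0 on success, -1 on failure. */
static int swap_ids(uid_t want_real, uid_t want_eff)
{
    if (setreuid(want_real, want_eff) < 0)
        return -1;
    if (getuid() != want_real || geteuid() != want_eff) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Open `path` with the caller's real identity; return a close-on-exec
 * descriptor, or -1 with *why set to a fixed message. check_nosuid=1 also
 * refuses files on nosuid mounts. Hypothetical helper, named for this example. */
int open_script_unprivileged(const char *path, int check_nosuid, const char **why)
{
    uid_t ruid = getuid(), euid = geteuid();
    struct stat st;
    struct statvfs vfs;
    int fd, flags, ok = 0;

    *why = "Permission denied";
    /* Become the real user for the open (a no-op when not running setuid). */
    if (euid != ruid && swap_ids(euid, ruid) < 0)
        return -1;
    /* O_NONBLOCK: a FIFO without a writer, or a tape drive, must neither stall
     * nor act on open. O_NOCTTY: never acquire a controlling terminal.
     * O_NOFOLLOW: a symlink planted in the path must not redirect the open. */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY | O_NOFOLLOW);
    /* Restore the privileged identity; if that fails, nothing may go on. */
    if (euid != ruid && swap_ids(ruid, euid) < 0) {
        if (fd >= 0)
            close(fd);
        *why = "Can't reswap uid and euid";
        return -1;
    }
    if (fd < 0)
        return -1; /* ENOENT and EACCES deliberately look alike to the caller */
    /* Only a regular file is a script: device nodes, FIFOs and directories are
     * refused here, after fstat says what was really opened. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
        if (!check_nosuid)
            ok = 1;
        else if (fstatvfs(fd, &vfs) == 0 && !(vfs.f_flag & ST_NOSUID))
            ok = 1;
        else
            *why = "Filesystem mounted nosuid";
    }
    /* Drop O_NONBLOCK now that the open is over, and set close-on-exec so the
     * descriptor does not leak into whatever is exec'ed next. */
    if (ok && ((flags = fcntl(fd, F_GETFL)) < 0 ||
               fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) < 0 ||
               fcntl(fd, F_SETFD, FD_CLOEXEC) < 0))
        ok = 0;
    if (!ok) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Inspection helpers for a returned descriptor. */
int fd_is_cloexec(int fd) { int f = fcntl(fd, F_GETFD); return f >= 0 && (f & FD_CLOEXEC) != 0; }
int fd_is_blocking(int fd) { int f = fcntl(fd, F_GETFL); return f >= 0 && (f & O_NONBLOCK) == 0; }

/* Constructed sample inputs: a regular script and, where the filesystem
 * allows it, a FIFO standing in for "a pipe waiting for a reader". Returns -1
 * if the script could not be written, 1 if the FIFO was created as well, 0 if
 * only the script was. */
#define SAMPLE_SCRIPT "/tmp/example_suidopen.pl"
#define SAMPLE_FIFO "/tmp/example_suidopen.fifo"
int make_sample_files(void)
{
    FILE *f = fopen(SAMPLE_SCRIPT, "w");
    if (!f)
        return -1;
    fputs("#!/usr/bin/perl\nprint \"hello\\n\";\n", f);
    fclose(f);
    unlink(SAMPLE_FIFO);
    return mkfifo(SAMPLE_FIFO, 0600) == 0 ? 1 : 0;
}
void remove_sample_files(void) { unlink(SAMPLE_SCRIPT); unlink(SAMPLE_FIFO); }
```

Because the open is performed as the real user, reporting strerror as the patch does would reveal nothing the user could not learn from a plain open of the same path; the example still collapses "no such file" and "permission denied" into one message so that the guarantee does not depend on the open order being preserved. Run unprivileged (real and effective uid equal) the swap is skipped and the function degrades to a careful open, which is what the checks below exercise.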
Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Message #117 received at 203426@bugs.debian.org:
On Wed, Sep 17, 2003 at 10:40:01PM -0400, Matt Zimmerman wrote:
>Any thoughts on the patch that Paul submitted? I have a stable-security
>update ready with the previous patch, but I'll gladly do another one if
>this is better.
It looks good to me, but I'd like to elicit some comments from upstream
before going further. With the recent release of 5.8.1 that may take a
while, so for the moment please go ahead with the update as-is.
Thanks,
--bod