Debian Bug report logs - #203426
perl-suid: suidperl path disclosure

Package: perl-suid; Maintainer for perl-suid is (unknown);

Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Wed, 30 Jul 2003 00:03:03 UTC

Severity: critical

Tags: security

Found in version 5.6.1-8.2

Fixed in versions perl/5.8.0-20, perl/5.8.0-21

Done: Brendan O'Dea <bod@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl-suid: suidperl path disclosure
Date: Wed, 30 Jul 2003 09:52:06 +1000
Package: perl-suid
Version: 5.6.1-8.2
Severity: critical
Tags: security
Justification: root security hole

suidperl can be used for path disclosure (to verify if a file exists
when the user has no access to the directories above). The error
messages that suidperl gives are too revealing: in the examples below I
expected a uniform 'permission denied' or similar.

This problem was reported to perlbug@perl.com on 23 Mar 2001 (but no
response whatsoever).

Set things up as one user (e.g. root):

# pwd
/root/ptest
# ls -al
total 8
drwx------    2 root     root         4096 Jul 30 09:36 .
drwx------   13 root     root         4096 Jul 30 09:35 ..
-rwx------    1 root     root            0 Jul 30 09:36 file
-rws------    1 root     root            0 Jul 30 09:36 sfile

As another (normal) user, use suidperl to disclose path info:


$ id
uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),109(tutsols)
$ for n in nosuch file sfile; do
> echo ''; echo Test $n; suidperl /root/ptest/$n
> done

Test nosuch
Can't open perl script "/root/ptest/nosuch": No such file or directory

Test file
Script is not setuid/setgid in suidperl

Test sfile
Permission denied.


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.19 #1 SMP Wed Nov 13 10:02:38 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-suid depends on:
ii  libc6                         2.2.5-11.5 GNU C Library: Shared libraries an
ii  libperl5.6                    5.6.1-8.2  Shared Perl library.
ii  perl                          5.6.1-8.2  Larry Wall's Practical Extraction 




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #10 received at 203426@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 203426@bugs.debian.org
Subject: Re: Bug#203426: perl-suid: suidperl path disclosure
Date: Tue, 29 Jul 2003 20:09:58 -0400
On Wed, Jul 30, 2003 at 09:52:06AM +1000, Paul Szabo wrote:

> Package: perl-suid
> Version: 5.6.1-8.2
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> suidperl can be used for path disclosure (to verify if a file exists
> when the user has no access to the directories above). The error
> messages that suidperl gives are too revealing: in the examples below I
> expected a uniform 'permission denied' or similar.

If you have a patch for this, I will roll it into the pending perl security
update.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #15 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 203426@bugs.debian.org
Cc: mdz@debian.org, psz@maths.usyd.edu.au
Subject: Re: Bug#203426: perl-suid: suidperl path disclosure
Date: Tue, 5 Aug 2003 13:40:22 +1000 (EST)
Matt Zimmerman wrote on 30 Jul 2003:

> If you have a patch for this, I will roll it into the pending perl security
> update.

(Was that meant for me? I never received that message, but am seeing it
at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426.)

Sorry no, I do not have a patch, never had one: see my original report at

  http://rt.perl.org/rt2/Ticket/Display.html?id=6511

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #20 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 203426@bugs.debian.org, psz@maths.usyd.edu.au
Cc: mdz@debian.org
Subject: Re: Bug#203426: perl-suid: suidperl path disclosure
Date: Fri, 22 Aug 2003 08:39:00 +1000 (EST)
Seems this bug is not being worked on. I propose to publicize the issue
on BugTraq and FullDisclosure on 27 Aug (four weeks after reporting).

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #25 received at 203426@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: 203426@bugs.debian.org
Subject: Re: Bug#203426: perl-suid: suidperl path disclosure
Date: Thu, 21 Aug 2003 19:39:54 -0400
On Fri, Aug 22, 2003 at 08:39:00AM +1000, Paul Szabo wrote:

> Seems this bug is not being worked on. I propose to publicize the issue
> on BugTraq and FullDisclosure on 27 Aug (four weeks after reporting).

The Debian bug tracking system is public, and I consider any information
reported there to be disclosed to the public.  So I see no reason to delay
an announcement to other mailing lists.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #30 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: mdz@debian.org
Cc: 203426@bugs.debian.org
Subject: Re: Bug#203426: perl-suid: suidperl path disclosure
Date: Fri, 22 Aug 2003 10:14:06 +1000 (EST)
Matt,

>> Seems this bug is not being worked on. I propose to publicize the issue
>> on BugTraq and FullDisclosure on 27 Aug (four weeks after reporting).
> 
> The Debian bug tracking system is public, and I consider any information
> reported there to be disclosed to the public.  So I see no reason to delay
> an announcement to other mailing lists.

Publicizing on those mailing lists has embarrassment value. "Bug has been
reported a month ago, but those uncaring, lazy people have done nothing."

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#203426; Package perl-suid.

Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.

Message #35 received at 203426@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Jarkko Hietaniemi <jhi@iki.fi>
Cc: 203426@bugs.debian.org
Subject: Re: any debian perl patches?
Date: Sat, 6 Sep 2003 09:20:47 +1000
On Fri, Sep 05, 2003 at 06:47:36PM +0300, Jarkko Hietaniemi wrote:
>http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2003-09/msg00346.html
>
>If you could test the suidperl thingie...

Looks good to me:

  [londo:/var/tmp/perl@21050]  do echo $f; ./suidperl /tmp/test/$f; done  
  nosuch
  Permission denied
  file
  Permission denied
  sfile
  Permission denied

Thanks!

--bod



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #40 received at 203426@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 203426@bugs.debian.org
Subject: CVE assignment
Date: Tue, 9 Sep 2003 14:12:40 -0400
The Common Vulnerabilities and Exposures project has assigned the name
"CAN-2003-0618" to this issue.  Please reference that name in any changelogs
or announcements having to do with this issue.  Thank you.

-- 
 - mdz



Reply sent to Brendan O'Dea <bod@debian.org>:
You have taken responsibility.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.

Message #45 received at 203426-close@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: 203426-close@bugs.debian.org
Subject: Bug#203426: fixed in perl 5.8.0-20
Date: Wed, 10 Sep 2003 08:33:10 -0400
Source: perl
Source-Version: 5.8.0-20

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:




A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 203426@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <bod@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 10 Sep 2003 17:25:10 +1000
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc 
Version: 5.8.0-20
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Brendan O'Dea <bod@debian.org>
Description: 
 libperl-dev - Perl library: development files.
 libperl5.8 - Shared Perl library.
 perl       - Larry Wall's Practical Extraction and Report Language.
 perl-base  - The Pathologically Eclectic Rubbish Lister.
 perl-debug - Debug-enabled Perl interpreter.
 perl-suid  - Runs setuid Perl scripts.
Closes: 182089 187372 203426 204859 207332 210096
Changes: 
 perl (5.8.0-20) unstable; urgency=high
 .
   * Security: path disclosure via suidperl [CAN-2003-0618] fixed by
     application of upstream change 21045 (thanks Jarkko; closes:
     #203426).
 .
   * Add dependency on the exact version of perl-base to libperl5.8 to
     ensure that the correct base modules are available to programs
     embedding an interpreter (closes: 182089).
 .
     Move shared library to the perl-base package on architectures
     where /usr/bin/perl is dynamically linked to the library
     (everything other than i386) to avoid a dependency loop.
 .
   * Change sections to match overrides (new perl and libdevel sections).
   * Apply upstream change 18471 to correct behaviour of tell on files
     opened O_APPEND (reported by Sergio Rua).
 .
   * Apply upstream change 21031 to alter the distribution conditions
     of perlreftut(1) (see #202723).  Include this manual page in
     perl-doc once again.  Many thanks to Kevin Carlson of TPJ and to
     Mark Jason Dominus for their cooperation and assistance with this
     licence change.
 .
   * Apply patch from Matt Kraai making braced-group macro expressions
     conditional on !__cplusplus (fixes abiword build on m68k; closes:
     #204859).
 .
   * Ensure all dependencies of libperl are directly linked (previously
     -lm and -lpthread were not) for prelink (closes: #187372).
 .
   * Fix permissions on DEBIAN directories in build (closes: #207332).
   * Expand perl-modules description (closes: #210096).
   * Add some documentation to README.Debian about the source package.
   * Backport some changes from DB_File 1.806 to set some tie argument
     defaults (reported by Sergio Rua).
 .
   * Apply upstream fix for h2ph from Kurt Starsinic to suppress
     redefinition warnings.




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #50 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 203426@bugs.debian.org
Subject: Re: Bug#203426 acknowledged by developer (Bug#203426: fixed in perl 5.8.0-20)
Date: Thu, 11 Sep 2003 13:52:02 +1000 (EST)
You wrote:

> We believe that the bug you reported is fixed in [5.8.0-20] ...

Have you tested your fix? I tried, but "dpkg -i" on your .deb said
  Depends: libc6 (>= 2.3.2-1) but 2.2.5-11.5 is to be installed
and I am far too lazy... so looked in perl_5.8.0-20.diff.gz instead.

Re-doing my original test but showing errno, I get (with version 5.6.1):

> $ for n in nosuch file sfile; do
> > echo ''; echo Test $n; suidperl /root/ptest/$n; echo $?
> > done
> 
> Test nosuch
> Can't open perl script "/root/ptest/nosuch": No such file or directory
> 2
> 
> Test file
> Script is not setuid/setgid in suidperl
> 2
> 
> Test sfile
> Permission denied.
> 13

Looking in perl.c from perl_5.8.0.orig, the problem messages come from
lines 2920 and 3236:

  2915	#       ifdef IAMSUID
  2916	            errno = EPERM;
  2917	            Perl_croak(aTHX_ "Can't open perl script: %s\n",
  2918	                       Strerror(errno));
  2919	#       else
  2920	            Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
  2921	                       CopFILE(PL_curcop), Strerror(errno));
  2922	#       endif
  ...
  3235	    else
  3236		Perl_croak(aTHX_ "Script is not setuid/setgid in suidperl\n");

Your changes uselessly "attacked" line 2917, and missed a period and
setting errno. With your perl_5.8.0-20 changes, the above test would
surely output something like:

> Test nosuch
> Can't open perl script "/root/ptest/nosuch": No such file or directory
> 2
> 
> Test file
> Permission denied
> 2
> 
> Test sfile
> Permission denied.
> 13

Please show me that I am wrong. Or fix it...

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#203426; Package perl-suid.

Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.

Message #55 received at 203426@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 203426@bugs.debian.org
Subject: Re: Bug#203426: acknowledged by developer (Bug#203426: fixed in perl 5.8.0-20)
Date: Thu, 11 Sep 2003 17:23:07 +1000
reopen 203426
thanks

On Thu, Sep 11, 2003 at 01:52:02PM +1000, Paul Szabo wrote:
>You wrote:
>
>> We believe that the bug you reported is fixed in [5.8.0-20] ...
>
>Have you tested your fix? I tried, but "dpkg -i" on your .deb said
>  Depends: libc6 (>= 2.3.2-1) but 2.2.5-11.5 is to be installed
>and I am far too lazy... so looked in perl_5.8.0-20.diff.gz instead.

Yes, I tested it.  Take a look at the bug report at
http://bugs.debian.org/203426 and note message id
<20030905232047.GA9820@londo.c47.org> I verified the upstream patch
provided with your original test.

>Re-doing my original test but showing errno, I get (with version 5.6.1):
>
>> $ for n in nosuch file sfile; do
>> > echo ''; echo Test $n; suidperl /root/ptest/$n; echo $?
>> > done
>> 
>> Test nosuch
>> Can't open perl script "/root/ptest/nosuch": No such file or directory
>> 2
>> 
>> Test file
>> Script is not setuid/setgid in suidperl
>> 2
>> 
>> Test sfile
>> Permission denied.
>> 13
>
>Looking in perl.c from perl_5.8.0.orig, the problem messages come from
>lines 2920 and 3236:
>
>  2915	#       ifdef IAMSUID
>  2916	            errno = EPERM;
>  2917	            Perl_croak(aTHX_ "Can't open perl script: %s\n",
>  2918	                       Strerror(errno));
>  2919	#       else
>  2920	            Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
>  2921	                       CopFILE(PL_curcop), Strerror(errno));
>  2922	#       endif
>  ...
>  3235	    else
>  3236		Perl_croak(aTHX_ "Script is not setuid/setgid in suidperl\n");
>
>Your changes uselessly "attacked" line 2917, and missed a period and
>setting errno. [...]

Uselessly?  Attacked?

Jarkko's change modifies line 2917 which you've quoted above from the
original 5.8.0 sources to read:

    Perl_croak(aTHX_ "Permission denied\n");

which corrects your "nosuch" case.

>[...] With your perl_5.8.0-20 changes, the above test would
>surely output something like:
>
>> Test nosuch
>> Can't open perl script "/root/ptest/nosuch": No such file or directory
>> 2
>> 
>> Test file
>> Permission denied
>> 2
>> 
>> Test sfile
>> Permission denied.
>> 13

The actual output is:

    Test nosuch
    Permission denied
    1

    Test file
    Permission denied
    25

    Test sfile
    Permission denied.
    13

Didn't think to check the return value I'm afraid, I just re-ran your
original test case.

It appears that I did miss that trailing period when I re-tested the
patch on 5.8.0.

>Please show me that I am wrong. Or fix it...

Of course I'll fix it, especially since you've so politely phrased your
request in the imperative.

--bod
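Messages #50 and #55 above describe an error oracle: the failure message and the exit status together let an unprivileged caller tell "no such file", "not setuid" and "permission denied" apart, and the 5.8.0-20 patch unified only the message. The C program below is an added example, not code from perl.c or from the Debian patch; it models those failure paths with an open()/fstat() probe and contrasts leaky reporting with a uniform message plus uniform exit status. The /tmp path names and the use of ENOEXEC as a stand-in code for "not setuid" are assumptions.

```c
/* Added example (not code from perl.c or from the Debian patch): models the
   suidperl failure paths from the bug report and contrasts the leaky
   reporting of 5.6.1 with a uniform message and exit status. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed path for the "nosuch" case; nothing is expected to exist here. */
#define NOSUCH_PATH "/tmp/suidperl-example-does-not-exist-203426"

/* Stand-in code (assumption) for "opened fine, but not setuid/setgid". */
#define NOT_SETUID ENOEXEC

struct outcome {
    const char *message;  /* what the wrapper would print to stderr */
    int exit_status;      /* what the wrapper would exit with */
};

/* Probe a script the way a setuid wrapper does: open it, then look at the
   mode bits. Returns 0 on success, otherwise an errno-style cause. */
int inspect_script(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;                       /* ENOENT, EACCES, ... */
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        return saved;
    }
    close(fd);
    return (st.st_mode & (S_ISUID | S_ISGID)) ? 0 : NOT_SETUID;
}

/* Leaky reporting, modelled on the 5.6.1 behaviour shown in the report:
   the message names the real cause and the exit status varies (2, 2, 13). */
struct outcome report_leaky(int cause)
{
    struct outcome o = { "", 0 };
    if (cause == 0)
        return o;
    if (cause == NOT_SETUID) {
        o.message = "Script is not setuid/setgid in suidperl";
        o.exit_status = 2;
    } else {
        o.message = strerror(cause);        /* "No such file or directory", ... */
        o.exit_status = cause;              /* ENOENT=2, EACCES=13 on Linux */
    }
    return o;
}

/* Uniform reporting: every failure yields the same message AND the same exit
   status (5.8.0-20 unified the message but still exited 1/25/13; see #55). */
struct outcome report_uniform(int cause)
{
    struct outcome o = { "", 0 };
    if (cause == 0)
        return o;
    o.message = "Permission denied";
    o.exit_status = EACCES;
    return o;
}

/* 1 if an observer can tell two outcomes apart, 0 if they look identical. */
int distinguishable(struct outcome a, struct outcome b)
{
    return strcmp(a.message, b.message) != 0 || a.exit_status != b.exit_status;
}

struct outcome probe_leaky(const char *path)   { return report_leaky(inspect_script(path)); }
struct outcome probe_uniform(const char *path) { return report_uniform(inspect_script(path)); }

/* Create a constructed non-setuid regular file under /tmp (the "file" case
   from the report). The "sfile" case needs root, so it is not reproduced. */
const char *make_plain_file(void)
{
    static char path[64];
    if (path[0] == '\0') {
        snprintf(path, sizeof path, "/tmp/suidperl-example-%ld", (long)getpid());
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd >= 0)
            close(fd);
    }
    return path;
}

int main(void)
{
    const char *file = make_plain_file();
    struct outcome a = probe_leaky(NOSUCH_PATH), b = probe_leaky(file);
    struct outcome c = probe_uniform(NOSUCH_PATH), d = probe_uniform(file);
    printf("leaky:   \"%s\"/%d vs \"%s\"/%d -> distinguishable=%d\n",
           a.message, a.exit_status, b.message, b.exit_status, distinguishable(a, b));
    printf("uniform: \"%s\"/%d vs \"%s\"/%d -> distinguishable=%d\n",
           c.message, c.exit_status, d.message, d.exit_status, distinguishable(c, d));
    unlink(file);
    return 0;
}
```

The "sfile" case (a setuid file under a mode-0700 directory) cannot be created without root, so the program exercises the "nosuch" and "file" cases, which already suffice to show the oracle.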



Bug reopened, originator not changed. Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #62 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 203426@bugs.debian.org, bod@debian.org
Subject: Re: Bug#203426: acknowledged by developer (Bug#203426: fixed in perl 5.8.0-20)
Date: Thu, 11 Sep 2003 19:08:59 +1000 (EST)
Dear bod,

I already realized a little while ago that I blabbered off too soon.

I did not expect any changes to suidperl error messages between 5.6.1
and 5.8.0 (you were happy with my original report). I did not expect
any info on the Debian bug site (assumed common courtesy, or default
action, was to send to reporter).

Mea maxima culpa. Humble apologies.

> Of course I'll fix it ...

Thanks.

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Reply sent to Brendan O'Dea <bod@debian.org>:
You have taken responsibility.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.

Message #67 received at 203426-close@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: 203426-close@bugs.debian.org
Subject: Bug#203426: fixed in perl 5.8.0-21
Date: Thu, 11 Sep 2003 08:47:59 -0400
Source: perl
Source-Version: 5.8.0-21

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:




A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 203426@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <bod@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 11 Sep 2003 17:58:19 +1000
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc 
Version: 5.8.0-21
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Brendan O'Dea <bod@debian.org>
Description: 
 libperl-dev - Perl library: development files.
 libperl5.8 - Shared Perl library.
 perl       - Larry Wall's Practical Extraction and Report Language.
 perl-base  - The Pathologically Eclectic Rubbish Lister.
 perl-debug - Debug-enabled Perl interpreter.
 perl-suid  - Runs setuid Perl scripts.
Closes: 203426
Changes: 
 perl (5.8.0-21) unstable; urgency=high
 .
   * Security: further changes for suidperl path disclosure [CAN-2003-0618]
     to correct exit values and remove an extraneous period (closes: #203426).




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.

Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #72 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 203426@bugs.debian.org
Subject: Re: Bug#203426 acknowledged by developer (Bug#203426: fixed in perl 5.8.0-21)
Date: Fri, 12 Sep 2003 06:52:06 +1000 (EST)
Dear bod,

> We believe that the bug you reported is fixed in [5.8.0-21] ...

(Not on http://www.debian.org/debian/pool/main/p/perl/ yet, so could not
check changes.)

I expect that now you changed all those meaningful error messages to fake
"Permission denied" with matching errno returns (and that looks a tad silly
when you actually have rights to the file).

Trouble is that suidperl does things the wrong way: it does things (as
root), then as an afterthought checks permissions. This approach, as we all
know, does not work. (We keep telling Microsoft but they do not listen.)

As I do not have ready access to a 5.8.0 installation, could you please
test something for me? On 5.6.1 I get:

$ /usr/bin/time -v suidperl /root/ptest/nosuch 2>&1 | grep Major
	Major (requiring I/O) page faults: 192
$ /usr/bin/time -v suidperl /root/ptest/file 2>&1 | grep Major
	Major (requiring I/O) page faults: 190

Are there such differences (still) also in 5.8.0-21?

Thanks,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#203426; Package perl-suid.


Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.


Message #77 received at 203426@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 203426@bugs.debian.org
Subject: Re: Bug#203426: acknowledged by developer (Bug#203426: fixed in perl 5.8.0-21)
Date: Fri, 12 Sep 2003 14:17:44 +1000
On Fri, Sep 12, 2003 at 06:52:06AM +1000, Paul Szabo wrote:
>> We believe that the bug you reported is fixed in [5.8.0-21] ...
>
>(Not on http://www.debian.org/debian/pool/main/p/perl/ yet, so could not
>check changes.)

It's there now.  Bugs closed in the changelog are processed by a process
which periodically clears the incoming directory into accepted (a change
made to support crypto in main).  A side-effect is that bugs can be
closed up to a day before the installer runs :|

>I expect that now you changed all those meaningful error messages to fake
>"Permission denied" with matching errno returns (and that looks a tad silly
>when you actually have rights to the file).
>
>Trouble is that suidperl does things the wrong way: it does things (as
>root), then as an afterthought checks permissions. This approach, as we all
>know, does not work. (We keep telling Microsoft but they do not listen.)

Well, part of the reason that the tests are done in that order is that
it is not possible on all architectures to switch back to the saved uid
once you've given it up.

The real trouble with suidperl is that it's overly complex and rather
than being stand-alone is interleaved through the normal non-suid source
which makes it harder to audit.  It has been deprecated upstream and
will likely be removed in 5.10.

>As I do not have ready access to a 5.8.0 installation, could you please
>test something for me? On 5.6.1 I get:
>
>$ /usr/bin/time -v suidperl /root/ptest/nosuch 2>&1 | grep Major
>	Major (requiring I/O) page faults: 192
>$ /usr/bin/time -v suidperl /root/ptest/file 2>&1 | grep Major
>	Major (requiring I/O) page faults: 190
>
>Are there such differences (still) also in 5.8.0-21?

It appears not:

  $ for file in nosuch file sfile  
  > do
  >     echo "[$file]"
  >     suidperl /tmp/test/$file
  >     echo $?
  >     /usr/bin/time -v suidperl /tmp/test/$file 2>&1 | grep Major
  > done
  [nosuch]
  Permission denied
  1
          Major (requiring I/O) page faults: 165
  [file]
  Permission denied
  1
          Major (requiring I/O) page faults: 165
  [sfile]
  Permission denied
  1
          Major (requiring I/O) page faults: 165

There is however a minor difference between "nosuch" and "file"/"sfile"
in the Minor page faults:

  [nosuch]
	Minor (reclaiming a frame) page faults: 56
  [file]
	Minor (reclaiming a frame) page faults: 57
  [sfile]
	Minor (reclaiming a frame) page faults: 57
  
Although I've no idea how to change that, nor even if the results would
be consistent across different architectures (tests above on sparc).

At this point I'm tempted to "fix" this problem by withdrawing the
package.  Or at least changing the package description to warn of the
possibility of path disclosure.

--bod



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.


Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.


Message #82 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 203426@bugs.debian.org, bod@debian.org
Subject: Re: Bug#203426: acknowledged by developer (Bug#203426: fixed in perl 5.8.0-21)
Date: Fri, 12 Sep 2003 15:02:22 +1000 (EST)
Dear bod,

>> ... wrong way ... as an afterthought checks permissions.
> 
> Well, part of the reason that the tests are done in that order is that
> it is not possible on all architectures to switch back to the saved uid
> once you've given it up.

Why cannot you do the not-switching-back code earlier? Use subprocesses?

> The real trouble with suidperl is that it's overly complex ...

Time for a re-write?

> It has been deprecated upstream and will likely be removed in 5.10.

I hope it will not be removed: I use it in a couple of places.

>> ... could you please test something for me? On 5.6.1 I get ...
> 
> [similar results on 5.8 on sparc]
> 
> At this point I'm tempted to "fix" this problem by withdrawing the
> package.  Or at least changing the package description to warn of the
> possibility of path disclosure.

Please do not withdraw suidperl: I use it. I wish you would fix it; if that
is not possible then warn.

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#203426; Package perl-suid.


Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.


Message #87 received at 203426@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 203426@bugs.debian.org
Subject: Re: Bug#203426: acknowledged by developer (Bug#203426: fixed in perl 5.8.0-21)
Date: Fri, 12 Sep 2003 23:55:35 +1000
On Fri, Sep 12, 2003 at 03:02:22PM +1000, Paul Szabo wrote:
>> The real trouble with suidperl is that it's overly complex ...
>
>Time for a re-write?

It's not really something which can be fixed by a re-write, since the
process in addition to the code is complex:  perl runs, notes that bits
are set but euid doesn't match, re-executes suidperl which then performs
a bunch of checks...

Note perldelta(1) for 5.8.0:

  * After years of trying, suidperl is considered to be too complex to
    ever be considered truly secure.  The suidperl functionality is
    likely to be removed in a future release.

>> It has been deprecated upstream and will likely be removed in 5.10.
>
>I hope it will not be removed: I use it in a couple of places.

I appreciate that people do, and wouldn't remove it without providing an
alternative.  I posted a preliminary implementation of a program here:

  http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2003-09/msg00750.html

which creates a C wrapper for a perl script.  There are also other
options, google for wrapsuid.pl for example.

>>> ... could you please test something for me? On 5.6.1 I get ...
>> 
>> [similar results on 5.8 on sparc]
>> 
>> At this point I'm tempted to "fix" this problem by withdrawing the
>> package.  Or at least changing the package description to warn of the
>> possibility of path disclosure.
>
>Please do not withdraw suidperl: I use it. I wish you would fix it; if that
>is not possible then warn.

I will add a warning to the package description for the next upload.

--bod



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.


Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.


Message #92 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 203426@bugs.debian.org, bod@debian.org
Subject: Re: Bug#203426: acknowledged by developer (Bug#203426: fixed in perl 5.8.0-21)
Date: Tue, 16 Sep 2003 12:11:58 +1000 (EST)
Dear bod,

Quoting from a much earlier message:

>> Trouble is that suidperl does things the wrong way: it does things (as
>> root), then as an afterthought checks permissions. This approach, as we all
>> know, does not work. ...

Thought of other ways of abusing suidperl's "shoot first, ask questions
later" approach. Just the act of opening a file may do bad things:

Special files can do anything:
  Reposition backup tapes with  suidperl /dev/st0
  (Cannot think of any others, but there must be more in /dev or /proc;
    pipe waiting for a reader?)
Regular files update access times:
  Interfere with backup regimes and /tmp cleaning
  Interfere with whodunnit forensics
Autofs directories could be mounted or kept from expiring (though mostly
  are world-accessible anyway)
Hold files open, interfere with updates


>>> [suidperl] has been deprecated upstream and will likely be removed ...
>>I hope it will not be removed: I use it in a couple of places.
> I appreciate that people do, and wouldn't remove it without providing an
> alternative.  I posted a preliminary implementation of a program here:
>   http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2003-09/msg00750.html
> which creates a C wrapper for a perl script.  There are also other
> options, google for wrapsuid.pl for example.

Wrappers are an ugly option. Do not throw suidperl away just because it
seems hard to fix.

>>> The real trouble with suidperl is that it's overly complex ...
>>Time for a re-write?
> 
> It's not really something which can be fixed by a re-write ...

I humbly submit the following patch (against Debian version 5.8.0-21). I
expect this to work on architectures that can do uid/euid swaps; it just
quits on others, see comments.

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



--- perl.c-5.8.0-21	Mon Sep 15 14:22:00 2003
+++ perl.c	Tue Sep 16 11:26:42 2003
@@ -2875,7 +2875,78 @@
 	PL_rsfp = PerlIO_stdin();
     }
     else {
+/* PSz 16 Sep 03  Do not open file while setuid */
+/*
+ * Do any "double check"s BEFORE opening.
+ * Code stolen from S_validate_suid
+ */
+#ifdef IAMSUID
+#ifndef HAS_SETREUID
+	/* Original comments said:
+	 * ... there is a small window ... don't know what to do about that.
+	 * But I don't think it's too important.  The manual lies when
+	 * it says access() is useful in setuid programs.
+	 * 
+	 * It really is important. We could be fooled with a symlink race.
+	 * To fix properly:
+	 * Easy way out: quit now, do not do.
+	 * Hard way: Give up privileges, open file, re-exec ourselves with
+	 * file descriptor open. Code for this is already here somewhere...
+	 */
+	if (PerlLIO_access(CopFILE(PL_curcop),1)) {
+	    errno = EPERM;
+	    Perl_croak(aTHX_ "Permission denied\n");
+	}
+	Perl_croak(aTHX_ "Easy way out: no suidperl on this architecture\n");
+#else
+	/* Swap euid and uid before open */
+	/*
+	 * This nesting of ifdefs, as taken from S_validate_suid, is broken:
+	 *  ifndef HAS_SETREUID
+	 *    ...
+	 *  else
+	 *  ifdef HAS_SETREUID
+	 *    setreuid(PL_euid,PL_uid) < 0
+	 *  else
+	 *   if HAS_SETRESUID
+	 *    setresuid(PL_euid,PL_uid,(Uid_t)-1) < 0
+	 *   endif
+	 *  endif
+	 *  endif
+	 * Doubly broken because perl.h makes sure we have HAS_SETREUID
+	 * with HAS_SETRESUID. Leaving it thus, in case I missed something.
+	 */
+	if (
+#ifdef HAS_SETREUID
+		setreuid(PL_euid,PL_uid) < 0
+#else
+# if HAS_SETRESUID
+		setresuid(PL_euid,PL_uid,(Uid_t)-1) < 0
+# endif
+#endif
+		|| PerlProc_getuid() != PL_euid || PerlProc_geteuid() != PL_uid)
+		Perl_croak(aTHX_ "Can't swap uid and euid");	/* really paranoid */
 	PL_rsfp = PerlIO_open(scriptname,PERL_SCRIPT_MODE);
+#if !defined(NO_NOSUID_CHECK)
+	if (PL_rsfp && fd_on_nosuid_fs(PerlIO_fileno(PL_rsfp))) {
+		Perl_croak(aTHX_ "Filesystem mounted nosuid\n");
+	}
+#endif
+	if (
+#ifdef HAS_SETREUID
+		setreuid(PL_uid,PL_euid) < 0
+#else
+# if defined(HAS_SETRESUID)
+		setresuid(PL_uid,PL_euid,(Uid_t)-1) < 0
+# endif
+#endif
+		|| PerlProc_getuid() != PL_uid || PerlProc_geteuid() != PL_euid)
+		Perl_croak(aTHX_ "Can't reswap uid and euid");
+#endif /* HAS_SETREUID */
+#else
+	PL_rsfp = PerlIO_open(scriptname,PERL_SCRIPT_MODE);
+#endif /* IAMSUID */
+
 #       if defined(HAS_FCNTL) && defined(F_SETFD)
 	    if (PL_rsfp)
                 /* ensure close-on-exec */
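Review bot: the "#else" branch of "#ifndef HAS_SETREUID" can only be compiled with HAS_SETREUID defined, so the inner "#else" / "# if HAS_SETRESUID" arms around both setreuid() calls are unreachable, and the two arms are even spelled differently ("# if HAS_SETRESUID" on the swap, "# if defined(HAS_SETRESUID)" on the reswap); "#if HAS_SETRESUID" on an undefined macro silently evaluates to 0, so "#if defined(...)" is the form to keep if the arm stays at all. Dropping the dead arms leaves a plain "if (setreuid(PL_euid,PL_uid) < 0 || ...)", which is much easier to audit. In the "#ifndef HAS_SETREUID" branch the PerlLIO_access() check is also dead: the "Easy way out" Perl_croak follows it unconditionally, so either delete the access() block or move it into the comment. Lastly, the "Filesystem mounted nosuid" croak fires while uid and euid are still swapped; harmless because the process exits, but say so in a comment.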
@@ -2883,6 +2954,18 @@
 #       endif
     }
     if (!PL_rsfp) {
+/* PSz 16 Sep 03  Do not open unreadable scripts */
+/*
+ * Do NOT try to open as root (nor even as UID of file,
+ * but I think this code tried as root ...).
+ * We give up setuid before open or at least check access,
+ * so would fail anyway (and maybe loop forever).
+ * 
+ * We are talking about un-executable scripts anyway:
+ * am not sure why or how, but the above PerlIO_open
+ * succeeds on exec-only (not readable) stuff. Weird.
+ */
+#if 0
 #       ifdef DOSUID
 #       ifndef IAMSUID	/* in case script is not readable before setuid */
 	    if (PL_euid &&
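Review bot: wrapping the "#ifdef DOSUID" / "#ifndef IAMSUID" block in "#if 0" disables the path that plain perl takes when a setuid script is not readable by the invoking user (mode 4711 and the like), and the new comment says the reason the later PerlIO_open succeeds on such files is not understood ("Weird"). A behaviour change in the non-suid binary should rest on a test, not a guess: run an exec-only setuid script through perl before and after this patch and either record the result in the comment or leave the block enabled.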
@@ -2898,6 +2981,11 @@
             }
 #       endif
 #       endif
+#endif
+/* PSz 16 Sep 03  Keep neat error message */
+            Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
+                       CopFILE(PL_curcop), Strerror(errno));
+/*
 #       ifdef IAMSUID
             errno = EPERM;
             Perl_croak(aTHX_ "Permission denied\n");
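Review bot: the new unconditional Perl_croak("Can't open perl script ... %s", Strerror(errno)) now surfaces the kernel's errno text from suidperl as well, which is only non-disclosing because the first hunk performed the open as the invoking user; both hunks should state that dependency, since reordering either one reintroduces the existence oracle this bug is about. Also, errno is read here well after the failed PerlIO_open: the reswap setreuid()/getuid()/geteuid() calls sit in between, and nothing guarantees a successful libc call leaves errno untouched. Save it immediately after the open ("int open_errno = errno;") and format that copy.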
@@ -2905,6 +2993,7 @@
             Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
                        CopFILE(PL_curcop), Strerror(errno));
 #       endif
+*/
     }
 }
 
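Review bot: the "+*/" here closes a "/*" opened in the previous hunk, so a block of live code is being disabled with a C comment; use "#if 0" ... "#endif" as the hunk before it already does, because "/* */" does not nest and any comment inside the disabled region would terminate it early and resurrect the code.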
@@ -3227,8 +3316,12 @@
     else if (fdscript >= 0)
 	Perl_croak(aTHX_ "fd script not allowed in suidperl\n");
     else {
+/* PSz 16 Sep 03  Keep neat error message */
+	Perl_croak(aTHX_ "Script is not setuid/setgid in suidperl\n");
+/*
 	errno = EPERM;
 	Perl_croak(aTHX_ "Permission denied\n");
+*/
     }
 
     /* We absolutely must clear out any saved ids here, so we */
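Review bot: replacing "errno = EPERM; Perl_croak("Permission denied")" with the specific "Script is not setuid/setgid in suidperl" message changes the exit status as well as the text: perl's failure exit uses errno when it is non-zero, so this croak now exits with whatever errno happens to hold instead of the 1 seen in the earlier test output. The message itself is fine provided the script was opened as the invoking user (the point of the first hunk), so state that precondition in the comment, and if the specific message is kept, keep "errno = EPERM" in front of it; as with the earlier hunk, prefer "#if 0" to a "/* */" block for the retired lines.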


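The patch above swaps uid and euid around the script open so that the kernel evaluates every directory on the path, and the file itself, as the invoking user. As an added example, not code from the bug report, from Paul's patch or from perl's source, here is the same idea as a stand-alone C program built on seteuid() and POSIX saved set-user-ID semantics (an assumption: the same thing the "#ifndef HAS_SETREUID" branch of the patch cannot rely on). It captures the errno of a failed open before credentials are restored, and falls back to a uniform error text only for the case where the open could not be done as the invoker. The names open_as_invoker, open_error_text, failure_exit_status and the constructed path "/nonexistent/constructed-example" are the example's own.

```c
/* Added example: open a script with the invoking user's credentials before
 * doing anything privileged, so no "exists but unreadable" oracle leaks
 * from the error text.  Not part of perl or of the patch in this bug. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open `path` read-only with the privilege of the real (invoking) user.
 * Returns the fd, or -1 with *err set to the errno of the failed open(),
 * captured before the credential restore so later syscalls cannot clobber
 * it.  When the process is not set-user-ID (uid == euid) the swap is a no-op. */
int open_as_invoker(const char *path, int *err)
{
    uid_t real = getuid(), eff = geteuid();
    int fd, saved;

    /* Step 1: make the invoker the effective user for the open.  With saved
     * set-user-IDs (assumed here) seteuid(eff) is permitted afterwards. */
    if (real != eff && seteuid(real) != 0) {
        *err = errno;
        return -1;
    }

    /* Step 2: the kernel now checks the path as the invoker, so ENOENT vs
     * EACCES tells them nothing a plain open() of their own would not. */
    fd = open(path, O_RDONLY | O_CLOEXEC);
    saved = (fd < 0) ? errno : 0;

    /* Step 3: regain privilege and verify it; an unknown credential state
     * is fatal, never something to continue from. */
    if (real != eff && (seteuid(eff) != 0 || geteuid() != eff)) {
        if (fd >= 0)
            close(fd);
        *err = EPERM;
        return -1;
    }
    *err = saved;
    return fd;
}

/* Error text for the caller.  If the open ran as the invoker, strerror()
 * is safe.  If it could not (no way to swap credentials), a privileged
 * open's ENOENT vs EACCES is exactly the existence oracle of this bug, so
 * the only safe text is a uniform one, as in Debian's 5.8.0-21 fix. */
const char *open_error_text(int err, int opened_as_invoker)
{
    return opened_as_invoker ? strerror(err) : "Permission denied";
}

/* Exit status in the spirit of perl's die(): errno if non-zero, else 255.
 * Setting errno = EPERM (1 on Linux) before failing is what kept the old
 * "Permission denied" exit status at 1. */
int failure_exit_status(int err)
{
    return (err & 255) ? (err & 255) : 255;
}

int main(int argc, char **argv)
{
    /* Constructed default path; pass a real script path as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/nonexistent/constructed-example";
    int err = 0;
    int fd = open_as_invoker(path, &err);

    if (fd < 0) {
        fprintf(stderr, "Can't open script \"%s\": %s\n",
                path, open_error_text(err, 1));
        return failure_exit_status(err);
    }
    printf("opened %s as uid %u (fd %d)\n", path, (unsigned)getuid(), fd);
    close(fd);
    return 0;
}
```

Run as an ordinary user the swap is skipped and the program behaves like any open(); installed set-user-ID it performs the swap, and the only privileged operations left are the ones done on an already-open descriptor, which is the ordering the patch argues for.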

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.


Acknowledgement sent to psz@maths.usyd.edu.au (Paul Szabo):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.


Message #97 received at 203426@bugs.debian.org:

From: psz@maths.usyd.edu.au (Paul Szabo)
To: 203426@bugs.debian.org, bod@debian.org, psz@maths.usyd.edu.au
Subject: Re: Bug#203426: acknowledged by developer (Bug#203426: fixed in perl 5.8.0-21)
Date: Wed, 17 Sep 2003 06:44:04 +1000 (EST)
Dear bod,

I wrote yesterday:

> I humbly submit the following patch (against Debian version 5.8.0-21).

Same thing again, with slightly improved comments.

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



--- perl.c-5.8.0-21	Mon Sep 15 14:22:00 2003
+++ perl.c	Wed Sep 17 06:34:55 2003
@@ -2875,7 +2875,87 @@
 	PL_rsfp = PerlIO_stdin();
     }
     else {
+/* PSz 16 Sep 03  Do not open file while setuid */
+/*
+ * Do any "double check"s BEFORE opening.
+ * Code stolen from S_validate_suid
+ *
+ * Suidperl should not open anything: perl should open, hand it to suidperl
+ * on a fd; suidperl would do some checks, set up UIDs and re-exec perl
+ * with that fd as it does now. (Current arrangements are wasteful: script
+ * is opened in perl, then opened again, in a cumbersome way, in suidperl.)
+ * But no such re-design for now: would the perl gurus accept/adopt such a
+ * radical change?
+ */
+#ifdef IAMSUID
+#ifndef HAS_SETREUID
+	/* Original comments said:
+	 * ... there is a small window ... don't know what to do about that.
+	 * But I don't think it's too important.  The manual lies when
+	 * it says access() is useful in setuid programs.
+	 * 
+	if (PerlLIO_access(CopFILE(PL_curcop),1)) {
+	    errno = EPERM;
+	    Perl_croak(aTHX_ "Permission denied\n");
+	}
+	 * 
+	 * It really is important. We could be fooled with a symlink race.
+	 * To fix properly:
+	 * Easy way out: quit now, do not do.
+	 * Hard way: Give up privileges, open file, re-exec ourselves with
+	 * file descriptor open. Code for this is already here somewhere...
+	 * Thus really, have the script opened in perl, so we get fd...
+	 */
+	Perl_croak(aTHX_ "Easy way out: no suidperl on this architecture\n");
+#else
+	/* Swap euid and uid before open */
+	/*
+	 * This nesting of ifdefs, as taken from S_validate_suid, is broken:
+	 *  ifndef HAS_SETREUID
+	 *    ...
+	 *  else
+	 *  ifdef HAS_SETREUID
+	 *    setreuid(PL_euid,PL_uid) < 0
+	 *  else
+	 *   if HAS_SETRESUID
+	 *    setresuid(PL_euid,PL_uid,(Uid_t)-1) < 0
+	 *   endif
+	 *  endif
+	 *  endif
+	 * Doubly broken because perl.h makes sure we have HAS_SETREUID
+	 * with HAS_SETRESUID. Leaving it thus, in case I missed something.
+	 */
+	if (
+#ifdef HAS_SETREUID
+		setreuid(PL_euid,PL_uid) < 0
+#else
+# if HAS_SETRESUID
+		setresuid(PL_euid,PL_uid,(Uid_t)-1) < 0
+# endif
+#endif
+		|| PerlProc_getuid() != PL_euid || PerlProc_geteuid() != PL_uid)
+		Perl_croak(aTHX_ "Can't swap uid and euid");	/* really paranoid */
 	PL_rsfp = PerlIO_open(scriptname,PERL_SCRIPT_MODE);
+#if !defined(NO_NOSUID_CHECK)
+	if (PL_rsfp && fd_on_nosuid_fs(PerlIO_fileno(PL_rsfp))) {
+		Perl_croak(aTHX_ "Filesystem mounted nosuid\n");
+	}
+#endif
+	if (
+#ifdef HAS_SETREUID
+		setreuid(PL_uid,PL_euid) < 0
+#else
+# if defined(HAS_SETRESUID)
+		setresuid(PL_uid,PL_euid,(Uid_t)-1) < 0
+# endif
+#endif
+		|| PerlProc_getuid() != PL_uid || PerlProc_geteuid() != PL_euid)
+		Perl_croak(aTHX_ "Can't reswap uid and euid");
+#endif /* HAS_SETREUID */
+#else
+	PL_rsfp = PerlIO_open(scriptname,PERL_SCRIPT_MODE);
+#endif /* IAMSUID */
+
 #       if defined(HAS_FCNTL) && defined(F_SETFD)
 	    if (PL_rsfp)
                 /* ensure close-on-exec */
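Review bot: the new design note (perl opens the script and hands suidperl an fd) is the right direction and belongs in the bug or upstream discussion rather than only in a comment, because it changes the perl/suidperl protocol for anyone who has #!/usr/bin/suidperl hard-coded. Within this hunk the PerlLIO_access() lines now sit inside the "/* Original comments said: ... */" block, so they are text, not code; that is the intended effect, but an "#if 0" around them would make it obvious instead of relying on where the comment closes. The "# if HAS_SETRESUID" versus "# if defined(HAS_SETRESUID)" mismatch between the swap and the reswap is unchanged from the previous revision and still worth fixing, as is the unreachable inner "#else" (HAS_SETREUID is guaranteed defined on this side of "#ifndef HAS_SETREUID").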
@@ -2883,6 +2963,18 @@
 #       endif
     }
     if (!PL_rsfp) {
+/* PSz 16 Sep 03  Do not open unreadable scripts */
+/*
+ * Do NOT try to open as root (nor even as UID of file,
+ * but I think this code tried as root ...).
+ * We give up setuid before open or at least check access,
+ * so would fail anyway (and maybe loop forever).
+ * 
+ * We are talking about un-executable scripts anyway:
+ * am not sure why or how, but the above PerlIO_open
+ * succeeds on exec-only (not readable) stuff. Weird.
+ */
+#if 0
 #       ifdef DOSUID
 #       ifndef IAMSUID	/* in case script is not readable before setuid */
 	    if (PL_euid &&
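Review bot: unchanged from the previous revision: the "#if 0" still disables the re-exec path for scripts the invoking user cannot read, on the strength of a comment that says the behaviour is not understood; a test with an exec-only setuid script would settle whether the block is needed, and its outcome belongs in the comment.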
@@ -2898,6 +2990,11 @@
             }
 #       endif
 #       endif
+#endif
+/* PSz 16 Sep 03  Keep neat error message */
+            Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
+                       CopFILE(PL_curcop), Strerror(errno));
+/*
 #       ifdef IAMSUID
             errno = EPERM;
             Perl_croak(aTHX_ "Permission denied\n");
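Review bot: errno is still read after the credential reswap rather than saved at the failed PerlIO_open; capture it right after the open and pass the copy to Strerror(), otherwise the message may describe a different failure than the one the user hit, and the comment should note that the errno text is only safe to show because the open ran as the invoking user.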
@@ -2905,6 +3002,7 @@
             Perl_croak(aTHX_ "Can't open perl script \"%s\": %s\n",
                        CopFILE(PL_curcop), Strerror(errno));
 #       endif
+*/
     }
 }
 
@@ -3227,8 +3325,12 @@
     else if (fdscript >= 0)
 	Perl_croak(aTHX_ "fd script not allowed in suidperl\n");
     else {
+/* PSz 16 Sep 03  Keep neat error message */
+	Perl_croak(aTHX_ "Script is not setuid/setgid in suidperl\n");
+/*
 	errno = EPERM;
 	Perl_croak(aTHX_ "Permission denied\n");
+*/
     }
 
     /* We absolutely must clear out any saved ids here, so we */
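Review bot: as in the first revision, dropping "errno = EPERM" makes the exit status of this croak depend on whatever errno holds (perl's failure exit uses errno), so callers that checked for exit 1 see a different value; if the specific message is wanted, keep "errno = EPERM" in front of it, and disable the retired lines with "#if 0" rather than a "/* */" block.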



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.


Message #102 received at 203426@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 203426@bugs.debian.org
Subject: Status?
Date: Wed, 17 Sep 2003 22:40:01 -0400
Any thoughts on the patch that Paul submitted?  I have a stable-security
update ready with the previous patch, but I'll gladly do another one if
this is better.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#203426; Package perl-suid.


Acknowledgement sent to "inet email storage system" <mailerengine@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.


Message #107 received at 203426@bugs.debian.org:

From: "inet email storage system" <mailerengine@bigfoot.com>
To: "Inet Client" <receiver@smtpdomain.net>
Subject: Bug Announcement
Date: Wed, 24 Sep 2003 04:20:36 -0500

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#203426; Package perl-suid.


Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.


Message #112 received at 203426@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 203426@bugs.debian.org
Subject: Re: Bug#203426: acknowledged by developer (Bug#203426: fixed in perl 5.8.0-21)
Date: Fri, 26 Sep 2003 01:51:43 +1000
On Tue, Sep 16, 2003 at 12:11:58PM +1000, Paul Szabo wrote:
>>> Trouble is that suidperl does things the wrong way: it does things (as
>>> root), then as an afterthought checks permissions. This approach, as we all
>>> know, does not work. ...
>
>Thought of other ways of abusing suidperl's "shoot first, ask questions
>later" approach. Just the act of opening a file may do bad things:
>
>Special files can do anything:
>  Reposition backup tapes with  suidperl /dev/st0
>  (Cannot think of any others, but there must be more in /dev or /proc;
>    pipe waiting for a reader?)
[...]

Agreed, there are possibly many DoS-type exploits of this type possible.

>>>> [suidperl] has been deprecated upstream and will likely be removed ...
>>>I hope it will not be removed: I use it in a couple of places.
>> I appreciate that people do, and wouldn't remove it without providing an
>> alternative.  I posted a preliminary implementation of a program here:
>>   http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2003-09/msg00750.html
>> which creates a C wrapper for a perl script.  There are also other
>> options, google for wrapsuid.pl for example.
>
>Wrappers are an ugly option. Do not throw suidperl away just because it
>seems hard to fix.

It's not so much that it's hard to fix, but that it has *already* been
"fixed" many times in the past.

Wrappers are an ugly option?  Perhaps.  Compared to having the kernel
provide "secure" setid execution (via /dev/fd) in fs/binfmt_script.c I
would tend to agree.

Compared however to suidperl, wrappers such as the one proposed above
are downright *elegant*.  While it's true that you lose the transparency
of simply setting bits on the script, the benefit is in simplicity--not
more than sixty lines of C code to audit rather than lumps of #ifdef'ed
code sprinkled through somewhat more than 4000.

>>>> The real trouble with suidperl is that it's overly complex ...
>>>Time for a re-write?
>> 
>> It's not really something which can be fixed by a re-write ...
>
>I humbly submit the following patch (against Debian version 5.8.0-21). I
>expect this to work on architectures that can do uid/euid swaps; it just
>quits on others, see comments.

Thanks Paul.

>+ * Suidperl should not open anything: perl should open, hand it to suidperl
>+ * on a fd; suidperl would do some checks, set up UIDs and re-exec perl
>+ * with that fd as it does now. (Current arrangements are wasteful: script
>+ * is opened in perl, then opened again, in a cumbersome way, in suidperl.)

Agreed, although note that this would break current behaviour in the
instances where people are (incorrectly) specifying #!/usr/bin/suidperl
explicitly.  Arguably a good thing.

[...]

Without passing the fd this would appear to be a workable compromise.
Submitting upstream for comments.

--bod



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#203426; Package perl-suid.


Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.


Message #117 received at 203426@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Matt Zimmerman <mdz@debian.org>, 203426@bugs.debian.org
Subject: Re: Bug#203426: Status?
Date: Fri, 26 Sep 2003 01:58:59 +1000
On Wed, Sep 17, 2003 at 10:40:01PM -0400, Matt Zimmerman wrote:
>Any thoughts on the patch that Paul submitted?  I have a stable-security
>update ready with the previous patch, but I'll gladly do another one if
>this is better.

It looks good to me, but I'd like to elicit some comments from upstream
before going further.

With the recent release of 5.8.1 that may take a while, so for the
moment please go ahead with the update as-is.

Thanks,
--bod




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 1 23:39:11 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.