Debian Bug report logs - #286905
perl-modules: File::Path::rmtree makes setuid


Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl.

Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Wed, 22 Dec 2004 22:18:05 UTC

Severity: critical

Tags: etch, lenny, security, sid

Found in version perl/5.8.8-1

Fixed in versions 5.8.4-7, perl/5.10.0-18, perl/5.8.8-7etch5

Done: Niko Tyni <ntyni@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286905; Package perl-modules.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl-modules: File::Path::rmtree makes setuid
Date: Thu, 23 Dec 2004 09:10:31 +1100
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Noting USN-44-1 e.g. in

  http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html

I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:

   170          (undef, undef, my $rp) = lstat $root or next;
   171          $rp &= 07777;   # don't forget setuid, setgid, sticky bits
   172          if ( -d _ ) {
   ...
   209              if (rmdir $root) {
   210                  ++$count;
   211              }
   212              else {
   213                  carp "Can't remove directory $root: $!";
   214                  chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
   215                      or carp("and can't restore permissions to "
   216                              . sprintf("0%o",$rp) . "\n");
   217              }
   218          }
   ...

Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:

  mkdir -p /tmp/psz/sh
  perl -e 'open F, ">/tmp/psz/sh/$_" foreach (1..1000)'
  chmod 4777 /tmp/psz/sh

While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:

  mv /tmp/psz/sh /tmp/psz/dummy
  ln -s /bin/sh /tmp/psz/sh

Root would have recorded the permissions of /tmp/psz/sh, but would
"restore" it to /bin/sh.

I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.

(A few minutes ago I emailed the File::Path authors Tim.Bunce@ig.co.uk
and bailey@newman.upenn.edu; Tim.Bunce bounced.)

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction 
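The window Paul describes is easier to see when it is made explicit. The script below is an added illustration, not code from the report or from File::Path: it invokes an attacker callback at the point between the lstat and the chmod where rmtree can be interrupted, first with the old restore-by-path pattern and then with a restore that re-checks the directory's (dev, ino) pair after chdir and applies chmod to "." instead of to the path. It assumes a Unix system where the owner may set the setuid bit on a directory and a scratch directory from File::Temp; target_file and target_dir are stand-ins for /bin/sh and for a directory such as /etc, and the attacker's steps are the mv and ln -s from the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use POSIX qw(_exit);

# Vulnerable pattern (old rmtree): remember the mode by path, do other
# work, then restore the mode by path.  chmod(2) follows symlinks, so if
# $dir has been swapped for a symlink in between, the mode lands on the
# link target.  $attack is a callback standing in for the racing process.
sub restore_mode_by_path {
    my ($dir, $attack) = @_;
    my (undef, undef, $mode) = lstat $dir or die "lstat $dir: $!";
    $mode &= 07777;
    $attack->();                 # the window between lstat and chmod
    return chmod($mode, $dir);   # $dir is resolved again by the kernel here
}

# Hardened pattern: enter the directory, confirm it is still the same
# (dev, ino) pair we lstat'ed, and chmod "." so the mode is applied to
# the directory we are in rather than to whatever $dir names now.  Done
# in a child so the caller's working directory is left alone; _exit skips
# END blocks (File::Temp cleanup) in the child.
sub restore_mode_checked {
    my ($dir, $attack) = @_;
    my ($dev, $ino, $mode) = lstat $dir or die "lstat $dir: $!";
    $mode &= 07777;
    $attack->();
    my $pid = fork;
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        chdir $dir or _exit(2);                # chdir follows a symlink...
        my ($d, $i) = stat '.';                # ...so re-check identity
        _exit(3) unless defined $d && $d == $dev && $i == $ino;
        _exit(chmod($mode, '.') ? 0 : 4);
    }
    waitpid $pid, 0;
    return $? >> 8;    # 0: restored; 2/3: swap detected, nothing touched
}

# Scratch copy of the report's scenario (constructed here): "sh" is the
# attacker's 4777 directory; target_file and target_dir stand in for
# /bin/sh and for a directory such as /etc.
sub setup {
    my $top    = tempdir(CLEANUP => 1);
    my $victim = "$top/sh";
    my %target = (file => "$top/target_file", dir => "$top/target_dir");
    mkdir $victim        or die "mkdir: $!";
    chmod 04777, $victim or die "chmod: $!";
    open my $fh, '>', $target{file} or die "open: $!";
    close $fh;
    mkdir $target{dir}   or die "mkdir: $!";
    chmod 0755, $_ or die "chmod: $!" for values %target;
    # The attacker's move from the report: mv the directory away and put
    # a symlink to the chosen target in its place.
    my $swap_to = sub {
        my $what = shift;
        rename $victim, "$top/dummy"    or die "rename: $!";
        symlink $target{$what}, $victim or die "symlink: $!";
    };
    return ($victim, \%target, $swap_to);
}

sub mode_of { return (stat($_[0]))[2] & 07777 }

my ($victim, $t, $swap_to) = setup();
restore_mode_by_path($victim, sub { $swap_to->('file') });
printf "vulnerable: target_file is now %04o (setuid %s)\n",
    mode_of($t->{file}), (mode_of($t->{file}) & 04000) ? "set" : "clear";

for my $what (qw(file dir)) {
    ($victim, $t, $swap_to) = setup();
    my $rc = restore_mode_checked($victim, sub { $swap_to->($what) });
    printf "hardened, symlink to %s: child status %d, target mode still %04o\n",
        $what, $rc, mode_of($t->{$what});
}
```

Run it as an unprivileged user. The vulnerable call leaves target_file with mode 04777, exactly the effect the report describes for /bin/sh, while the checked version exits the child with status 2 (chdir refused a symlink to a file) or 3 (the directory entered is not the one that was lstat'ed) and leaves both targets untouched. The fork is only there so the caller's working directory is not disturbed; the essential step is verifying identity after chdir and applying chmod to "." rather than to a path the attacker controls.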




Bug reassigned from package `perl-modules' to `perl'. Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Merged 286905 286922. Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#286905; Package perl.

Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.

Message #14 received at 286905@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 286905@bugs.debian.org
Cc: Perl5 Porters <perl5-porters@perl.org>
Subject: Re: Bug#286905: perl-modules: File::Path::rmtree makes setuid
Date: Wed, 12 Jan 2005 23:45:57 +1100
On Thu, Dec 23, 2004 at 09:10:31AM +1100, Paul Szabo wrote:
>Package: perl-modules
>Version: 5.6.1-8.7
>Severity: critical
>File: /usr/share/perl/5.6.1/File/Path.pm
>Tags: security
>Justification: root security hole

>Example of attack: suppose we know that root uses rmtree to clean up
>/tmp directories. Attacker prepares things:
>
>  mkdir -p /tmp/psz/sh
>  perl -e 'open F, ">/tmp/psz/sh/$_" foreach (1..1000)'
>  chmod 4777 /tmp/psz/sh
>
>While root is busy working on /tmp/psz/sh (and this can be made as slow
>as we like), attacker does:
>
>  mv /tmp/psz/sh /tmp/psz/dummy
>  ln -s /bin/sh /tmp/psz/sh
>
>Root would have recorded the permissions of /tmp/psz/sh, but would
>"restore" it to /bin/sh.

>Following on from the "File::Path::rmtree makes setuid" issue, I notice
>that rmtree may be tricked into removing arbitrary files.
>
>Example of attack: suppose we know that root uses rmtree to clean up
>/tmp directories. Attacker prepares things:
>
>  mkdir /tmp/psz
>  perl -e 'open F, ">/tmp/psz/$_" foreach (1..1000)'
>  touch /tmp/psz/passwd
>
>While root is busy working on /tmp/psz (and this can be made as slow as
>we like), attacker does:
>
>  mv /tmp/psz /tmp/dummy
>  ln -s /etc /tmp/psz
>
>Root will then remove /etc/passwd.

Thanks Paul,

both of these issues obviously stem from the same root cause--a race
between generating a list of files, then manipulating that list.

I don't really see that this is fixable outside of rewriting rmtree to
recursively chdir+readdir+unlink.

Given that there are possible pitfalls even with this approach (cf. 
CVE-2002-0435) I'm considering punting the problem to fileutils,
replacing rmtree entirely with the attached subroutine.

[p5p:] If anyone had a cleaner (and cross-platform) fix, I'd love to
hear of it.

--bod

sub rmtree
{
    my ($p, $verbose) = @_;
    $p = [] unless defined $p and length $p;
    $p = [ $p ] unless ref $p;
    my @paths = grep defined && length, @$p;

    unless (@paths)
    {
	carp "No root path(s) specified\n";
	return 0;
    }

    local *RM;
    my $pid = open RM, '-|';

    unless (defined $pid)
    {
	carp "Can't fork ($!)\n";
	return 0;
    }

    unless ($pid)
    {
	# need to parse output, ensure it's not localised
	delete $ENV{$_} for grep /^(LC_|LANG(UAGE)?$)/, keys %ENV;

	exec '/bin/rm', '-rvf', @paths
	    or croak "Can't exec /bin/rm ($!)\n";
    }

    my $count = 0;
    while (<RM>)
    {
	# each line of rm -v output is one removed entry: count it
	# whether or not we echo it
	$count++;
	next unless $verbose;

	chomp;
	s/'$//;

	if (s/^removed directory: `//)
	{
	    print "rmdir $_\n";
	}
	elsif (s/^removed `//)
	{
	    print "unlink $_\n";
	}
    }

    close RM;

    $count;
}



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286905; Package perl.

Acknowledgement sent to Rafael Garcia-Suarez <rgarciasuarez@mandrakesoft.com>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #19 received at 286905@bugs.debian.org:

From: Rafael Garcia-Suarez <rgarciasuarez@mandrakesoft.com>
To: Brendan O'Dea <bod@debian.org>
Cc: Paul Szabo <psz@maths.usyd.edu.au>, 286905@bugs.debian.org, Perl5 Porters <perl5-porters@perl.org>
Subject: Re: Bug#286905: perl-modules: File::Path::rmtree makes setuid
Date: Wed, 12 Jan 2005 14:15:18 +0100
How does this relate to the Debian patch 22_fix_file_path
for CAN-2004-0452, which I'm pasting below?

That said, an implementation of rmtree() that uses /bin/rm
isn't suitable for inclusion in perl itself.

http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8.diff.gz
[Adapted from Chip Turner's 5.8.0 patch]
Fix for CAN-2004-0452.  Change chmod's to make files writable/executable
by the current user only and not by the entire world.  chmod's necessary
in the first place but at least this makes them less dangerous.  If, for
some reason the rm process dies halfway through, at worst some files and
dirs were revoked from others, not made available.

--- lib/File/Path.pm    2001-03-21 04:40:22.000000000 +1100
+++ lib/File/Path.pm    2004-12-22 23:46:54.000000000 +1100
@@ -174,7 +174,7 @@
            # it's also intended to change it to writable in case we have
            # to recurse in which case we are better than rm -rf for
            # subtrees with strange permissions
-           chmod(0777, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
+           chmod(0700, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
              or carp "Can't make directory $root read+writeable: $!"
                unless $safe;
 
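Review bot: the chmod at `chmod(0700, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))` is still a path-based chmod issued after a separate lstat, so a directory swapped for a symlink between the two calls is still chmod'ed at the link target. Narrowing the mode from 0777 to 0700 limits what the target gains (no group/other bits) but does not close the window; the call needs an identity check (chdir into $root, compare stat '.' against the lstat'ed dev/ino, chmod '.') or should be dropped, and the carp text "read+writeable" no longer describes the mode being applied.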
@@ -202,7 +202,7 @@
                print "skipped $root\n" if $verbose;
                next;
            }
-           chmod 0777, $root
+           chmod 0700, $root
              or carp "Can't make directory $root writeable: $!"
                if $force_writeable;
            print "rmdir $root\n" if $verbose;
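Review bot: this hunk only changes the mode used by the `$force_writeable` chmod before rmdir; the `chmod($rp, ...)` that restores the recorded mode when rmdir fails, which is the path the report uses to set setuid on /bin/sh, lies outside this diff and is unchanged, so the patch addresses CAN-2004-0452 but not the setuid race reported here. If that restore is kept it needs the same dev/ino re-check of $root before applying $rp, and it should at least be skipped when neither $force_writeable nor the earlier chmod ran.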
@@ -224,7 +224,7 @@
                print "skipped $root\n" if $verbose;
                next;
            }
-           chmod 0666, $root
+           chmod 0600, $root
              or carp "Can't make file $root writeable: $!"
                if $force_writeable;
            print "unlink $root\n" if $verbose;
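Review bot: `chmod 0600, $root` on a file still follows a symlink while the `unlink` that follows does not, so if $root was replaced by a symlink between the lstat and this line the chmod lands on the link target and the unlink removes only the link. With 0666 the attacker gained write access to the target; with 0600 they can instead strip group/other access from any file (a denial of service against, say, a world-readable configuration file), so the chmod should be skipped or guarded by an identity check rather than merely narrowed.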




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286905; Package perl.

Acknowledgement sent to psz@maths.usyd.edu.au (psz@maths.usyd.edu.au):
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #24 received at 286905@bugs.debian.org:

From: psz@maths.usyd.edu.au (psz@maths.usyd.edu.au)
To: bod@debian.org, rgarciasuarez@mandrakesoft.com
Cc: 286905@bugs.debian.org, perl5-porters@perl.org
Subject: Re: Bug#286905: perl-modules: File::Path::rmtree makes setuid
Date: Thu, 13 Jan 2005 05:23:46 +1100
Brendan O'Dea <bod@debian.org> wrote:

> both of these issues obviously stem from the same root cause--a race
> between generating a list of files, then manipulating that list.

The first issue "also" relies on Path.pm trying to be clever:

	    # notabene: 0777 is for making readable in the first place,
	    # it's also intended to change it to writable in case we have
	    # to recurse in which case we are better than rm -rf for 
	    # subtrees with strange permissions

> I don't really see that this is fixable outside of rewriting rmtree to
> recursively chdir+readdir+unlink.
> Given that there are possible pitfalls even with this approach (cf. 
> CVE-2002-0435) ...

That pitfall is known and easily avoided by double-checking inodes.

>            ... I'm considering punting the problem to fileutils,
> replacing rmtree entirely with the attached subroutine.
> [p5p:] If anyone had a cleaner (and cross-platform) fix, I'd love to
> hear of it.

I am not sure that all platforms have fileutils: no -v option on rm.
(Tru64 doesn't.)


Rafael Garcia-Suarez <rgarciasuarez@mandrakesoft.com> wrote:

> How does this relate to the Debian patch 22_fix_file_path
> for CAN-2004-0452 ? ...

CAN-2004-0452 exploited the "chmod 0777", the fix changed the mode
to 0700 (and 0666 to 0600) but did not avoid the race.

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286905; Package perl.

Acknowledgement sent to Aaron Sherman <ajs@ajs.com>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #29 received at 286905@bugs.debian.org:

From: Aaron Sherman <ajs@ajs.com>
To: "Brendan O'Dea" <bod@debian.org>
Cc: 286905@bugs.debian.org, Perl5 Porters List <perl5-porters@perl.org>
Subject: Re: Bug#286905: perl-modules: File::Path::rmtree makes setuid
Date: Wed, 12 Jan 2005 17:02:41 -0500
On Wed, 2005-01-12 at 07:45, Brendan O'Dea wrote:

> >Example of attack: suppose we know that root uses rmtree to clean up
> >/tmp directories.
[...]
> >Root would have recorded the permissions of /tmp/psz/sh, but would
> >"restore" it to /bin/sh.

I'll discuss this one, below with my reply to Brendan.

As a general response: the solution to this and any number of other
vulnerabilities is a system that presents filesystem multi-stage
transactions. That's not something Perl can rely on, but it's certainly
something Perl should support when it does exist (perhaps Reiser has
already gone there?)

Ok, now back to reality:

> >Following on from the "File::Path::rmtree makes setuid" issue, I notice
> >that rmtree may be tricked into removing arbitrary files.
> >
> >Example of attack: suppose we know that root uses rmtree to clean up
> >/tmp directories. Attacker prepares things:

You cited a general solution, and it's a good one. You have to chdir
into the directory and then readdir, restoring state as you go back up.

You also need to sanity check using Cwd and File::Spec before and after
the chdir to make sure that you didn't get hijacked.

> [p5p:] If anyone had a cleaner (and cross-platform) fix, I'd love to
> hear of it.

Well, certainly relying on rm (and you assumed a "-v" option which,
AFAIK implies GNU rm specifically) is right out. I'm sure others will
say the same.

Also, I don't see the value in changing permissions.

I understand WHY you want to do this, but it's far better to tell the
programmer calling rmtree that they might have to fix permissions before
calling rmtree. Otherwise, rmtree is doing exactly what your permissions
told it to, and you might have done that for a reason. Is it any worse
to have a developer say, "I made that directory read-only to all, but
rmtree nuked it!" vs. "I made that directory read-only to all, and
rmtree didn't nuke it!"? I can make that argument either way with just
as much sincerity and "oh my gods, you can't do this to me!" pleading as
I'm sure you've heard on this in the past... solution: punt.

Quick fix? Reduce the race by making any changes just before and just
after an operation, not in preparation for a whole directory. Now you
still have a problem, but a smaller one.

Further reduce the problem by using device/inode information from stat
on platforms where it is available. You can't make this atomic, but when
you need to do:

        make_change();
	if (! do_something()) {
		revert_change();
	}

checking just before revert_change() will reduce the race substantially.
Also, consider writing sanity-checking wrappers that handle all of this,
so that future additions don't have to boiler-plate your security code.

-- 
☎ 781-324-3772
✉ ajs@ajs.com
☷ http://www.ajs.com/~ajs




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#286905; Package perl.

Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.

Message #34 received at 286905@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Aaron Sherman <ajs@ajs.com>
Cc: 286905@bugs.debian.org, Paul Szabo <psz@maths.usyd.edu.au>, Perl5 Porters List <perl5-porters@perl.org>
Subject: Re: Bug#286905: perl-modules: File::Path::rmtree makes setuid
Date: Mon, 24 Jan 2005 22:31:21 +1100
On Wed, Jan 12, 2005 at 05:02:41PM -0500, Aaron Sherman wrote:
>> [p5p:] If anyone had a cleaner (and cross-platform) fix, I'd love to
>> hear of it.
>
>Well, certainly relying on rm (and you assumed a "-v" option which,
>AFAIK implies GNU rm specifically) is right out. I'm sure others will
>say the same.

Sure, it was proposed as a quick hack for the Debian package, where it
is safe to assume /bin/rm is from GNU coreutils.

If it weren't for the requirement to retain the current API (returning
the number of deletions, and verbose output) then a thin wrapper around

  system 'rm', '-rf', @paths

would suffice for POSIX systems.

>Quick fix? Reduce the race by making any changes just before and just
>after an operation, not in preparation for a whole directory. Now you
>still have a problem, but a smaller one.

A race is a race, no matter how small the window.

--bod



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286905; Package perl.

Acknowledgement sent to Arne Wichmann <aw@net.in.tum.de>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #39 received at 286905@bugs.debian.org:

From: Arne Wichmann <aw@net.in.tum.de>
To: 286905@bugs.debian.org
Subject: perl-modules: File::Path::rmtree makes setuid
Date: Tue, 8 Feb 2005 17:14:44 +0100
Hi. As this Bug is now lying around for more than one month I decided to
look into a fix. It is not a very beautiful one, it is only partially
tested and it only works for systems which can fork, so please look over it
before applying it.

The idea is to fork off a process, change into the directory, make sure the
directory has the same inode which was originally used, and then change
permissions. fchmod would have been much easier.

A diff follows:

-- snip --
--- Path.pm     2005-02-08 13:23:10.000000000 +0100
+++ Path.pm.new 2005-02-08 17:13:04.000000000 +0100
@@ -189,7 +189,7 @@
        } else {
            $root =~ s#/\z##;
        }
-       (undef, undef, my $rp) = lstat $root or next;
+       (undef, my $ino, my $rp) = lstat $root or next;
        $rp &= 07777;   # don't forget setuid, setgid, sticky bits
        if ( -d _ ) {
            # notabene: 0700 is for making readable in the first place,
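Review bot: the identity check records only the inode number (`(undef, my $ino, my $rp) = lstat $root`) and not the device; inode numbers are unique only within one filesystem, so a directory replaced by a symlink to a directory on another filesystem that happens to share the inode number would pass the later comparison. Capture the device as well (`(my $dev, my $ino, my $rp) = lstat $root`) and compare both fields in the child.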
@@ -239,9 +239,25 @@
            }
            else {
                carp "Can't remove directory $root: $!";
-               chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
+               # this avoids a race condition which would occur if someone
+               # replaced $root while we were working on it. I would have
+               # preferred to use fchmod, but this seems not to be
+               # supported in perl. -- AW
+               my($fork)=fork;
+               if ($fork<0) {carp("and cannot fork: $!");}
+               elsif ($fork>0) { # parent
+                 waitpid($fork,0);
+               } else { # child
+                 chdir($root) or carp("and cannot change to $root: $!");
+                 (undef,my($rino))=lstat(".");
+                 $rino==$ino or carp(
+                   "and someone replaced $root while I was working on it\n");
+                 $rino==$ino
+                   and chmod($rp,($Is_VMS ? VMS::Filespec::fileify(".") : "."))
                    or carp("and can't restore permissions to "
                            . sprintf("0%o",$rp) . "\n");
+                 exit(0);
+               }
            }
        }
        else { 
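Review bot: in the child, a failed `chdir($root)` only carps and then falls through to `lstat(".")` on the parent's working directory, which produces the misleading "someone replaced $root" message; the child should exit right after the failed chdir. The mismatch branch also reports twice, because `$rino==$ino and chmod(...) or carp(...)` parses as `($rino==$ino and chmod(...)) or carp(...)`, so an inode mismatch carps both "someone replaced" and "can't restore permissions". Finally the child always does `exit(0)`, so the parent's `waitpid` cannot tell whether the restore happened; exit non-zero on the failure paths and check `$?` after waitpid. As in the first hunk, comparing `$rino` alone without the device is incomplete.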
-- snip --

I hope this helps.

cu

AW
-- 
<ThePhonk> *empties a bag of brackets over a variable* Dereference yourself, you wretch!

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#286905; Package perl.

Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list.

Message #44 received at 286905@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: Thierry Carrez <koon@gentoo.org>
Cc: vendor-sec@lst.de, Mark J Cox <mjc@redhat.com>, Matt Zimmerman <mdz@debian.org>, cturner@redhat.com, Perl5 Porters <perl5-porters@perl.org>, Paul Szabo <psz@maths.usyd.edu.au>, 286905@bugs.debian.org
Subject: Re: [vendor-sec] CAN-2004-0452 File::Path::rmtree() vulnerability
Date: Sat, 12 Feb 2005 11:07:09 +1100
On Fri, Feb 04, 2005 at 03:32:05PM +0100, Thierry Carrez wrote:
>Brendan O'Dea wrote:
>
>> Seems a pretty clean fix, I've applied this to Debian's 5.8.4-5 package. 
>
>Paul Szabo brought to our attention that the fix for CAN-2004-0452 does
>not handle all race conditions cases and that rmtree is still vulnerable :
>
>=============================================
>Just changing the chmod to 0700 and 0600 instead of 0777 and 0666
>does NOT solve the issue. The chmod change was for another, but related,
>problem. See bugs.debian.org/286905 and 286922.
>=============================================
>
>Apparently discussion still rages on how this would best be fixed.
>Any clue ?

Well actually, discussion doesn't rage at all as to how this should be
fixed.

Basically it's been acknowledged as a problem, but one that requires
more than a trivial patch to rmtree to correct, so as such is currently
languishing until such time as rmtree is rewritten to remove the race
condition.

I was kind of hoping that someone else would tackle that task since I
don't really regard myself as a security expert and didn't want to make
the problem worse by introducing new, different security issues with a
recursive implementation.

However in the absence of any alternate suggestion, I've appended a
first-cut rmtree replacement.

For the moment I've ignored the third argument entirely; tempted to do
so permanently.

I've also ignored $Is_VMS and $Is_MacOS; will need some input from
perl5-porters as to what changes are required to support those
platforms.

--bod

use strict;
use warnings;
use Carp;
use Cwd 'getcwd';

sub _rmtree;
sub _rmtree
{
    my ($path, $prefix, $up, $up_dev, $up_ino, $verbose) = @_;

    my ($dev, $ino) = lstat $path or return 0;
    unless (-d _)
    {
	unlink $path or return 0;
	print "unlink $prefix$path\n" if $verbose;
	return 1;
    }

    chdir $path or return 0;

    # avoid a race condition where a directory may be replaced by a
    # symlink between the lstat and the chdir
    my ($new_dev, $new_ino) = stat '.';
    unless ("$new_dev:$new_ino" eq "$dev:$ino")
    {
	croak "Directory $prefix$path changed before chdir, aborting\n";
    }

    my $count = 0;
    if (opendir my $dir, '.')
    {
	my $entry;
	while (defined ($entry = readdir $dir))
	{
	    next if $entry =~ /^\.\.?$/;
	    $count += _rmtree $entry, "$prefix$path/", '..', $dev, $ino,
		$verbose;
	}

	closedir $dir;
    }

    # don't leave the caller in an unexpected directory
    unless (chdir $up)
    {
	croak "Can't return to $up from $prefix$path ($!)\n";
    }

    # ensure that a chdir ..  didn't take us somewhere other than
    # where we expected (see CVE-2002-0435)
    unless (($new_dev, $new_ino) = stat '.'
	and "$new_dev:$new_ino" eq "$up_dev:$up_ino")
    {
	croak "Previous directory $up changed since entering $prefix$path\n";
    }

    if (rmdir $path)
    {
	print "rmdir $prefix$path\n" if $verbose;
	$count++;
    };

    return $count;
}

sub rmtree
{
    my ($p, $verbose) = @_;
    $p = [] unless defined $p and length $p;
    $p = [ $p ] unless ref $p;
    my @paths = grep defined && length, @$p;

    unless (@paths)
    {
	carp "No root path(s) specified\n";
	return;
    }

    my $oldpwd = getcwd or do {
	carp "Can't fetch initial working directory\n";
	return;
    };

    my ($dev, $ino) = stat '.' or do {
	carp "Can't stat initial working directory\n";
	return;
    };

    my $count = 0;
    for my $path (@paths)
    {
	$count += _rmtree $path, '', $oldpwd, $dev, $ino, $verbose;
    }

    $count;
}



Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286905; Package perl.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #49 received at 286905@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 286905@bugs.debian.org
Subject: Re: CAN-2004-0452 File::Path::rmtree() vulnerability
Date: Wed, 16 Feb 2005 19:40:02 +0100
This has been assigned CAN-2005-0448.

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.



Reply sent to Brendan O'Dea <bod@debian.org>:
You have taken responsibility.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.

Message #54 received at 286905-close@bugs.debian.org:

From: Brendan O'Dea <bod@debian.org>
To: 286905-close@bugs.debian.org
Subject: Bug#286905: fixed in perl 5.8.4-7
Date: Mon, 07 Mar 2005 01:47:15 -0500
Source: perl
Source-Version: 5.8.4-7

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.4-7_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb
libperl-dev_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb
libperl-dev_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb
libperl-dev_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb
libperl5.8_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb
libperl5.8_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb
libperl5.8_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_sparc.deb
perl-base_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-base_5.8.4-7_i386.deb
perl-base_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_powerpc.deb
perl-base_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_sparc.deb
perl-debug_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_i386.deb
perl-debug_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_powerpc.deb
perl-debug_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_sparc.deb
perl-doc_5.8.4-7_all.deb
  to pool/main/p/perl/perl-doc_5.8.4-7_all.deb
perl-modules_5.8.4-7_all.deb
  to pool/main/p/perl/perl-modules_5.8.4-7_all.deb
perl-suid_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_i386.deb
perl-suid_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_powerpc.deb
perl-suid_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_sparc.deb
perl_5.8.4-7.diff.gz
  to pool/main/p/perl/perl_5.8.4-7.diff.gz
perl_5.8.4-7.dsc
  to pool/main/p/perl/perl_5.8.4-7.dsc
perl_5.8.4-7_i386.deb
  to pool/main/p/perl/perl_5.8.4-7_i386.deb
perl_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl_5.8.4-7_powerpc.deb
perl_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl_5.8.4-7_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <bod@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  7 Mar 2005 10:22:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc 
Version: 5.8.4-7
Distribution: unstable
Urgency: low
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Brendan O'Dea <bod@debian.org>
Description: 
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-suid  - Runs setuid Perl scripts
Closes: 178243 198855 250877 255919 256731 263325 275142 281091 281092 281437 286905 286922 289709
Changes: 
 perl (5.8.4-7) unstable; urgency=low
 .
   * SECURITY [CAN-2005-0448]: rewrite File::Path::rmtree to avoid race
     condition which allows an attacker with write permission on
     directories in the tree being removed to make files setuid or to
     remove arbitrary files (closes: #286905, #286922).  Supersedes
     the previous patch for CAN-2004-0452.
 .
   * Add PERL_DEBUGGING_MSTATS for debugperl (closes: #178243).
   * Escape dashes in verbatim text to have groff render them as-is
     rather than as \x{2010} (closes: #250877).
 .
   * CGI: handle escaped newlines in URLs (closes: #289709).
   * Net::NNTP: fix precedence error in article routine (closes: #275142).
   * Devel::Dprof: refer to executable as `perl' (closes: #198855).
   * Remove spurious undefined warning in getopts.pl (closes: #255919).
   * Remove XSI-isms from maintainer scripts (closes: #256731).
   * Revise MakeMaker patch to defer expansion of $(MANnEXT) until
     runtime (closes: #263325).
 .
   * Normalise case of a2p man page OPTIONS section, place optional
     filename in brackets (closes: #281091, #281092).
 .
   * Fix octal glitch in perlreref(1) (closes: #281437).
   * Have perl suggest both ReadLine variants (gnu, perl).
   * Upgrade suggestion on perl-doc to recommends now that dselect is
     less pedantic about the latter.
Files: 
 06d6c960bf7c8b7b7ce66e73bc689a86 3509162 perl standard perl_5.8.4-7_powerpc.deb
 11a48c92fe6046185a1003394c28c1f9 7052380 doc optional perl-doc_5.8.4-7_all.deb
 15d16eb40fc29280a13b901aa6f4d70a 775246 base required perl-base_5.8.4-7_sparc.deb
 2e89765c8eedf6af4fd3636a3922539c 3547364 perl standard perl_5.8.4-7_sparc.deb
 3692cc87735524ef57ceeed24d60f686 567012 libdevel optional libperl-dev_5.8.4-7_i386.deb
 3aa29703d71dbb2fa5f9c4b8b8b203c7 624940 libdevel optional libperl-dev_5.8.4-7_powerpc.deb
 463e43a1c602f74a385bd414e5f752a8 3840696 perl optional perl-debug_5.8.4-7_sparc.deb
 4e7ab56ca74d59f1d98c3147a3a71138 3736402 perl optional perl-debug_5.8.4-7_i386.deb
 61d993933b3a08b0049462a802766220 31698 perl optional perl-suid_5.8.4-7_i386.deb
 6b236605cdb5beb02219ad1f2bb198f8 1034 libs optional libperl5.8_5.8.4-7_powerpc.deb
 6dc36144aca73c10ec9f324117f3acde 38036 perl extra libcgi-fast-perl_5.8.4-7_all.deb
 c861bb89e40c2723b2ce9f0525b22e6b 726 perl standard perl_5.8.4-7.dsc
 8347b722dbee125c18d631bf5ca474ac 31032 perl optional perl-suid_5.8.4-7_sparc.deb
 8d2973686564a7444c23847da092d840 3700708 perl optional perl-debug_5.8.4-7_powerpc.deb
 95e330d949521ee026a7148b4ca014d5 2178102 perl standard perl-modules_5.8.4-7_all.deb
 987b4cfbb284707e1f84f66a72232b5e 508830 libs optional libperl5.8_5.8.4-7_i386.deb
 9db0cfba5fc66c4a0c8279606a91bd94 1034 libs optional libperl5.8_5.8.4-7_sparc.deb
 9f4c86deaa8aa3f377d4ce8ccf3cda76 789658 base required perl-base_5.8.4-7_powerpc.deb
 ab32aebec33b748b0ccaf0e52cb77a69 582240 libdevel optional libperl-dev_5.8.4-7_sparc.deb
 bd4a96454f9a6b6dca5fcc54a24fe350 86680 perl standard perl_5.8.4-7.diff.gz
 e4418c5838c05452631dbd1d561a2312 751654 base required perl-base_5.8.4-7_i386.deb
 e69b276f51914a16eb2d6ac5e09f4f96 33576 perl optional perl-suid_5.8.4-7_powerpc.deb
 fab241c803816d886180d671ac0334f2 3238062 perl standard perl_5.8.4-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCK/Y68NyOALKMWZURAuCYAKCxlPgMf40kHc1sF1iiHMOOiVA7AQCcCA/h
mpgXx7fsS2scjvHL021Ieto=
=8WTG
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286905; Package perl. Full text and rfc822 format available.

Acknowledgement sent to Micah Anderson <micah@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #59 received at 286905@bugs.debian.org (full text, mbox):

From: Micah Anderson <micah@debian.org>
To: 286905@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CAN-2005-0448 and woody
Date: Thu, 17 Mar 2005 23:37:48 -0600
[Message part 1 (text/plain, inline)]
reopen 286905
tag 286905 + woody
thanks

As noted on debian-security:

#286905 fixes CAN-2005-0448 for testing's perl (5.8.4-7), however it
leaves it unfixed in stable's version (5.6.1-8.8), which is also
affected (according to http://www.securityfocus.com/bid/12767), so
this bug should not be closed. 

[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Micah Anderson <micah@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: woody Request was from Micah Anderson <micah@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#286905; Package perl. Full text and rfc822 format available.

Acknowledgement sent to Brendan O'Dea <bod@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #68 received at 286905@bugs.debian.org (full text, mbox):

From: Brendan O'Dea <bod@debian.org>
To: Micah Anderson <micah@debian.org>, 286905@bugs.debian.org
Subject: Re: Bug#286905: CAN-2005-0448 and woody
Date: Sat, 19 Mar 2005 12:51:46 +1100
On Thu, Mar 17, 2005 at 11:37:48PM -0600, Micah Anderson wrote:
>#286905 fixes CAN-2005-0448 for testing's perl (5.8.4-7), however it
>leaves it unfixed in stable's version (5.6.1-8.8), which is also
>affected (according to http://www.securityfocus.com/bid/12767), so
>this bug should not be closed. 

I've sent a new source package to the security team.

--bod



Tags added: fixed Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug closed, send any further explanations to Paul Szabo <psz@maths.usyd.edu.au> Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug unarchived. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:12:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286905; Package perl. (Thu, 27 Nov 2008 19:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. (Thu, 27 Nov 2008 19:27:03 GMT) Full text and rfc822 format available.

Message #85 received at 286905@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 286905@bugs.debian.org, 286922@bugs.debian.org
Subject: CVE-2005-0448 resurfaced
Date: Thu, 27 Nov 2008 21:25:04 +0200
[Message part 1 (text/plain, inline)]
unmerge 286922
found 286905 5.8.8-1
found 286922 5.8.8-1
fixed 286922 5.10.0-1
thanks

As discussed around

 http://www.gossamer-threads.com/lists/perl/porters/233695#233695

CVE-2005-0448 (File::Path::rmtree races) has resurfaced and is present
in all of etch, lenny, and sid.

To be precise, CVE-2005-0448 was about two bugs (#286922 and #286905).
Both of those apply to the etch package, while only #286905 applies to
the lenny/sid package.

I'm unsure if this needs a new CVE id.

For etch, I see no option but to reintroduce the File::Path::rmtree()
implementation by Brendan O'Dea originally introduced in 5.8.4-7. I'm
attaching the diff (debian/patches/03_fix_file_path from 5.8.7-x).
I have informed the security team and they will look at this.

For lenny/sid, #286922 is fixed and the attached patch combined from
File-Path-2.07 and 

 http://www.gossamer-threads.com/lists/perl/porters/233699#233699

should fix #286905. Please note that the above message seems to have
the CVE ids confused; I think CVE-2004-0452 is really fixed for good.

I'll upload 5.10.0-18 with the patch at urgency=high soon, hope it can
make it into lenny without a separate testing-security package.

I'd love more eyeballs on this. I've been able to exploit the issues
with breakpoints in the perl debugger and the patches seem to work.
-- 
Niko Tyni   ntyni@debian.org
[etch_03_fix_file_path (text/plain, attachment)]
[sid_fix_file_path (text/plain, attachment)]

Disconnected #286922 from all other report(s). Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:27:05 GMT) Full text and rfc822 format available.

Bug marked as found in version 5.8.8-1 and reopened. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:27:06 GMT) Full text and rfc822 format available.

Tags set to: security, etch, lenny, sid Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:48:06 GMT) Full text and rfc822 format available.

Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Thu, 27 Nov 2008 21:30:06 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. (Thu, 27 Nov 2008 21:30:07 GMT) Full text and rfc822 format available.

Message #96 received at 286905-close@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 286905-close@bugs.debian.org
Subject: Bug#286905: fixed in perl 5.10.0-18
Date: Thu, 27 Nov 2008 21:18:05 +0000
Source: perl
Source-Version: 5.10.0-18

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.0-18_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.10.0-18_all.deb
libperl-dev_5.10.0-18_i386.deb
  to pool/main/p/perl/libperl-dev_5.10.0-18_i386.deb
libperl5.10_5.10.0-18_i386.deb
  to pool/main/p/perl/libperl5.10_5.10.0-18_i386.deb
perl-base_5.10.0-18_i386.deb
  to pool/main/p/perl/perl-base_5.10.0-18_i386.deb
perl-debug_5.10.0-18_i386.deb
  to pool/main/p/perl/perl-debug_5.10.0-18_i386.deb
perl-doc_5.10.0-18_all.deb
  to pool/main/p/perl/perl-doc_5.10.0-18_all.deb
perl-modules_5.10.0-18_all.deb
  to pool/main/p/perl/perl-modules_5.10.0-18_all.deb
perl-suid_5.10.0-18_i386.deb
  to pool/main/p/perl/perl-suid_5.10.0-18_i386.deb
perl_5.10.0-18.diff.gz
  to pool/main/p/perl/perl_5.10.0-18.diff.gz
perl_5.10.0-18.dsc
  to pool/main/p/perl/perl_5.10.0-18.dsc
perl_5.10.0-18_i386.deb
  to pool/main/p/perl/perl_5.10.0-18_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 21 Nov 2008 00:49:57 +0200
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.0-18
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 286905
Changes: 
 perl (5.10.0-18) unstable; urgency=high
 .
   * [SECURITY] CVE-2005-0448 revisited: File::Path::rmtree no longer
     allows creating of setuid files. (Closes: #286905)
Checksums-Sha1: 
 171bc598ef035e6a378c9c8e81d8c7bb49df22f0 1307 perl_5.10.0-18.dsc
 b53e28cd1ea933d725a2a1ffd35346a3fc7b9fc3 135235 perl_5.10.0-18.diff.gz
 3b0b558c75d6f93f04e948890540b5efe5649ab9 44216 libcgi-fast-perl_5.10.0-18_all.deb
 45bc807c81a605c3a204663817a06b6e27ed7238 8214774 perl-doc_5.10.0-18_all.deb
 96efc7b35da591651e3b699b2eb6256bff0ca4e7 3188612 perl-modules_5.10.0-18_all.deb
 7470186887201a96e1d1a75bbf01aabb9a27c6a4 971098 perl-base_5.10.0-18_i386.deb
 1f0a713f22b425187f8ccad99f9af3911d38d258 6679902 perl-debug_5.10.0-18_i386.deb
 4391064616a619b021489eff8d7e11c5d38aeaeb 29648 perl-suid_5.10.0-18_i386.deb
 1896640960d462b753d970423e3ecbd252ad0724 623280 libperl5.10_5.10.0-18_i386.deb
 ed80284675d9890eccf70210f53357c8c8b680be 2356604 libperl-dev_5.10.0-18_i386.deb
 e3edadcc0db087a9db318e7c6ec4720d58bf513a 4542852 perl_5.10.0-18_i386.deb
Checksums-Sha256: 
 7cfa74a71d760095fb65e80c97daa636fce4f35896c3ef1312fcedf242979fb8 1307 perl_5.10.0-18.dsc
 204e9bdd2d2182a7c01ad689c265eb8d6cfb2f2acfbbb29a9a761c44428b65d3 135235 perl_5.10.0-18.diff.gz
 a2039a02f016dc385e1792f627eccc2a0186e1b573ce235f4ac211eba804cdd0 44216 libcgi-fast-perl_5.10.0-18_all.deb
 37fcfa22dee8e193462f0e788efb9b632fcfd29852708f780a9b5bcf69b4bae5 8214774 perl-doc_5.10.0-18_all.deb
 df3e19ba3c63c75a2bf12919ce6d8fa3cce4e65efa48b7c28176bcf9a73e94dd 3188612 perl-modules_5.10.0-18_all.deb
 cc5aaf43abcb376ebd54f25602b244ebf0256d9e1ae2d5e411521eadce9bfe0b 971098 perl-base_5.10.0-18_i386.deb
 e45374d585152936d49da3a0f569590b3ac4a2a7a8b633d9cb5e9c383a7be725 6679902 perl-debug_5.10.0-18_i386.deb
 ee5aceaa881e49474ca6770d50ee8223559a6c8596da7a48e6e2aab6dad96c66 29648 perl-suid_5.10.0-18_i386.deb
 b45e3df967781848ab67e622ef715799bbcfb015bd27daa614fdf588b030ee22 623280 libperl5.10_5.10.0-18_i386.deb
 24980c2eac4511f2d1b331d04e0d1849eeafe15e42c3f486450d5c88211738db 2356604 libperl-dev_5.10.0-18_i386.deb
 c17fd9a4f96867907129663490e151b8bb0381db3461e5ab3e8210c3c3d70efa 4542852 perl_5.10.0-18_i386.deb
Files: 
 c0b3359faf4c23db04f07f45e647ffb1 1307 perl standard perl_5.10.0-18.dsc
 2f7b335f9b9f0c092d5748207ef9cc6b 135235 perl standard perl_5.10.0-18.diff.gz
 b8f51a9f0acf5f19c6b7456e890402ed 44216 perl optional libcgi-fast-perl_5.10.0-18_all.deb
 a8d335dba4babbd739c0f419f10d709f 8214774 doc optional perl-doc_5.10.0-18_all.deb
 253adac6efbba5c16323ebb29ddcd723 3188612 perl standard perl-modules_5.10.0-18_all.deb
 9b5eb5a132f323014e07868313cdb4a4 971098 perl required perl-base_5.10.0-18_i386.deb
 4a6a89e4ce667e2642524ea22502ed10 6679902 perl optional perl-debug_5.10.0-18_i386.deb
 1636a3f671cc46988d5f254386328cda 29648 perl optional perl-suid_5.10.0-18_i386.deb
 2ff3db485f93850b58a78fcf515001d2 623280 libs optional libperl5.10_5.10.0-18_i386.deb
 b461ccec626b25e1a290c3629d53ac0a 2356604 libdevel optional libperl-dev_5.10.0-18_i386.deb
 1d62128611ab83bef79ddadc8d32396c 4542852 perl standard perl_5.10.0-18_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkl9f8ACgkQiyizGWoHLTnnTACfeRJvh0az6jSwfMYELvIV8+i1
zbsAoLWg3YE48Vm306OhGRUe9L70m16M
=M5do
-----END PGP SIGNATURE-----

Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Fri, 09 Jan 2009 02:09:02 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. (Fri, 09 Jan 2009 02:09:02 GMT) Full text and rfc822 format available.

Message #101 received at 286905-close@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 286905-close@bugs.debian.org
Subject: Bug#286905: fixed in perl 5.8.8-7etch5
Date: Fri, 09 Jan 2009 01:52:21 +0000
Source: perl
Source-Version: 5.8.8-7etch5

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.8-7etch5_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch5_all.deb
libperl-dev_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.8-7etch5_i386.deb
libperl5.8_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.8-7etch5_i386.deb
perl-base_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-base_5.8.8-7etch5_i386.deb
perl-debug_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-debug_5.8.8-7etch5_i386.deb
perl-doc_5.8.8-7etch5_all.deb
  to pool/main/p/perl/perl-doc_5.8.8-7etch5_all.deb
perl-modules_5.8.8-7etch5_all.deb
  to pool/main/p/perl/perl-modules_5.8.8-7etch5_all.deb
perl-suid_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-suid_5.8.8-7etch5_i386.deb
perl_5.8.8-7etch5.diff.gz
  to pool/main/p/perl/perl_5.8.8-7etch5.diff.gz
perl_5.8.8-7etch5.dsc
  to pool/main/p/perl/perl_5.8.8-7etch5.dsc
perl_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl_5.8.8-7etch5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 20 Nov 2008 22:45:54 +0200
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: source i386 all
Version: 5.8.8-7etch5
Distribution: stable-security
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 286905 286922
Changes: 
 perl (5.8.8-7etch5) stable-security; urgency=high
 .
   * SECURITY [CAN-2005-0448]: re-rewrite File::Path::rmtree to avoid race
     condition which allows an attacker with write permission on
     directories in the tree being removed to make files setuid or to
     remove arbitrary files (Closes: #286905, #286922).
     .
     The race condition was fixed in 5.8.4-7 but re-introduced in 5.8.8-1.
Files: 
 a57837967b7420057558cab7efca9202 750 perl standard perl_5.8.8-7etch5.dsc
 cfd4c3d27c5a7a342c441383867dae89 105052 perl standard perl_5.8.8-7etch5.diff.gz
 9dfa8758852aadcaadb2edbdfa17f942 41082 perl optional libcgi-fast-perl_5.8.8-7etch5_all.deb
 3baade38d4a703ae7db0e2f7d7b2df62 7378812 doc optional perl-doc_5.8.8-7etch5_all.deb
 dc45e7d6fbedf992db42f31326457df2 2316518 perl standard perl-modules_5.8.8-7etch5_all.deb
 40254226d8ae5963a908661350816f0c 762200 perl required perl-base_5.8.8-7etch5_i386.deb
 7149381d9862cc1ebd20092fae76dda9 2491980 perl optional perl-debug_5.8.8-7etch5_i386.deb
 59d70d1ee4f0e7584230095ca079ceb7 32070 perl optional perl-suid_5.8.8-7etch5_i386.deb
 c511226a2cbddb98a170c8f563d6670a 527162 libs optional libperl5.8_5.8.8-7etch5_i386.deb
 f3f34d325de643667d4c12f897a15f48 585396 libdevel optional libperl-dev_5.8.8-7etch5_i386.deb
 bdcb99ed51d06b1639d98a661ce42d58 3589118 perl standard perl_5.8.8-7etch5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkxTPsACgkQiyizGWoHLTn0OgCdGI24OjO5S7gb+Vh2qRcSOJYL
U7gAnRXL7Wbcotrdf0cWNYj4zbMweEj5
=8aRt
-----END PGP SIGNATURE-----
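The race that the changelog entry above and Niko Tyni's earlier message describe, modelled in Python as an added example. This is not perl's File::Path code and not the Debian patches (those are attachments not reproduced on this page); rmtree_racy, rmtree_safe, demo and the attacker hook are this example's own names. The hook is called at the racy point so the other process "wins" deterministically, much as the breakpoints in the perl debugger were used on the page; the files and directories demo creates are constructed fixtures.

```python
# Added example (not perl's File::Path code, nor anything from this bug's
# participants): a model of the rmtree race and an fd-relative removal that
# closes it. rmtree_racy, rmtree_safe, demo and attacker are this example's own.
import errno
import os
import shutil
import stat
import tempfile


def rmtree_racy(root, attacker=lambda path: None):
    """Vulnerable pattern, as in the rmtree lines quoted in the report: lstat
    by path, recurse, rmdir by path, and on failure restore the recorded mode
    by path. chmod(2) follows symlinks, so a directory the attacker swapped
    for a symlink hands its mode, setuid bit included, to the link target."""
    st = os.lstat(root)
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(root)
        return
    mode = stat.S_IMODE(st.st_mode)          # keeps setuid, setgid, sticky
    for name in os.listdir(root):
        rmtree_racy(os.path.join(root, name), attacker)
    attacker(root)                           # race window: dir is empty now
    try:
        os.rmdir(root)
    except OSError:
        os.chmod(root, mode)                 # by path: follows the symlink


def rmtree_safe(root, attacker=lambda path: None):
    """Hardened pattern: open each directory with O_NOFOLLOW, check that the
    opened inode is the one lstat saw, operate on children relative to the
    directory fd, and restore the mode with fchmod on that fd, never by path."""
    st = os.lstat(root)
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(root)
        return
    parent, name = os.path.split(os.path.abspath(root))
    pfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        _rmtree_fd(pfd, name, st, root, attacker)
    finally:
        os.close(pfd)


def _rmtree_fd(pfd, name, expected, path, attacker):
    """Remove directory `name` inside open dir `pfd`; `expected` is its lstat."""
    try:
        fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                     dir_fd=pfd)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOTDIR):   # now a link or a file
            raise RuntimeError(f"{path} changed before open, aborting")
        raise
    try:
        got = os.fstat(fd)
        if (got.st_dev, got.st_ino) != (expected.st_dev, expected.st_ino):
            raise RuntimeError(f"{path} changed before open, aborting")
        for child in os.listdir(fd):
            cst = os.lstat(child, dir_fd=fd)
            if stat.S_ISDIR(cst.st_mode):
                _rmtree_fd(fd, child, cst, os.path.join(path, child), attacker)
            else:
                os.unlink(child, dir_fd=fd)
        attacker(path)                       # same race window as above
        try:
            os.rmdir(name, dir_fd=pfd)
        except OSError:
            os.fchmod(fd, stat.S_IMODE(expected.st_mode))  # the real inode
    finally:
        os.close(fd)


def demo(rmtree):
    """Constructed scenario: `target` stands for a root-owned binary, `victim`
    for an attacker-owned directory in the tree being removed. Returns the
    target's permission bits after `rmtree` has run."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "target")
    with open(target, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(target, 0o755)
    victim = os.path.join(base, "victim")
    os.mkdir(victim)
    open(os.path.join(victim, "junk"), "w").close()
    os.chmod(victim, 0o4700)   # attacker owns victim, so may set setuid on it

    def swap(path):
        # the attacker wins the race: the emptied directory becomes a symlink
        if path == victim:
            os.rmdir(path)
            os.symlink(target, path)

    rmtree(victim, swap)
    result = stat.S_IMODE(os.stat(target).st_mode)
    shutil.rmtree(base)
    return result
```

demo(rmtree_racy) comes back with the attacker's 4700 on the target: the failed rmdir sends chmod down the symlink, which is exactly the "make files setuid" outcome in the changelog. demo(rmtree_safe) leaves 755, because the fchmod is applied to the already unlinked directory inode the fd still refers to. The inode check before recursing covers the other ordering, where the swap lands between lstat and open; O_NOFOLLOW refuses the link and the routine aborts rather than descending into something it never inspected. Python's own shutil.rmtree uses the same dir_fd-relative approach (shutil.rmtree.avoids_symlink_attacks reports whether the platform supports it).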





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Feb 2009 07:26:14 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:00:21 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.