Debian Bug report logs - #286922
perl-modules: File::Path::rmtree removes arbitrary


Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl.

Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Wed, 22 Dec 2004 23:03:04 UTC

Severity: critical

Tags: etch, security

Found in version perl/5.8.8-1

Fixed in versions 5.8.4-7, perl/5.10.0-1, perl/5.8.8-7etch5

Done: Niko Tyni <ntyni@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286922; Package perl-modules.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Brendan O'Dea <bod@debian.org>.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl-modules: File::Path::rmtree removes arbitrary
Date: Thu, 23 Dec 2004 10:00:00 +1100
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Following on from the "File::Path::rmtree makes setuid" issue, I notice
that rmtree may be tricked into removing arbitrary files.

Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:

  mkdir /tmp/psz
  perl -e 'open F, ">/tmp/psz/$_" foreach (1..1000)'
  touch /tmp/psz/passwd

While root is busy working on /tmp/psz (and this can be made as slow as
we like), attacker does:

  mv /tmp/psz /tmp/dummy
  ln -s /etc /tmp/psz

Root will then remove /etc/passwd.

Maybe it should be documented that rmtree must only be used if you can
be sure to have exclusive access to the tree.

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction 
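The attack above works because a path-based rmtree re-resolves "/tmp/psz/<name>" for every unlink, so the rename-and-symlink swap redirects the remaining unlinks into /etc. The following is an added example written for this page (not the reporter's code and not the Debian patch) of the closing of that window: open the directory once, then do every lstat, open, unlink and rmdir relative to that descriptor (`dir_fd`, the `*at` syscalls) with O_NOFOLLOW, and compare st_dev/st_ino after each open. It assumes Linux or another POSIX system where Python (3.7 or later) supports `dir_fd`; `safe_rmtree`, `demo_swap` and the `after_listing` test hook are names of my own, and the /etc and /tmp/psz stand-ins are constructed inside a temporary directory.

```python
import os
import stat
import tempfile

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def _remove_children(dir_fd, after_listing=None):
    """Delete everything below dir_fd by descriptor, never by a re-resolved path.
    after_listing is a test hook only: it runs in the read-then-unlink window."""
    with os.scandir(dir_fd) as it:
        entries = list(it)
    if after_listing is not None:
        after_listing()
    for entry in entries:
        st = entry.stat(follow_symlinks=False)  # fstatat(dir_fd, name, AT_SYMLINK_NOFOLLOW)
        if stat.S_ISDIR(st.st_mode):
            # openat(dir_fd, name, O_NOFOLLOW): a symlink planted under this name fails.
            sub_fd = os.open(entry.name, DIR_FLAGS, dir_fd=dir_fd)
            try:
                fst = os.fstat(sub_fd)
                if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
                    raise RuntimeError(entry.name + ": directory replaced during traversal")
                _remove_children(sub_fd)
            finally:
                os.close(sub_fd)
            os.rmdir(entry.name, dir_fd=dir_fd)  # unlinkat(dir_fd, name, AT_REMOVEDIR)
        else:
            os.unlink(entry.name, dir_fd=dir_fd)  # a symlink goes as a link; target untouched


def safe_rmtree(path, after_listing=None):
    """Remove the tree at path; raise instead of following a swapped component."""
    parent, name = os.path.split(os.path.abspath(path))
    parent_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        st = os.lstat(name, dir_fd=parent_fd)
        if not stat.S_ISDIR(st.st_mode):
            raise NotADirectoryError(path)
        fd = os.open(name, DIR_FLAGS, dir_fd=parent_fd)
        try:
            fst = os.fstat(fd)
            if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
                raise RuntimeError(path + ": directory replaced before open")
            _remove_children(fd, after_listing)
        finally:
            os.close(fd)
        # rmdir relative to the parent fails with ENOTDIR once the name holds a symlink.
        os.rmdir(name, dir_fd=parent_fd)
    finally:
        os.close(parent_fd)


def demo_swap():
    """Replay the report's scenario on constructed stand-ins inside a temp dir."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "etc")  # stands in for /etc
    tree = os.path.join(base, "psz")    # stands in for /tmp/psz
    for d in (victim, tree):
        os.mkdir(d)
    for p in [os.path.join(victim, "passwd")] + [os.path.join(tree, n) for n in ("1", "2", "passwd")]:
        open(p, "w").close()

    def attacker_swap():  # mv /tmp/psz /tmp/dummy; ln -s /etc /tmp/psz, mid-traversal
        os.rename(tree, os.path.join(base, "dummy"))
        os.symlink(victim, tree)

    swap_detected = False
    try:
        safe_rmtree(tree, after_listing=attacker_swap)
    except NotADirectoryError:
        swap_detected = True
    result = {
        "victim_intact": os.path.exists(os.path.join(victim, "passwd")),
        "dummy_emptied": os.listdir(os.path.join(base, "dummy")) == [],
        "swap_detected": swap_detected,
    }
    safe_rmtree(base)  # fixture cleanup; the planted link inside is removed as a link
    return result
```

Python's own shutil.rmtree takes the same descriptor-relative approach on platforms where `shutil.rmtree.avoids_symlink_attacks` is True; the mitigation the report asks to document is what that flag signals.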




Bug reassigned from package `perl-modules' to `perl'. Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Merged 286905 286922. Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Reply sent to Brendan O'Dea <bod@debian.org>:
You have taken responsibility.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.

Message #14 received at 286905-close@bugs.debian.org (full text, mbox):

From: Brendan O'Dea <bod@debian.org>
To: 286905-close@bugs.debian.org
Subject: Bug#286905: fixed in perl 5.8.4-7
Date: Mon, 07 Mar 2005 01:47:15 -0500
Source: perl
Source-Version: 5.8.4-7

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.4-7_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb
libperl-dev_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb
libperl-dev_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb
libperl-dev_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb
libperl5.8_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb
libperl5.8_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb
libperl5.8_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_sparc.deb
perl-base_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-base_5.8.4-7_i386.deb
perl-base_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_powerpc.deb
perl-base_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_sparc.deb
perl-debug_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_i386.deb
perl-debug_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_powerpc.deb
perl-debug_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_sparc.deb
perl-doc_5.8.4-7_all.deb
  to pool/main/p/perl/perl-doc_5.8.4-7_all.deb
perl-modules_5.8.4-7_all.deb
  to pool/main/p/perl/perl-modules_5.8.4-7_all.deb
perl-suid_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_i386.deb
perl-suid_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_powerpc.deb
perl-suid_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_sparc.deb
perl_5.8.4-7.diff.gz
  to pool/main/p/perl/perl_5.8.4-7.diff.gz
perl_5.8.4-7.dsc
  to pool/main/p/perl/perl_5.8.4-7.dsc
perl_5.8.4-7_i386.deb
  to pool/main/p/perl/perl_5.8.4-7_i386.deb
perl_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl_5.8.4-7_powerpc.deb
perl_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl_5.8.4-7_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <bod@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  7 Mar 2005 10:22:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc 
Version: 5.8.4-7
Distribution: unstable
Urgency: low
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Brendan O'Dea <bod@debian.org>
Description: 
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-suid  - Runs setuid Perl scripts
Closes: 178243 198855 250877 255919 256731 263325 275142 281091 281092 281437 286905 286922 289709
Changes: 
 perl (5.8.4-7) unstable; urgency=low
 .
   * SECURITY [CAN-2005-0448]: rewrite File::Path::rmtree to avoid race
     condition which allows an attacker with write permission on
     directories in the tree being removed to make files setuid or to
     remove arbitrary files (closes: #286905, #286922).  Supersedes
     the previous patch for CAN-2004-0452.
 .
   * Add PERL_DEBUGGING_MSTATS for debugperl (closes: #178243).
   * Escape dashes in verbatim text to have groff render them as-is
     rather than as \x{2010} (closes: #250877).
 .
   * CGI: handle escaped newlines in URLs (closes: #289709).
   * Net::NNTP: fix precedence error in article routine (closes: #275142).
   * Devel::Dprof: refer to executable as `perl' (closes: #198855).
   * Remove spurious undefined warning in getopts.pl (closes: #255919).
   * Remove XSI-isms from maintainer scripts (closes: #256731).
   * Revise MakeMaker patch to defer expansion of $(MANnEXT) until
     runtime (closes: #263325).
 .
   * Normalise case of a2p man page OPTIONS section, place optional
     filename in brackets (closes: #281091, #281092).
 .
   * Fix octal glitch in perlreref(1) (closes: #281437).
   * Have perl suggest both ReadLine variants (gnu, perl).
   * Upgrade suggestion on perl-doc to recommends now that dselect is
     less pedantic about the latter.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCK/Y68NyOALKMWZURAuCYAKCxlPgMf40kHc1sF1iiHMOOiVA7AQCcCA/h
mpgXx7fsS2scjvHL021Ieto=
=8WTG
-----END PGP SIGNATURE-----




Message #15 received at 286922-close@bugs.debian.org (full text, mbox):

From: Brendan O'Dea <bod@debian.org>
To: 286922-close@bugs.debian.org
Subject: Bug#286922: fixed in perl 5.8.4-7
Date: Mon, 07 Mar 2005 01:47:15 -0500
Source: perl
Source-Version: 5.8.4-7

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.4-7_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb
libperl-dev_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb
libperl-dev_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb
libperl-dev_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb
libperl5.8_5.8.4-7_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb
libperl5.8_5.8.4-7_powerpc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb
libperl5.8_5.8.4-7_sparc.deb
  to pool/main/p/perl/libperl5.8_5.8.4-7_sparc.deb
perl-base_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-base_5.8.4-7_i386.deb
perl-base_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_powerpc.deb
perl-base_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-base_5.8.4-7_sparc.deb
perl-debug_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_i386.deb
perl-debug_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_powerpc.deb
perl-debug_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-debug_5.8.4-7_sparc.deb
perl-doc_5.8.4-7_all.deb
  to pool/main/p/perl/perl-doc_5.8.4-7_all.deb
perl-modules_5.8.4-7_all.deb
  to pool/main/p/perl/perl-modules_5.8.4-7_all.deb
perl-suid_5.8.4-7_i386.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_i386.deb
perl-suid_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_powerpc.deb
perl-suid_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl-suid_5.8.4-7_sparc.deb
perl_5.8.4-7.diff.gz
  to pool/main/p/perl/perl_5.8.4-7.diff.gz
perl_5.8.4-7.dsc
  to pool/main/p/perl/perl_5.8.4-7.dsc
perl_5.8.4-7_i386.deb
  to pool/main/p/perl/perl_5.8.4-7_i386.deb
perl_5.8.4-7_powerpc.deb
  to pool/main/p/perl/perl_5.8.4-7_powerpc.deb
perl_5.8.4-7_sparc.deb
  to pool/main/p/perl/perl_5.8.4-7_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286922@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <bod@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  7 Mar 2005 10:22:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc 
Version: 5.8.4-7
Distribution: unstable
Urgency: low
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Brendan O'Dea <bod@debian.org>
Description: 
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-suid  - Runs setuid Perl scripts
Closes: 178243 198855 250877 255919 256731 263325 275142 281091 281092 281437 286905 286922 289709
Changes: 
 perl (5.8.4-7) unstable; urgency=low
 .
   * SECURITY [CAN-2005-0448]: rewrite File::Path::rmtree to avoid race
     condition which allows an attacker with write permission on
     directories in the tree being removed to make files setuid or to
     remove arbitrary files (closes: #286905, #286922).  Supersedes
     the previous patch for CAN-2004-0452.
 .
   * Add PERL_DEBUGGING_MSTATS for debugperl (closes: #178243).
   * Escape dashes in verbatim text to have groff render them as-is
     rather than as \x{2010} (closes: #250877).
 .
   * CGI: handle escaped newlines in URLs (closes: #289709).
   * Net::NNTP: fix precedence error in article routine (closes: #275142).
   * Devel::Dprof: refer to executable as `perl' (closes: #198855).
   * Remove spurious undefined warning in getopts.pl (closes: #255919).
   * Remove XSI-isms from maintainer scripts (closes: #256731).
   * Revise MakeMaker patch to defer expansion of $(MANnEXT) until
     runtime (closes: #263325).
 .
   * Normalise case of a2p man page OPTIONS section, place optional
     filename in brackets (closes: #281091, #281092).
 .
   * Fix octal glitch in perlreref(1) (closes: #281437).
   * Have perl suggest both ReadLine variants (gnu, perl).
   * Upgrade suggestion on perl-doc to recommends now that dselect is
     less pedantic about the latter.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCK/Y68NyOALKMWZURAuCYAKCxlPgMf40kHc1sF1iiHMOOiVA7AQCcCA/h
mpgXx7fsS2scjvHL021Ieto=
=8WTG
-----END PGP SIGNATURE-----




Bug reopened, originator not changed. Request was from Micah Anderson <micah@debian.org> to control@bugs.debian.org.

Tags added: woody Request was from Micah Anderson <micah@debian.org> to control@bugs.debian.org.

Tags added: fixed Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Tags added: fixed Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Bug closed, send any further explanations to Paul Szabo <psz@maths.usyd.edu.au> Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Tags added: fixed Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Tags added: fixed Request was from Brendan O'Dea <bod@debian.org> to control@bugs.debian.org.

Bug unarchived. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:12:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#286922; Package perl. (Thu, 27 Nov 2008 19:27:04 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. (Thu, 27 Nov 2008 19:27:04 GMT)

Message #36 received at 286922@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 286905@bugs.debian.org, 286922@bugs.debian.org
Subject: CVE-2005-0448 resurfaced
Date: Thu, 27 Nov 2008 21:25:04 +0200
unmerge 286922
found 286905 5.8.8-1
found 286922 5.8.8-1
fixed 286922 5.10.0-1
thanks

As discussed around

 http://www.gossamer-threads.com/lists/perl/porters/233695#233695

CVE-2005-0448 (File::Path::rmtree races) has resurfaced and is present
in all of etch, lenny, and sid.

To be precise, CVE-2005-0448 was about two bugs (#286922 and #286905).
Both of those apply to the etch package, while only #286905 applies to
the lenny/sid package.

I'm unsure if this needs a new CVE id.

For etch, I see no option but to reintroduce the File::Path::rmtree()
implementation by Brendan O'Dea originally introduced in 5.8.4-7. I'm
attaching the diff (debian/patches/03_fix_file_path from 5.8.7-x).
I have informed the security team and they will look at this.

For lenny/sid, #286922 is fixed and the attached patch combined from
File-Path-2.07 and 

 http://www.gossamer-threads.com/lists/perl/porters/233699#233699

should fix #286905. Please note that the above message seems to have
the CVE ids confused; I think CVE-2004-0452 is really fixed for good.

I'll upload 5.10.0-18 with the patch at urgency=high soon, hope it can
make it into lenny without a separate testing-security package.

I'd love more eyeballs on this. I've been able to exploit the issues
with breakpoints in the perl debugger and the patches seem to work.
-- 
Niko Tyni   ntyni@debian.org
[etch_03_fix_file_path (text/plain, attachment)]
[sid_fix_file_path (text/plain, attachment)]

Disconnected #286922 from all other report(s). Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:27:05 GMT)

Bug marked as found in version 5.8.8-1 and reopened. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:27:06 GMT)

Bug marked as fixed in version 5.10.0-1. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:27:07 GMT)

Tags set to: security, etch Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 27 Nov 2008 19:48:06 GMT)

Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Fri, 09 Jan 2009 02:09:03 GMT)

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. (Fri, 09 Jan 2009 02:09:03 GMT)

Message #49 received at 286922-close@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 286922-close@bugs.debian.org
Subject: Bug#286922: fixed in perl 5.8.8-7etch5
Date: Fri, 09 Jan 2009 01:52:21 +0000
Source: perl
Source-Version: 5.8.8-7etch5

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.8-7etch5_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch5_all.deb
libperl-dev_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/libperl-dev_5.8.8-7etch5_i386.deb
libperl5.8_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/libperl5.8_5.8.8-7etch5_i386.deb
perl-base_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-base_5.8.8-7etch5_i386.deb
perl-debug_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-debug_5.8.8-7etch5_i386.deb
perl-doc_5.8.8-7etch5_all.deb
  to pool/main/p/perl/perl-doc_5.8.8-7etch5_all.deb
perl-modules_5.8.8-7etch5_all.deb
  to pool/main/p/perl/perl-modules_5.8.8-7etch5_all.deb
perl-suid_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl-suid_5.8.8-7etch5_i386.deb
perl_5.8.8-7etch5.diff.gz
  to pool/main/p/perl/perl_5.8.8-7etch5.diff.gz
perl_5.8.8-7etch5.dsc
  to pool/main/p/perl/perl_5.8.8-7etch5.dsc
perl_5.8.8-7etch5_i386.deb
  to pool/main/p/perl/perl_5.8.8-7etch5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286922@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 20 Nov 2008 22:45:54 +0200
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: source i386 all
Version: 5.8.8-7etch5
Distribution: stable-security
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 286905 286922
Changes: 
 perl (5.8.8-7etch5) stable-security; urgency=high
 .
   * SECURITY [CAN-2005-0448]: re-rewrite File::Path::rmtree to avoid race
     condition which allows an attacker with write permission on
     directories in the tree being removed to make files setuid or to
     remove arbitrary files (Closes: #286905, #286922).
     .
     The race condition was fixed in 5.8.4-7 but re-introduced in 5.8.8-1.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkxTPsACgkQiyizGWoHLTn0OgCdGI24OjO5S7gb+Vh2qRcSOJYL
U7gAnRXL7Wbcotrdf0cWNYj4zbMweEj5
=8aRt
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Feb 2009 07:27:41 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:29:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.