Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Brendan O'Dea <bod@debian.org>.
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole
Following on from the "File::Path::rmtree makes setuid" issue, I notice
that rmtree may be tricked into removing arbitrary files.
Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:
mkdir /tmp/psz
perl -e 'open F, ">/tmp/psz/$_" foreach (1..1000)'
touch /tmp/psz/passwd
While root is busy working on /tmp/psz (and this can be made as slow as
we like), attacker does:
mv /tmp/psz /tmp/dummy
ln -s /etc /tmp/psz
Root will then remove /etc/passwd.
Maybe it should be documented that rmtree must only be used if you can
be sure to have exclusive access to the tree.
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
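The report above describes a time-of-check/time-of-use race: a recursive delete that addresses every entry by its full path name can be redirected by anyone who can rename a directory in that tree between the moment the walker examines an entry and the moment it unlinks it. The example below is added here for illustration; it is not code from the bug report or from the Debian perl package, and it does not reproduce the Perl module's internals. It is a Python sketch of the properties a race-resistant recursive delete needs: walk relative to an already-open directory descriptor instead of by path, use lstat (never stat) so a symlink is seen as a symlink, open subdirectories with O_NOFOLLOW|O_DIRECTORY and confirm via fstat that the opened directory is the same inode that was just examined, and never descend through a symlink. `safe_rmtree`, `UnsafeTreeError` and `demo` are names chosen for this example; the temporary tree `demo` builds stands in for /tmp/psz, and its `victim` directory for /etc.

```python
import os
import stat
import tempfile


class UnsafeTreeError(RuntimeError):
    """The tree changed underneath us in a way this routine will not follow."""


def _remove_entry(dir_fd, name):
    """Remove directory entry `name` relative to the open directory `dir_fd`.

    Every call is relative to a descriptor we already hold, so renaming an
    ancestor mid-walk cannot redirect the walk, and symlinks are removed as
    entries, never followed.
    """
    st = os.lstat(name, dir_fd=dir_fd)        # lstat: a symlink reports as a symlink
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(name, dir_fd=dir_fd)        # plain file or symlink: drop the entry only
        return
    # O_NOFOLLOW|O_DIRECTORY makes the open fail (ELOOP/ENOTDIR) if the entry
    # turned into a symlink between the lstat above and this open.
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=dir_fd)
    try:
        fst = os.fstat(fd)
        # The directory we opened must be the inode we just examined; if the
        # entry was swapped in between, refuse to descend into it.
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise UnsafeTreeError(f"entry {name!r} changed during removal")
        for child in os.listdir(fd):
            _remove_entry(fd, child)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=dir_fd)             # rmdir never follows symlinks either


def safe_rmtree(path):
    """Remove the directory tree rooted at `path`; refuse if `path` is a symlink."""
    full = os.path.abspath(path)              # also drops a trailing slash
    parent, name = os.path.split(full)
    parent_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if stat.S_ISLNK(os.lstat(name, dir_fd=parent_fd).st_mode):
            raise UnsafeTreeError(f"{path!r} is a symlink; refusing to remove its target")
        _remove_entry(parent_fd, name)
    finally:
        os.close(parent_fd)


def demo():
    """Constructed scenario: a tree to be cleaned up (stands in for /tmp/psz)
    and a 'victim' directory (stands in for /etc) that symlinks point at.

    Returns (tree removed and victim intact, symlinked root refused and victim intact).
    """
    base = tempfile.mkdtemp(prefix="rmtree-demo-")
    victim = os.path.join(base, "victim")
    os.mkdir(victim)
    victim_file = os.path.join(victim, "passwd")
    with open(victim_file, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed stand-in content

    tree = os.path.join(base, "psz")
    os.makedirs(os.path.join(tree, "sub"))
    for i in range(1, 6):
        open(os.path.join(tree, "sub", str(i)), "w").close()
    # A symlink planted inside the tree must be unlinked, never descended.
    os.symlink(victim, os.path.join(tree, "sub", "to_victim"))
    safe_rmtree(tree)
    inside_ok = not os.path.lexists(tree) and os.path.exists(victim_file)

    # End state of the swap in the report: the root path itself is now a symlink.
    os.symlink(victim, tree)
    try:
        safe_rmtree(tree)
        refused = False
    except UnsafeTreeError:
        refused = True
    root_ok = refused and os.path.exists(victim_file)

    safe_rmtree(base)   # cleanup: the root symlink is an entry inside base, so it is just unlinked
    return inside_ok, root_ok


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The check that matters is the `(st_dev, st_ino)` comparison together with `O_NOFOLLOW`: a walker that only does `lstat` then `chdir` by name still has a window in which the name can be re-pointed, whereas comparing the opened descriptor against the examined inode closes it. The `dir_fd` forms of `os.lstat`, `os.open`, `os.unlink` and `os.rmdir` need Python 3.3 or later on a POSIX system.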
Bug reassigned from package `perl-modules' to `perl'.
Request was from Brendan O'Dea <bod@debian.org>
to control@bugs.debian.org.
Merged 286905 286922.
Request was from Brendan O'Dea <bod@debian.org>
to control@bugs.debian.org.
Reply sent to Brendan O'Dea <bod@debian.org>:
You have taken responsibility.
Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.
Source: perl
Source-Version: 5.8.4-7
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.8.4-7_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.8.4-7_all.deb
libperl-dev_5.8.4-7_i386.deb
to pool/main/p/perl/libperl-dev_5.8.4-7_i386.deb
libperl-dev_5.8.4-7_powerpc.deb
to pool/main/p/perl/libperl-dev_5.8.4-7_powerpc.deb
libperl-dev_5.8.4-7_sparc.deb
to pool/main/p/perl/libperl-dev_5.8.4-7_sparc.deb
libperl5.8_5.8.4-7_i386.deb
to pool/main/p/perl/libperl5.8_5.8.4-7_i386.deb
libperl5.8_5.8.4-7_powerpc.deb
to pool/main/p/perl/libperl5.8_5.8.4-7_powerpc.deb
libperl5.8_5.8.4-7_sparc.deb
to pool/main/p/perl/libperl5.8_5.8.4-7_sparc.deb
perl-base_5.8.4-7_i386.deb
to pool/main/p/perl/perl-base_5.8.4-7_i386.deb
perl-base_5.8.4-7_powerpc.deb
to pool/main/p/perl/perl-base_5.8.4-7_powerpc.deb
perl-base_5.8.4-7_sparc.deb
to pool/main/p/perl/perl-base_5.8.4-7_sparc.deb
perl-debug_5.8.4-7_i386.deb
to pool/main/p/perl/perl-debug_5.8.4-7_i386.deb
perl-debug_5.8.4-7_powerpc.deb
to pool/main/p/perl/perl-debug_5.8.4-7_powerpc.deb
perl-debug_5.8.4-7_sparc.deb
to pool/main/p/perl/perl-debug_5.8.4-7_sparc.deb
perl-doc_5.8.4-7_all.deb
to pool/main/p/perl/perl-doc_5.8.4-7_all.deb
perl-modules_5.8.4-7_all.deb
to pool/main/p/perl/perl-modules_5.8.4-7_all.deb
perl-suid_5.8.4-7_i386.deb
to pool/main/p/perl/perl-suid_5.8.4-7_i386.deb
perl-suid_5.8.4-7_powerpc.deb
to pool/main/p/perl/perl-suid_5.8.4-7_powerpc.deb
perl-suid_5.8.4-7_sparc.deb
to pool/main/p/perl/perl-suid_5.8.4-7_sparc.deb
perl_5.8.4-7.diff.gz
to pool/main/p/perl/perl_5.8.4-7.diff.gz
perl_5.8.4-7.dsc
to pool/main/p/perl/perl_5.8.4-7.dsc
perl_5.8.4-7_i386.deb
to pool/main/p/perl/perl_5.8.4-7_i386.deb
perl_5.8.4-7_powerpc.deb
to pool/main/p/perl/perl_5.8.4-7_powerpc.deb
perl_5.8.4-7_sparc.deb
to pool/main/p/perl/perl_5.8.4-7_sparc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 286905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brendan O'Dea <bod@debian.org> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 7 Mar 2005 10:22:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all i386 powerpc source sparc
Version: 5.8.4-7
Distribution: unstable
Urgency: low
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Brendan O'Dea <bod@debian.org>
Description:
libperl-dev - Perl library: development files
libperl5.8 - Shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - The Pathologically Eclectic Rubbish Lister
perl-debug - Debug-enabled Perl interpreter
perl-suid - Runs setuid Perl scripts
Closes: 178243 198855 250877 255919 256731 263325 275142 281091 281092 281437 286905 286922 289709
Changes:
perl (5.8.4-7) unstable; urgency=low
.
* SECURITY [CAN-2005-0448]: rewrite File::Path::rmtree to avoid race
condition which allows an attacker with write permission on
directories in the tree being removed to make files setuid or to
remove arbitrary files (closes: #286905, #286922). Supersedes
the previous patch for CAN-2004-0452.
.
* Add PERL_DEBUGGING_MSTATS for debugperl (closes: #178243).
* Escape dashes in verbatim text to have groff render them as-is
rather than as \x{2010} (closes: #250877).
.
* CGI: handle escaped newlines in URLs (closes: #289709).
* Net::NNTP: fix precedence error in article routine (closes: #275142).
* Devel::Dprof: refer to executable as `perl' (closes: #198855).
* Remove spurious undefined warning in getopts.pl (closes: #255919).
* Remove XSI-isms from maintainer scripts (closes: #256731).
* Revise MakeMaker patch to defer expansion of $(MANnEXT) until
runtime (closes: #263325).
.
* Normalise case of a2p man page OPTIONS section, place optional
filename in brackets (closes: #281091, #281092).
.
* Fix octal glitch in perlreref(1) (closes: #281437).
* Have perl suggest both ReadLine variants (gnu, perl).
* Upgrade suggestion on perl-doc to recommends now that dselect is
less pedantic about the latter.
Files:
06d6c960bf7c8b7b7ce66e73bc689a86 3509162 perl standard perl_5.8.4-7_powerpc.deb
11a48c92fe6046185a1003394c28c1f9 7052380 doc optional perl-doc_5.8.4-7_all.deb
15d16eb40fc29280a13b901aa6f4d70a 775246 base required perl-base_5.8.4-7_sparc.deb
2e89765c8eedf6af4fd3636a3922539c 3547364 perl standard perl_5.8.4-7_sparc.deb
3692cc87735524ef57ceeed24d60f686 567012 libdevel optional libperl-dev_5.8.4-7_i386.deb
3aa29703d71dbb2fa5f9c4b8b8b203c7 624940 libdevel optional libperl-dev_5.8.4-7_powerpc.deb
463e43a1c602f74a385bd414e5f752a8 3840696 perl optional perl-debug_5.8.4-7_sparc.deb
4e7ab56ca74d59f1d98c3147a3a71138 3736402 perl optional perl-debug_5.8.4-7_i386.deb
61d993933b3a08b0049462a802766220 31698 perl optional perl-suid_5.8.4-7_i386.deb
6b236605cdb5beb02219ad1f2bb198f8 1034 libs optional libperl5.8_5.8.4-7_powerpc.deb
6dc36144aca73c10ec9f324117f3acde 38036 perl extra libcgi-fast-perl_5.8.4-7_all.deb
c861bb89e40c2723b2ce9f0525b22e6b 726 perl standard perl_5.8.4-7.dsc
8347b722dbee125c18d631bf5ca474ac 31032 perl optional perl-suid_5.8.4-7_sparc.deb
8d2973686564a7444c23847da092d840 3700708 perl optional perl-debug_5.8.4-7_powerpc.deb
95e330d949521ee026a7148b4ca014d5 2178102 perl standard perl-modules_5.8.4-7_all.deb
987b4cfbb284707e1f84f66a72232b5e 508830 libs optional libperl5.8_5.8.4-7_i386.deb
9db0cfba5fc66c4a0c8279606a91bd94 1034 libs optional libperl5.8_5.8.4-7_sparc.deb
9f4c86deaa8aa3f377d4ce8ccf3cda76 789658 base required perl-base_5.8.4-7_powerpc.deb
ab32aebec33b748b0ccaf0e52cb77a69 582240 libdevel optional libperl-dev_5.8.4-7_sparc.deb
bd4a96454f9a6b6dca5fcc54a24fe350 86680 perl standard perl_5.8.4-7.diff.gz
e4418c5838c05452631dbd1d561a2312 751654 base required perl-base_5.8.4-7_i386.deb
e69b276f51914a16eb2d6ac5e09f4f96 33576 perl optional perl-suid_5.8.4-7_powerpc.deb
fab241c803816d886180d671ac0334f2 3238062 perl standard perl_5.8.4-7_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCK/Y68NyOALKMWZURAuCYAKCxlPgMf40kHc1sF1iiHMOOiVA7AQCcCA/h
mpgXx7fsS2scjvHL021Ieto=
=8WTG
-----END PGP SIGNATURE-----
Bug reopened, originator not changed.
Request was from Micah Anderson <micah@debian.org>
to control@bugs.debian.org.
Tags added: woody
Request was from Micah Anderson <micah@debian.org>
to control@bugs.debian.org.
Tags added: fixed
Request was from Brendan O'Dea <bod@debian.org>
to control@bugs.debian.org.
Tags added: fixed
Request was from Brendan O'Dea <bod@debian.org>
to control@bugs.debian.org.
Bug closed, send any further explanations to Paul Szabo <psz@maths.usyd.edu.au>
Request was from Brendan O'Dea <bod@debian.org>
to control@bugs.debian.org.
Tags added: fixed
Request was from Brendan O'Dea <bod@debian.org>
to control@bugs.debian.org.
Tags added: fixed
Request was from Brendan O'Dea <bod@debian.org>
to control@bugs.debian.org.
Bug unarchived.
Request was from Niko Tyni <ntyni@debian.org>
to control@bugs.debian.org.
(Thu, 27 Nov 2008 19:12:10 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>: Bug#286922; Package perl.
(Thu, 27 Nov 2008 19:27:04 GMT)
Acknowledgement sent
to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>.
(Thu, 27 Nov 2008 19:27:04 GMT)
unmerge 286922
found 286905 5.8.8-1
found 286922 5.8.8-1
fixed 286922 5.10.0-1
thanks
As discussed around
http://www.gossamer-threads.com/lists/perl/porters/233695#233695
CVE-2005-0448 (File::Path::rmtree races) has resurfaced and is present
in all of etch, lenny, and sid.
To be precise, CVE-2005-0448 was about two bugs (#286922 and #286905).
Both of those apply to the etch package, while only #286905 applies to
the lenny/sid package.
I'm unsure if this needs a new CVE id.
For etch, I see no option but to reintroduce the File::Path::rmtree()
implementation by Brendan O'Dea originally introduced in 5.8.4-7. I'm
attaching the diff (debian/patches/03_fix_file_path from 5.8.7-x).
I have informed the security team and they will look at this.
For lenny/sid, #286922 is fixed and the attached patch combined from
File-Path-2.07 and
http://www.gossamer-threads.com/lists/perl/porters/233699#233699
should fix #286905. Please note that the above message seems to have
the CVE ids confused; I think CVE-2004-0452 is really fixed for good.
I'll upload 5.10.0-18 with the patch at urgency=high soon, hope it can
make it into lenny without a separate testing-security package.
I'd love more eyeballs on this. I've been able to exploit the issues
with breakpoints in the perl debugger and the patches seem to work.
--
Niko Tyni ntyni@debian.org
Disconnected #286922 from all other report(s).
Request was from Niko Tyni <ntyni@debian.org>
to control@bugs.debian.org.
(Thu, 27 Nov 2008 19:27:05 GMT)
Bug marked as found in version 5.8.8-1 and reopened.
Request was from Niko Tyni <ntyni@debian.org>
to control@bugs.debian.org.
(Thu, 27 Nov 2008 19:27:06 GMT)
Bug marked as fixed in version 5.10.0-1.
Request was from Niko Tyni <ntyni@debian.org>
to control@bugs.debian.org.
(Thu, 27 Nov 2008 19:27:07 GMT)
Tags set to: security, etch
Request was from Niko Tyni <ntyni@debian.org>
to control@bugs.debian.org.
(Thu, 27 Nov 2008 19:48:06 GMT)
Reply sent
to Niko Tyni <ntyni@debian.org>:
You have taken responsibility.
(Fri, 09 Jan 2009 02:09:03 GMT)
Notification sent
to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.
(Fri, 09 Jan 2009 02:09:03 GMT)
Source: perl
Source-Version: 5.8.8-7etch5
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.8.8-7etch5_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch5_all.deb
libperl-dev_5.8.8-7etch5_i386.deb
to pool/main/p/perl/libperl-dev_5.8.8-7etch5_i386.deb
libperl5.8_5.8.8-7etch5_i386.deb
to pool/main/p/perl/libperl5.8_5.8.8-7etch5_i386.deb
perl-base_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-base_5.8.8-7etch5_i386.deb
perl-debug_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-debug_5.8.8-7etch5_i386.deb
perl-doc_5.8.8-7etch5_all.deb
to pool/main/p/perl/perl-doc_5.8.8-7etch5_all.deb
perl-modules_5.8.8-7etch5_all.deb
to pool/main/p/perl/perl-modules_5.8.8-7etch5_all.deb
perl-suid_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl-suid_5.8.8-7etch5_i386.deb
perl_5.8.8-7etch5.diff.gz
to pool/main/p/perl/perl_5.8.8-7etch5.diff.gz
perl_5.8.8-7etch5.dsc
to pool/main/p/perl/perl_5.8.8-7etch5.dsc
perl_5.8.8-7etch5_i386.deb
to pool/main/p/perl/perl_5.8.8-7etch5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 286922@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 20 Nov 2008 22:45:54 +0200
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: source i386 all
Version: 5.8.8-7etch5
Distribution: stable-security
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl-dev - Perl library: development files
libperl5.8 - Shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - The Pathologically Eclectic Rubbish Lister
perl-debug - Debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules - Core Perl modules
perl-suid - Runs setuid Perl scripts
Closes: 286905 286922
Changes:
perl (5.8.8-7etch5) stable-security; urgency=high
.
* SECURITY [CAN-2005-0448]: re-rewrite File::Path::rmtree to avoid race
condition which allows an attacker with write permission on
directories in the tree being removed to make files setuid or to
remove arbitrary files (Closes: #286905, #286922).
.
The race condition was fixed in 5.8.4-7 but re-introduced in 5.8.8-1.
Files:
a57837967b7420057558cab7efca9202 750 perl standard perl_5.8.8-7etch5.dsc
cfd4c3d27c5a7a342c441383867dae89 105052 perl standard perl_5.8.8-7etch5.diff.gz
9dfa8758852aadcaadb2edbdfa17f942 41082 perl optional libcgi-fast-perl_5.8.8-7etch5_all.deb
3baade38d4a703ae7db0e2f7d7b2df62 7378812 doc optional perl-doc_5.8.8-7etch5_all.deb
dc45e7d6fbedf992db42f31326457df2 2316518 perl standard perl-modules_5.8.8-7etch5_all.deb
40254226d8ae5963a908661350816f0c 762200 perl required perl-base_5.8.8-7etch5_i386.deb
7149381d9862cc1ebd20092fae76dda9 2491980 perl optional perl-debug_5.8.8-7etch5_i386.deb
59d70d1ee4f0e7584230095ca079ceb7 32070 perl optional perl-suid_5.8.8-7etch5_i386.deb
c511226a2cbddb98a170c8f563d6670a 527162 libs optional libperl5.8_5.8.8-7etch5_i386.deb
f3f34d325de643667d4c12f897a15f48 585396 libdevel optional libperl-dev_5.8.8-7etch5_i386.deb
bdcb99ed51d06b1639d98a661ce42d58 3589118 perl standard perl_5.8.8-7etch5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkxTPsACgkQiyizGWoHLTn0OgCdGI24OjO5S7gb+Vh2qRcSOJYL
U7gAnRXL7Wbcotrdf0cWNYj4zbMweEj5
=8aRt
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 10 Feb 2009 07:27:41 GMT)