Debian Bug report logs - #487319
perl-modules: File::Path::rmtree sets symlink target permissions to 0777

version graph

Package: perl-modules; Maintainer for perl-modules is Niko Tyni <ntyni@debian.org>; Source for perl-modules is src:perl.

Reported by: Ben Hutchings <ben@decadent.org.uk>

Date: Fri, 20 Jun 2008 22:39:01 UTC

Severity: critical

Tags: confirmed, patch, security

Fixed in versions perl/5.10.0-11, 5.10.0-10+lenny1

Done: Niko Tyni <ntyni@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://rt.cpan.org/Public/Bug/Display.html?id=36982

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, debian-boot@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Brendan O'Dea <bod@debian.org>:
Bug#487317; Package debsums. Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, debian-boot@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl-modules: File::Path::rmtree sets symlink target permissions to 0777
Date: Fri, 20 Jun 2008 23:36:51 +0100
Package: debsums
Version: 5.10.0-10
Severity: critical
Tags: security
Justification: root security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 2008-06-20 at 23:26 +0200, Cyril Brulebois wrote:
> Frans Pop <elendil@planet.nl> (20/06/2008):
> > $ sudo aptitude reinstall ncurses-base
> > $ ls -l /lib/terminfo/*/*
> > -rwxrwxrwx 1 root root 1481 2008-06-16 22:40 /lib/terminfo/a/ansi
> > -rwxrwxrwx 1 root root 1502 2008-06-16 22:40 /lib/terminfo/c/cons25
> > -rwxrwxrwx 1 root root 1529 2008-06-16 22:40 /lib/terminfo/c/cygwin
> > -rwxrwxrwx 1 root root  308 2008-06-16 22:40 /lib/terminfo/d/dumb
> > [...]
> 
> Maybe you could provide us with the part of your dpkg.log relative to
> that particular “aptitude reinstall” run, maybe there are some leads
> there.
>
> You could also strace it, following its childs.

debsums is doing it:

32321 execve("/usr/bin/debsums", ["/usr/bin/debsums", "--generate=nocheck", "-sp", "/var/cache/apt/archives"], [/* 18 vars */]) = 0
...
32321 lstat64("wsvt25", {st_mode=S_IFLNK|0777, st_size=22, ...}) = 0
32321 chmod("wsvt25", 0777)             = 0
32321 lstat64("wsvt25", {st_mode=S_IFLNK|0777, st_size=22, ...}) = 0
32321 unlink("wsvt25")                  = 0

It looks like it's unpacking the archive under /tmp, generating
checksums, then deleting the files as it goes.  Before unlinking it uses
chmod, presumably to ensure the unlink will succeed.  But chmod follows
sym-links, and these sym-links are absolute so it chmods the installed
files!

...and a little investigation shows debsums is just using File::Path::rmtree.

Ben.

- -- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages debsums depends on:
ii  debconf [debconf-2.0]         1.5.22     Debian configuration management sy
ii  perl                          5.10.0-10  Larry Wall's Practical Extraction 

debsums recommends no packages.

- -- debconf information:
  debsums/apt-autogen: true

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIXDED79ZNCRIGYgcRAjqKAKCx2e/tBqjv0VSxmshtCgLwddKKyACghswA
pcsZLTltsPcRMAmBiBW4q0s=
=FSgb
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487317; Package debsums. Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #10 received at 487317@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 487317@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: perl-modules: File::Path::rmtree sets symlink target permissions to 0777
Date: Fri, 20 Jun 2008 23:47:33 +0100
[Message part 1 (text/plain, inline)]
reassign 487317 debsums
retitle 487317 debsums: Calls File::Path::rmtree without using the safe word
thanks

debsums can pass the magic word 'safe' to turn this stupid behaviour
off.  (Yay for Perl, unsafe by default...)

Ben.

-- 
Ben Hutchings
Absolutum obsoletum. (If it works, it's out of date.) - Stafford Beer
[signature.asc (application/pgp-signature, inline)]

Bug reassigned from package `debsums' to `debsums'. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Fri, 20 Jun 2008 22:51:04 GMT) Full text and rfc822 format available.

Changed Bug title to `debsums: Calls File::Path::rmtree without using the safe word' from `perl-modules: File::Path::rmtree sets symlink target permissions to 0777'. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Fri, 20 Jun 2008 22:51:04 GMT) Full text and rfc822 format available.

Bug 487317 cloned as bug 487319. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Fri, 20 Jun 2008 23:09:03 GMT) Full text and rfc822 format available.

Bug reassigned from package `debsums' to `perl-modules'. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Fri, 20 Jun 2008 23:09:05 GMT) Full text and rfc822 format available.

Changed Bug title to `perl-modules: File::Path::rmtree safe is not really safe' from `debsums: Calls File::Path::rmtree without using the safe word'. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Fri, 20 Jun 2008 23:09:06 GMT) Full text and rfc822 format available.

Bug no longer marked as found in version 5.8.8-7etch3. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Fri, 20 Jun 2008 23:33:01 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #27 received at 487319@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 487319@bugs.debian.org
Subject: Re: perl-modules: File::Path::rmtree safe is not really safe
Date: Sat, 21 Jun 2008 00:40:22 +0100
[Message part 1 (text/plain, inline)]
What seems to have happened is that this code in lib/File/Path.pm in
Perl 5.8.8:

            chmod $rp | 0600, $root
              or carp "Can't make file $root writeable: $!"
                if $force_writeable;

was rewritten for 5.10 as:

            my $nperm = $perm & 07777 | 0600;
            if ($nperm != $perm and not chmod $nperm, $root) {
                if ($Force_Writeable) {
                    _error($arg, "cannot make file writeable", $canon);
                }
            }

This tests the $Force_Writeable variable only after attempting the
chmod, whereas the original correctly tested the $Force_Writeable
variable first.  This variable defines whether the OS requires write
permission when deleting a file, and is always false on Unix-like
systems including Debian.  I believe the correct code is:

            my $nperm = $perm & 07777 | 0600;
            if ($Force_Writeable && $nperm != $perm and not chmod $nperm, $root) {
                 _error($arg, "cannot make file writeable", $canon);
            }

All the other chmod calls in _rmtree appear to be dependent on whether
the directory entry being deleted is a directory (tested using lstat,
not stat) and the 'safe' word not being set.

Ben.

-- 
Ben Hutchings
Design a system any fool can use, and only a fool will want to use it.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #32 received at 487319@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 487319@bugs.debian.org
Cc: security@debian.org
Subject: Re: perl-modules: File::Path::rmtree safe is not really safe
Date: Sat, 21 Jun 2008 02:47:14 +0100
[Message part 1 (text/plain, inline)]
A simple test case for this bug is:

touch foo  # permissions 0666 & ~umask
ln -s foo bar
perl -e 'use File::Path rmtree; rmtree bar'
ls -l foo  # permissions 0777

The following patch fixes that and the originally reported problem.  I
believe the other chmod() calls in the _rmtree subroutine will never be
applied to a sym-link if either (1) no concurrent modifications of the
directory tree or (2) the 'safe' option is used.  It would be worthwhile
for someone else to double-check that, though.

Ben.

diff -u perl-5.10.0/patches-applied perl-5.10.0/patches-applied
--- perl-5.10.0/patches-applied
+++ perl-5.10.0/patches-applied
@@ -10,6 +10,7 @@
 debian/patches/09_fix_memory_debugging
 debian/patches/10_fix_h2ph_include_quote
 debian/patches/11_disable_vstring_warning
+debian/patches/12_fix_file_path_rmtree_chmod
 debian/patches/50_debian_use_gdbm
 debian/patches/51_debian_ld_run_path
 debian/patches/52_debian_extutils_hacks
only in patch2:
unchanged:
--- perl-5.10.0.orig/debian/patches/12_fix_file_path_rmtree_chmod
+++ perl-5.10.0/debian/patches/12_fix_file_path_rmtree_chmod
@@ -0,0 +1,15 @@
+--- perl.orig/lib/File/Path.pm	2007-12-18 10:47:07.000000000 +0000
++++ perl/lib/File/Path.pm	2008-06-21 00:08:45.000000000 +0100
+@@ -351,10 +351,8 @@
+             }
+ 
+             my $nperm = $perm & 07777 | 0600;
+-            if ($nperm != $perm and not chmod $nperm, $root) {
+-                if ($Force_Writeable) {
+-                    _error($arg, "cannot make file writeable", $canon);
+-                }
++            if ($Force_Writeable && $nperm != $perm and not chmod $nperm, $root) {
++                _error($arg, "cannot make file writeable", $canon);
+             }
+             print "unlink $canon\n" if $arg->{verbose};
+             # delete all versions under VMS
only in patch2:
unchanged:
--- perl-5.10.0.orig/lib/File/Path.pm
+++ perl-5.10.0/lib/File/Path.pm
@@ -351,10 +351,8 @@
             }
 
             my $nperm = $perm & 07777 | 0600;
-            if ($nperm != $perm and not chmod $nperm, $root) {
-                if ($Force_Writeable) {
-                    _error($arg, "cannot make file writeable", $canon);
-                }
+            if ($Force_Writeable && $nperm != $perm and not chmod $nperm, $root) {
+                _error($arg, "cannot make file writeable", $canon);
             }
             print "unlink $canon\n" if $arg->{verbose};
             # delete all versions under VMS
--- END ---

-- 
Ben Hutchings
Design a system any fool can use, and only a fool will want to use it.
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sat, 21 Jun 2008 01:51:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #39 received at 487319@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Ben Hutchings <ben@decadent.org.uk>, 487319@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#487319: perl-modules: File::Path::rmtree safe is not really safe
Date: Sat, 21 Jun 2008 10:07:30 +0300
tag 487319 confirmed
forwarded 487319 http://rt.cpan.org/Public/Bug/Display.html?id=36982
retitle 487319 perl-modules: File::Path::rmtree sets symlink target permissions to 0777
thanks

On Sat, Jun 21, 2008 at 02:47:14AM +0100, Ben Hutchings wrote:

> touch foo  # permissions 0666 & ~umask
> ln -s foo bar
> perl -e 'use File::Path rmtree; rmtree bar'
> ls -l foo  # permissions 0777
> 
> The following patch fixes that and the originally reported problem.  I
> believe the other chmod() calls in the _rmtree subroutine will never be
> applied to a sym-link if either (1) no concurrent modifications of the
> directory tree or (2) the 'safe' option is used.  It would be worthwhile
> for someone else to double-check that, though.

Thanks, Ben.

I just forwarded this to [rt.cpan.org #36982] and sent a notice to the
perl5-porters list too. I'm pretty short on time this weekend; an NMU
would be welcome if somebody feels sure enough the patch is sufficient.

I don't think the 'safe' option should really affect this at all. Even
without 'safe', the chmod shouldn't follow symlinks. Retitling back.

Brendan, please speak up if you want to handle this yourself instead.

Cc'ing the security team.
-- 
Niko Tyni   ntyni@debian.org




Tags added: confirmed Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sat, 21 Jun 2008 07:09:05 GMT) Full text and rfc822 format available.

Noted your statement that Bug has been forwarded to http://rt.cpan.org/Public/Bug/Display.html?id=36982. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sat, 21 Jun 2008 07:09:06 GMT) Full text and rfc822 format available.

Changed Bug title to `perl-modules: File::Path::rmtree sets symlink target permissions to 0777' from `perl-modules: File::Path::rmtree safe is not really safe'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sat, 21 Jun 2008 07:09:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #50 received at 487319@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: Drake Wilson <drake@begriffli.ch>
Cc: debian-devel@lists.debian.org, 487317@bugs.debian.org, 487319@bugs.debian.org
Subject: Re: Bug#487317: perl-modules: File::Path::rmtree sets symlink target permissions to 0777
Date: Sat, 21 Jun 2008 14:17:44 +0100
[Message part 1 (text/plain, inline)]
I cloned bug #487317 as #487319; the former is assigned to debsums and
the latter to perl-modules.

On Sat, 2008-06-21 at 00:43 -0500, Drake Wilson wrote:
> Quoth Ben Hutchings <ben@decadent.org.uk>, on 2008-06-20 23:36:51 +0100:
> > debsums is doing it:
> [strace elided]
> > It looks like it's unpacking the archive under /tmp, generating
> > checksums, then deleting the files as it goes.  Before unlinking it uses
> > chmod, presumably to ensure the unlink will succeed.  But chmod follows
> > sym-links, and these sym-links are absolute so it chmods the installed
> > files!
> > 
> > ...and a little investigation shows debsums is just using File::Path::rmtree.
> 
> The rmtree implementation actually tries to avoid this, but does it
> wrong: it _reads_ the permissions from the symbolic link, then
> _applies_ changed permissions through chmod, which affects the target
> instead.
> 
> It looks like this bug isn't as severe in perl-modules 5.8.8-12.

It doesn't appear to be present at all.

> The relevant lines of code appear to be:
> 
> >From <perl-modules 5.8.8-12> /usr/share/perl/5.8.8/File/Path.pm:
> |            chmod $rp | 0600, $root
> |              or carp "Can't make file $root writeable: $!"
> |                if $force_writeable;
> 
> >From <perl-modules 5.10.0-10> /usr/share/perl/5.10.0/File/Path.pm:
> |            my $nperm = $perm & 07777 | 0600;
> |            if ($nperm != $perm and not chmod $nperm, $root) {
> |                if ($Force_Writeable) {
> |                    _error($arg, "cannot make file writeable", $canon);
> |                }
> |            }
> 
> As can be seen above, the version from 5.8.8-12 only does the
> erroneous chmod if $force_writeable is turned on, whereas the version
> from 5.10.0-10 does the erroneous chmod in all cases where the target
> is a symbolic link.

Yes, and $force_writeable or $Force_Writeable is always false on Debian
systems.

> FWIW, I have a live report of this affecting more than terminfo on my
> machine, drache (as a partial confirmation of the analysis):
> 
> -rwxrwxrwx 1 root  root   194924 2008-06-01
> 06:44 /emul/ia32-linux/lib/libncurses.so.5.6
> -rwxrwxrwx 1 root  root    69560 2008-06-01
> 06:44 /emul/ia32-linux/lib/libtic.so.5.6
> -rwxrwxrwx 1 root  root   248288 2008-05-06
> 07:33 /lib/libncurses.so.5.6
> -rwxrwxrwx 1 root  root    74128 2008-05-06 07:33 /lib/libtic.so.5.6

It appears that package installation only triggers this if:

1. installation is done using APT with the debsums hook enabled
2. perl-modules 5.10 is installed
3. there are no md5sums in the package
4. the package contains sym-links to absolute paths

There are few packages for which 3 and 4 are true.

Ben.

-- 
Ben Hutchings
Design a system any fool can use, and only a fool will want to use it.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #55 received at 487319@bugs.debian.org (full text, mbox):

From: Drake Wilson <drake@begriffli.ch>
To: debian-devel@lists.debian.org
Cc: 487317@bugs.debian.org, 487319@bugs.debian.org
Subject: Re: Bug#487317: perl-modules: File::Path::rmtree sets symlink target permissions to 0777
Date: Sat, 21 Jun 2008 12:33:15 -0500
Quoth Russ Allbery <rra@debian.org>, on 2008-06-21 09:29:33 -0700:
> There's an lchmod function that avoids this behavior, but I'm not sure
> that Perl provides an interface to it without a new XS module.  (It's not
> portable to all systems, but it is available on Linux.)

I'm basically familiar with lchmod, but is it really available on this
platform?  It doesn't seem to be.  With Debian GNU/Linux unstable on
AMD64 with Linux 2.6.24.2 and GCC 4.3.1 20080523 (prerelease) (Debian
4.3.0-5), I get the following results (newlines added for clarity):

  $ ln -s /dev/null foo
  $ ls -l foo
  lrwxrwxrwx 1 drake drake 9 2008-06-21 12:27 foo -> /dev/null

  $ man 2 lchmod
  No manual entry for lchmod in section 2
  $ man 3 lchmod
  No manual entry for lchmod in section 3

  $ cat >lchmod.c
  main() { lchmod("foo", 0700); }
  $ gcc -o lchmod lchmod.c
  /tmp/cc478IUh.o: In function `main':
  lchmod.c:(.text+0x18): warning: warning: lchmod is not implemented and will always fail
  $ ./lchmod
  $ ls -l foo
  lrwxrwxrwx 1 drake drake 9 2008-06-21 12:27 foo -> /dev/null

  $ gcc -static -o lchmod lchmod.c
  /tmp/ccqjaRGU.o: In function `main':
  lchmod.c:(.text+0x18): warning: warning: lchmod is not implemented and will always fail
  $ strace ./lchmod
  execve("./lchmod", ["./lchmod"], [/* 40 vars */]) = 0
  uname({sys="Linux", node="drache", ...}) = 0
  brk(0)                                  = 0x68b000
  brk(0x68bf10)                           = 0x68bf10
  arch_prctl(ARCH_SET_FS, 0x68b850)       = 0
  brk(0x6acf10)                           = 0x6acf10
  brk(0x6ad000)                           = 0x6ad000
  exit_group(-1)                          = ?
  Process 16730 detached

   ---> Drake Wilson




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #60 received at 487319@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: debian-devel@lists.debian.org
Cc: 487317@bugs.debian.org, 487319@bugs.debian.org
Subject: Re: Bug#487317: perl-modules: File::Path::rmtree sets symlink target permissions to 0777
Date: Sat, 21 Jun 2008 10:36:56 -0700
Drake Wilson <drake@begriffli.ch> writes:

> I'm basically familiar with lchmod, but is it really available on this
> platform?  It doesn't seem to be.  With Debian GNU/Linux unstable on
> AMD64 with Linux 2.6.24.2 and GCC 4.3.1 20080523 (prerelease) (Debian
> 4.3.0-5), I get the following results (newlines added for clarity):
>
>   $ ln -s /dev/null foo
>   $ ls -l foo
>   lrwxrwxrwx 1 drake drake 9 2008-06-21 12:27 foo -> /dev/null
>
>   $ man 2 lchmod
>   No manual entry for lchmod in section 2
>   $ man 3 lchmod
>   No manual entry for lchmod in section 3
>
>   $ cat >lchmod.c
>   main() { lchmod("foo", 0700); }
>   $ gcc -o lchmod lchmod.c
>   /tmp/cc478IUh.o: In function `main':
>   lchmod.c:(.text+0x18): warning: warning: lchmod is not implemented and will always fail

Ah, indeed -- I was confusing it with lchown.  Looks like Linux doesn't
implement lchmod after all.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #65 received at 487319@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Ben Hutchings <ben@decadent.org.uk>, 487319@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#487319: perl-modules: File::Path::rmtree safe is not really safe
Date: Sat, 21 Jun 2008 22:54:30 +0300
tag 487319 pending
thanks

On Sat, Jun 21, 2008 at 10:07:30AM +0300, Niko Tyni wrote:
> 
> > touch foo  # permissions 0666 & ~umask
> > ln -s foo bar
> > perl -e 'use File::Path rmtree; rmtree bar'
> > ls -l foo  # permissions 0777

> I just forwarded this to [rt.cpan.org #36982] and sent a notice to the
> perl5-porters list too. I'm pretty short on time this weekend; an NMU
> would be welcome if somebody feels sure enough the patch is sufficient.

Fixed sid upload is now in incoming, no need to NMU after all.
-- 
Niko Tyni   ntyni@debian.org




Tags added: pending Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sat, 21 Jun 2008 19:57:03 GMT) Full text and rfc822 format available.

Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Ben Hutchings <ben@decadent.org.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #72 received at 487319-close@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 487319-close@bugs.debian.org
Subject: Bug#487319: fixed in perl 5.10.0-11
Date: Sat, 21 Jun 2008 21:02:38 +0000
Source: perl
Source-Version: 5.10.0-11

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.0-11_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.10.0-11_all.deb
libperl-dev_5.10.0-11_amd64.deb
  to pool/main/p/perl/libperl-dev_5.10.0-11_amd64.deb
libperl5.10_5.10.0-11_amd64.deb
  to pool/main/p/perl/libperl5.10_5.10.0-11_amd64.deb
perl-base_5.10.0-11_amd64.deb
  to pool/main/p/perl/perl-base_5.10.0-11_amd64.deb
perl-debug_5.10.0-11_amd64.deb
  to pool/main/p/perl/perl-debug_5.10.0-11_amd64.deb
perl-doc_5.10.0-11_all.deb
  to pool/main/p/perl/perl-doc_5.10.0-11_all.deb
perl-modules_5.10.0-11_all.deb
  to pool/main/p/perl/perl-modules_5.10.0-11_all.deb
perl-suid_5.10.0-11_amd64.deb
  to pool/main/p/perl/perl-suid_5.10.0-11_amd64.deb
perl_5.10.0-11.diff.gz
  to pool/main/p/perl/perl_5.10.0-11.diff.gz
perl_5.10.0-11.dsc
  to pool/main/p/perl/perl_5.10.0-11.dsc
perl_5.10.0-11_amd64.deb
  to pool/main/p/perl/perl_5.10.0-11_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 487319@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Jun 2008 15:18:50 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all amd64
Version: 5.10.0-11
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 487319
Changes: 
 perl (5.10.0-11) unstable; urgency=high
 .
   * [SECURITY] File::Path::rmtree() no longer makes symlink targets
     world-writable. Patch by Ben Hutchings. (Closes: #487319)
Checksums-Sha1: 
 180aee7d33c7c201afea6d951fffe8c508814a12 1199 perl_5.10.0-11.dsc
 7170d164fae8789945718c4a1af308cb3f34d06d 104976 perl_5.10.0-11.diff.gz
 c9b9efe67d313208c03bfe0e5a187bf67f925b4b 42778 libcgi-fast-perl_5.10.0-11_all.deb
 2542408dd32c7509018bf5f0650c816554583b30 8241596 perl-doc_5.10.0-11_all.deb
 118c92406e673b2ca90e64ab26cfe21c10eba00e 3293564 perl-modules_5.10.0-11_all.deb
 f74bbf8f355a72fbcb3815a69b96644a756c9551 942998 perl-base_5.10.0-11_amd64.deb
 4d75205dd317893564cefe9150caffc1564be771 5569832 perl-debug_5.10.0-11_amd64.deb
 f811b6c7e6106fa5827a3fa5a4231972a05c180d 31518 perl-suid_5.10.0-11_amd64.deb
 30310f87064e4fc6842c6d092e52448e487bb307 1010 libperl5.10_5.10.0-11_amd64.deb
 e8c315215738c3b005d0e0b97c95ec699cfc40cd 2604354 libperl-dev_5.10.0-11_amd64.deb
 ca3230b8dd297b277b33469b113a4f0c19aace92 5247880 perl_5.10.0-11_amd64.deb
Checksums-Sha256: 
 de5de0fd5a6d66d40caeb0e9648bc19694c643b76d224f2dbd55c88787ae5907 1199 perl_5.10.0-11.dsc
 dbe2cb8a93d94fc644fc62f059a6a0b136479771b029ac6887606914a7a464c6 104976 perl_5.10.0-11.diff.gz
 c5b7cb0a499e002ea58dcb1c3db48e4b8e33f4fee6d7069d7abe118ac6255009 42778 libcgi-fast-perl_5.10.0-11_all.deb
 a3ee01c6266893623cafac46f6395d9d4f5dcd8222487e533738e07fee8039e4 8241596 perl-doc_5.10.0-11_all.deb
 1cd0c0c3bc03e67c25af1db6d99efcd54b77cc8938c93bb008a685cd67d61e5a 3293564 perl-modules_5.10.0-11_all.deb
 24af7655a83e4061a6a178591cdb8e732795e0ef2723e0787ae646147a62a21b 942998 perl-base_5.10.0-11_amd64.deb
 f5b5679b44cc6604933a2426e11f48daabdc12b62052cd0253d57b9e12a80b82 5569832 perl-debug_5.10.0-11_amd64.deb
 35e555dbc1f4449732fc23cddd91f7081abd9cf6b643a2128e0916c0d7ca52a4 31518 perl-suid_5.10.0-11_amd64.deb
 c8e6313e3a29c053a888cf69aeb106d2448cfd13b58d503e6970f7dc8d7334ea 1010 libperl5.10_5.10.0-11_amd64.deb
 963db0f223b4e99b7d7d8b94e6a6054c28477f6ee62d1fff9424a6059cac22b7 2604354 libperl-dev_5.10.0-11_amd64.deb
 60a5fdfabe90b026004f35c62a2ea701f5d488a2a5934008e891ce57f25c2fb8 5247880 perl_5.10.0-11_amd64.deb
Files: 
 a3338006c72eb0a4460c0484bfe8900d 1199 perl standard perl_5.10.0-11.dsc
 e7de340152f447ef938cf2b9ee0ce556 104976 perl standard perl_5.10.0-11.diff.gz
 bd1c326a4ab5d8b8763094f8497e9e33 42778 perl optional libcgi-fast-perl_5.10.0-11_all.deb
 b507b555d425fb47221c609bb6c72f77 8241596 doc optional perl-doc_5.10.0-11_all.deb
 6e8ce6f30e1041f9cf2da6b14a780b6d 3293564 perl standard perl-modules_5.10.0-11_all.deb
 49416b9021c94605e635923898253b0b 942998 perl required perl-base_5.10.0-11_amd64.deb
 5dfaac5a33ccef7e77473fea223fb90b 5569832 perl optional perl-debug_5.10.0-11_amd64.deb
 b8258115380560368df156a75f293b6d 31518 perl optional perl-suid_5.10.0-11_amd64.deb
 0d8548ed8d046e310834f7b5b6467c51 1010 libs optional libperl5.10_5.10.0-11_amd64.deb
 8746560858e84381edb048ad592d28f0 2604354 libdevel optional libperl-dev_5.10.0-11_amd64.deb
 95421bfd7a344b98bfa239c3a441ba7e 5247880 perl standard perl_5.10.0-11_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIXVrTiyizGWoHLTkRAoVHAKCQQU5LeOzM+NxTYhy1poOgeeUrPQCgrD4v
aZOVvfaGoXjUg5GZm3zgEK4=
=GTUU
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #77 received at 487319@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Frans Pop <elendil@planet.nl>
Cc: team@security.debian.org, Niko Tyni <ntyni@debian.org>, Ben Hutchings <ben@decadent.org.uk>, 487319@bugs.debian.org
Subject: Re: Bug#487319: perl-modules: File::Path::rmtree safe is not really safe
Date: Mon, 23 Jun 2008 20:25:17 +0200
[Message part 1 (text/plain, inline)]
Hi

A CVE id was assigned for this issue, please use this for future references.

Name: CVE-2008-2827
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2827
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487319
Reference: MISC:http://rt.cpan.org/Public/Bug/Display.html?id=36982

The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly
check permissions before performing a chmod, which allows local users
to modify the permissions of arbitrary files via a symlink attack, a
different vulnerability than CVE-2005-0448 and CVE-2004-0452.


Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to "Kevin B. McCarty" <kmccarty@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #82 received at 487319@bugs.debian.org (full text, mbox):

From: "Kevin B. McCarty" <kmccarty@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 487319@bugs.debian.org
Subject: Re: possible check for perl problem in Debian testing distribution
Date: Mon, 23 Jun 2008 18:35:37 -0700
[Message part 1 (text/plain, inline)]
Steffen Joeris wrote:
> On Sun, 22 Jun 2008 07:43:16 pm Kevin B. McCarty wrote:
>> Hi,
>>
>> On Sun, Jun 22, 2008 at 3:48 AM, Steffen Joeris
>>
>> <steffen.joeris@skolelinux.de> wrote:
>>> Hi Kevin
>>>
>>> I talked to dato and he recommended to talk to you. At the moment, the
>>> perl bug[0] probably affects a few packages in debian testing. It would
>>> now be good to find out how many packages are affected, so we could
>>> prepare an advisory. The fixed perl packages should migrate to testing
>>> soon, otherwise I have a DTSA ready. Now, I was wondering, if you have
>>> the time and energy to check, how many packages are affected. Some
>>> instructions (especially point 3+4) can be found here[1].

Hi,

I'm running a script now but it may not be done soon since it needs to
go through every package (no shortcut with Depends etc.)  It may not be
the most efficient way to do things since I typed it up really fast.

In case I botched the script, I'm also attaching it so you can take a
look at it and double check my results (which I'll email you when it's
done, maybe tomorrow).  Change the top of the script to your desired
mirror and arch(es).

best regards,

-- 
Kevin B. McCarty <kmccarty@gmail.com>
WWW: http://www.starplot.org/
WWW: http://people.debian.org/~kmccarty/
GPG: public key ID 4F83C751
[find-nomd5-abssymlinks.sh (application/x-shellscript, inline)]
[signature.asc (application/pgp-signature, attachment)]

Bug marked as fixed in version 5.10.0-10+lenny1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 24 Jun 2008 18:12:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to "Kevin B. McCarty" <kmccarty@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #89 received at 487319@bugs.debian.org (full text, mbox):

From: "Kevin B. McCarty" <kmccarty@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 487319@bugs.debian.org
Subject: Re: possible check for perl problem in Debian testing distribution
Date: Tue, 24 Jun 2008 17:57:00 -0700
Kevin B. McCarty wrote:

> Hi,
> 
> I'm running a script now but it may not be done soon since it needs to
> go through every package (no shortcut with Depends etc.)  It may not be
> the most efficient way to do things since I typed it up really fast.
> 
> In case I botched the script, I'm also attaching it so you can take a
> look at it and double check my results (which I'll email you when it's
> done, maybe tomorrow).  Change the top of the script to your desired
> mirror and arch(es).

The script got through libx or so before stopping for some reason ...
here's the list of packages ("i386" and "all", only in "main") detected
up to this point alphabetically:

ed_0.7-1_i386.deb
inn_1.7.2q-35_i386.deb
java-gcj-compat-plugin_1.0.78-1_i386.deb
lib64ncurses5-dev_5.6+20080614-1_i386.deb
libbz2-dev_1.0.5-0.1_i386.deb
libncurses5-dev_5.6+20080614-1_i386.deb
libncursesw5-dev_5.6+20080614-1_i386.deb
libvolume-id-dev_0.114-2_i386.deb

Now off to figure out how to restart it without starting from scratch...

-- 
Kevin B. McCarty <kmccarty@gmail.com>
WWW: http://www.starplot.org/
WWW: http://people.debian.org/~kmccarty/
GPG: public key ID 4F83C751




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to "Kevin B. McCarty" <kmccarty@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #94 received at 487319@bugs.debian.org (full text, mbox):

From: "Kevin B. McCarty" <kmccarty@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 487319@bugs.debian.org
Subject: Re: possible check for perl problem in Debian testing distribution
Date: Wed, 25 Jun 2008 18:16:29 -0700
[Message part 1 (text/plain, inline)]
Hi again Steffen,

Kevin B. McCarty wrote:

> ed_0.7-1_i386.deb
> inn_1.7.2q-35_i386.deb
> java-gcj-compat-plugin_1.0.78-1_i386.deb
> lib64ncurses5-dev_5.6+20080614-1_i386.deb
> libbz2-dev_1.0.5-0.1_i386.deb
> libncurses5-dev_5.6+20080614-1_i386.deb
> libncursesw5-dev_5.6+20080614-1_i386.deb
> libvolume-id-dev_0.114-2_i386.deb

Here are the remainder of the "i386" and "all" packages that contain
absolute symlinks but do not include md5sums in the debian control
information:

module-init-tools_3.4-1_i386.deb
ncurses-base_5.6+20080614-1_all.deb
smartlist_3.15-20_i386.deb
latex2html_2002-2-1-20050114-6_all.deb

[N.B. latex2html is in non-free, all the rest are in main]

I hope this information proves useful!

best regards,

-- 
Kevin B. McCarty <kmccarty@gmail.com>
WWW: http://www.starplot.org/
WWW: http://people.debian.org/~kmccarty/
GPG: public key ID 4F83C751

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#487319; Package perl-modules. Full text and rfc822 format available.

Acknowledgement sent to Osamu Aoki <osamu@debian.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. Full text and rfc822 format available.

Message #99 received at 487319@bugs.debian.org (full text, mbox):

From: Osamu Aoki <osamu@debian.org>
To: 487319@bugs.debian.org
Cc: Frans Pop <elendil@planet.nl>
Subject: libncurses5 is affected too
Date: Sat, 28 Jun 2008 18:22:43 +0900
Hi,

The affected package list in the Debian Testing Security Announcement
http://lists.debian.org/debian-testing-security-announce/2008/06/msg00016.html
was not complete for me.

I needed to reinstall libncurses5.

~$ ls -l /lib/libncurses.so.5.6 /lib/libtic.so.5.6
-rwxrwxrwx 1 root root 255904 2008-06-17 14:13 /lib/libncurses.so.5.6
-rwxrwxrwx 1 root root  77328 2008-06-17 14:13 /lib/libtic.so.5.6
~$ dpkg -S /lib/libncurses.so.5.6 /lib/libtic.so.5.6
libncurses5: /lib/libncurses.so.5.6
libncurses5: /lib/libtic.so.5.6
(reinstall in different terminal)
~$ ls -l /lib/libncurses.so.5.6 /lib/libtic.so.5.6
-rw-r--r-- 1 root root 255904 2008-06-17 14:13 /lib/libncurses.so.5.6
-rw-r--r-- 1 root root  77328 2008-06-17 14:13 /lib/libtic.so.5.6





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jul 2008 07:27:37 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:53:46 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.