[Bug 173793] New: CAN-2005-0448 perl File::Path.pm rmtree race condition

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.




https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173793

           Summary: CAN-2005-0448 perl File::Path.pm rmtree race condition
           Product: Fedora Core
           Version: fc4
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: normal
         Component: perl
        AssignedTo: jvdias@xxxxxxxxxx
        ReportedBy: mjc@xxxxxxxxxx
         QAContact: dkl@xxxxxxxxxx
                CC: fedora-perl-devel-list@xxxxxxxxxx,wtogami@xxxxxxxxxx


+++ This bug was initially created as a clone of Bug #157695 +++

Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4
allows local users to create arbitrary setuid binaries in the tree being
deleted, a different vulnerability than CAN-2004-0452.

http://marc.theaimsgroup.com/?l=bugtraq&m=111039131424834&w=2

Attachment 114350 contains the Ubuntu patch (it needs some cleaning up).

-- Additional comment from wtogami@xxxxxxxxxx on 2005-05-28 02:05 EST --
"Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4
allows local users to create arbitrary setuid binaries"

5.8.4 means FC3 is unaffected because we have perl-5.8.5?  Can someone confirm?

-- Additional comment from bressers@xxxxxxxxxx on 2005-05-28 08:41 EST --
Warren,

I just took a look at the latest perl source; this issue has not been fixed by
upstream.  It's proving very hard to do right, which is probably why upstream
hasn't done it yet.

-- Additional comment from wtogami@xxxxxxxxxx on 2005-05-31 06:40 EST --
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=114350
Attachment to fix this security bug is from Ubuntu, but we require help cleaning
it up and testing before issuing a FC3 update.  Apparently this is a difficult
problem to fix, and this is our second attempt doing so. =(


-- Additional comment from prockai@xxxxxxxxxx on 2005-06-15 14:01 EST --
Created an attachment (id=115494)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=115494&action=view)
Debian's 03_fix_file_path

Why not just use the Debian patch? (attached)

-- Additional comment from prockai@xxxxxxxxxx on 2005-06-16 04:22 EST --
Assigning to self.

-- Additional comment from prockai@xxxxxxxxxx on 2005-06-16 08:15 EST --
Patched in CVS. Testing requested - if anyone has an exploit or something like
that, please try it out. The testsuite passes exactly like before patching, but
regression testing is welcome as well.

-- Additional comment from prockai@xxxxxxxxxx on 2005-07-28 09:07 EST --
Fixed in FC3 update perl-5.8.5-14.FC3


