[Bug 173793] CAN-2005-0448 perl File::Path.pm rmtree race condition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CAN-2005-0448 perl File::Path.pm rmtree race condition


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173793


jvdias@xxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |NOTABUG




------- Additional Comments From jvdias@xxxxxxxxxx  2005-11-21 18:18 EST -------
perl 5.8.6 in FC-4 and perl-5.8.7 in FC-5 should NOT be vulnerable to this 
exploit - if anyone has found to the contrary, please supply a test case
(perl script that exploits the vulnerability). 

I think the CVE is correct in stating that this is only a problem with 5.8.3(-).

The 5.8.7 rmtree differs from that of 5.8.6 ONLY in potentially adding more
privileges when it does the chmod before the remove - it sets the permissions
of each file to ($rp | 0x00), where $rp is the permissions of the path being
removed, instead of FC-4's 0x00, and in adding better support for VMS .

Debian has gone with its own implementation of Path::rmtree, which is 
incompatible with the upstream version and shows no sign of being accepted
there, and still carries the same warnings about the fundamental insecurity
of the whole algorithm used by Path::rmtree . 

Gentoo basically copies Debian's patch.

Neither Trustix nor OWL patch the upstream 5.8.7/5.8.6 Path::rmtree code at all.

I think we should minimise the differences between our perl distribution and
the upstream version. Since neither trustix nor owl have seen fit to patch
the 5.8.6 or 5.8.7 Path::rmtree, and since no exploits for the 5.8.6/5.8.7
rmtree have been reported, I think we should stick with the upstream version.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Fedora PHP Devel]     [Kernel Devel]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite Information]
  Powered by Linux