Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CAN-2005-0448 perl File::Path.pm rmtree race condition https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173793 jvdias@xxxxxxxxxx changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NOTABUG ------- Additional Comments From jvdias@xxxxxxxxxx 2005-11-21 18:18 EST ------- perl 5.8.6 in FC-4 and perl-5.8.7 in FC-5 should NOT be vulnerable to this exploit - if anyone has found to the contrary, please supply a test case (perl script that exploits the vulnerability). I think the CVE is correct in stating that this is only a problem with 5.8.3(-). The 5.8.7 rmtree differs from that of 5.8.6 ONLY in potentially adding more privileges when it does the chmod before the remove - it sets the permissions of each file to ($rp | 0x00), where $rp is the permissions of the path being removed, instead of FC-4's 0x00, and in adding better support for VMS . Debian has gone with its own implementation of Path::rmtree, which is incompatible with the upstream version and shows no sign of being accepted there, and still carries the same warnings about the fundamental insecurity of the whole algorithm used by Path::rmtree . Gentoo basically copies Debian's patch. Neither Trustix nor OWL patch the upstream 5.8.7/5.8.6 Path::rmtree code at all. I think we should minimise the differences between our perl distribution and the upstream version. Since neither trustix nor owl have seen fit to patch the 5.8.6 or 5.8.7 Path::rmtree, and since no exploits for the 5.8.6/5.8.7 rmtree have been reported, I think we should stick with the upstream version. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
