Bug#863870: perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]

Dominic Hargreaves dom at earth.li
Thu Jun 1 09:41:56 UTC 2017


Package: perl
Version: 5.26.0~rc1-1
Severity: critical
Justification: privilege escalation in library code

Similar to #286905, a new race condition has been reported in File-Path:

https://rt.cpan.org/Public/Bug/Display.html?id=121951

In the rmtree() and remove_tree() functions, the chmod() logic to make
directories traversable can be abused to set the mode on an
attacker-chosen file to an attacker-chosen value.  This is due to the
time-of-check-to-time-of-use (TOCTTOU) race condition
(https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
stat() that decides the inode is a directory and the chmod() that tries
to make it user-rwx.

Fixed on CPAN with 2.13.
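
The check-then-use pattern described in the report, beside a descriptor-based form that binds the directory check and the mode change to the same inode. This is an added example, not part of the original report and not File-Path's code or its 2.13 fix. The function names, the `between` hook (a constructed stand-in for a concurrent change to the path) and the temp-dir scenario are assumptions, and it relies on a POSIX system that provides O_NOFOLLOW, O_DIRECTORY and fchmod().

```python
import os
import stat
import tempfile

def chmod_dir_racy(path, mode, between=None):
    """Check-then-use on a path name: the pattern the report describes."""
    st = os.lstat(path)                  # time of check: is it a directory?
    if not stat.S_ISDIR(st.st_mode):
        return False
    if between:                          # hypothetical hook: makes the window
        between()                        # between check and use deterministic
    os.chmod(path, mode)                 # time of use: the name is resolved again
    return True

def chmod_dir_safe(path, mode):
    """Open once without following symlinks, then check and chmod the fd."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:                      # symlink, non-directory, or missing
        return False
    try:
        if not stat.S_ISDIR(os.fstat(fd).st_mode):
            return False
        os.fchmod(fd, mode)              # acts on the inode that was checked
        return True
    finally:
        os.close(fd)

def demo():
    """Constructed scenario in a private temp dir; returns what was observed."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.txt")
        target = os.path.join(root, "subdir")
        with open(victim, "w") as f:
            f.write("x")
        os.chmod(victim, 0o600)
        os.mkdir(target)

        def swap():                      # the path stops naming a directory
            os.rmdir(target)
            os.symlink(victim, target)

        chmod_dir_racy(target, 0o700, between=swap)
        racy_mode = stat.S_IMODE(os.stat(victim).st_mode)

        os.chmod(victim, 0o600)          # reset, then retry with the fd form
        safe_result = chmod_dir_safe(target, 0o700)
        safe_mode = stat.S_IMODE(os.stat(victim).st_mode)
        return racy_mode, safe_result, safe_mode
```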
