Bug#863870: perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]

Dominic Hargreaves dom at earth.li
Thu Jun 1 22:41:08 UTC 2017


On Thu, Jun 01, 2017 at 10:41:56AM +0100, Dominic Hargreaves wrote:
> Similar to #286905, a new race condition has been reported in File-Path:
> 
> https://rt.cpan.org/Public/Bug/Display.html?id=121951
> 
> In the rmtree() and remove_tree() functions, the chmod() logic to make
> directories traversable can be abused to set the mode on an
> attacker-chosen file to an attacker-chosen value.  This is due to the
> time-of-check-to-time-of-use (TOCTTOU) race condition
> (https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
> stat() that decides the inode is a directory and the chmod() that tries
> to make it user-rwx.
> 
> Fixed on CPAN with 2.13.

I've uploaded a fix to sid. As evidenced by the additional patch I
included, and upstream's testing, one package out of the CPAN top 2000
was broken by the change: a test in ExtUtils::MakeMaker; see

https://github.com/Perl-Toolchain-Gang/ExtUtils-MakeMaker/pull/294

Given the potential for other code to be affected, we are running a
rebuild of all perl rdeps with the new package. The results are available here:

http://perl.debian.net/rebuild-logs/experimental/report.html

(ignore everything with a date older than today).

Assuming that no breakage that we can't live with is found, I'll file
an unblock request.

Work on jessie is still ongoing.

Dominic.
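
The stat()-then-chmod() race described in the quoted report, reduced to the underlying POSIX calls as an added Python example; it is not File::Path's code and not the change made in 2.13. The function names, the `window` hook that stands in for the scheduling gap, and the temp-directory layout are all constructed for illustration.

```python
import os
import stat
import tempfile

def chmod_by_name(path, mode, window=lambda: None):
    """Check-then-use: lstat() decides, chmod() re-resolves the name later."""
    if not stat.S_ISDIR(os.lstat(path).st_mode):
        return False
    window()              # stands in for the gap between the two syscalls
    os.chmod(path, mode)  # follows whatever the name points to *now*
    return True

def chmod_by_fd(path, mode, window=lambda: None):
    """Pin the inode with one open(), then act only on the descriptor.
    Limitation: open() needs read permission on the directory."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:       # symlink, non-directory, or unreadable: refuse
        return False
    try:
        window()          # same gap; the name may change, the fd cannot
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)

def victim_mode_after(chmod_fn):
    """Constructed scenario in a private temp dir: the name 'subdir' is
    re-pointed at 'victim' inside the window. Returns victim's final mode."""
    with tempfile.TemporaryDirectory() as root:
        subdir = os.path.join(root, "subdir")
        victim = os.path.join(root, "victim")
        os.mkdir(subdir, 0o500)
        os.close(os.open(victim, os.O_CREAT | os.O_WRONLY, 0o600))
        os.chmod(victim, 0o600)   # exact mode regardless of umask

        def repoint():
            os.rename(subdir, subdir + ".moved")
            os.symlink(victim, subdir)

        chmod_fn(subdir, 0o700, repoint)
        return stat.S_IMODE(os.stat(victim).st_mode)

if __name__ == "__main__":
    print("by name:", oct(victim_mode_after(chmod_by_name)))
    print("by fd:  ", oct(victim_mode_after(chmod_by_fd)))
```

The by-name variant leaves the unrelated file with the requested mode, while the descriptor variant changes only the directory that was originally opened.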



