Bug 1457832 (CVE-2017-6512)

Summary: CVE-2017-6512 perl-File-Path: rmtree/remove_tree race condition
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: carnil, hhorak, jorton, perl-devel, perl-maint-list, ppisar, sardella
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: perl-File-Path 2.13 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-30 12:28:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1457834    
Bug Blocks: 1457837    

Description Andrej Nemec 2017-06-01 11:58:26 UTC
A vulnerability was found in perl File-Path. In the rmtree() and remove_tree() functions, the chmod()logic to make directories traversable can be abused to set the mode on an attacker-chosen file to an attacker-chosen value.  This is due to the time-of-check-to-time-of-use (TOCTTOU) race condition between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx.

Upstream issue:

https://rt.cpan.org/Public/Bug/Display.html?id=121951

Upstream patch:

https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2

Comment 1 Andrej Nemec 2017-06-01 11:59:31 UTC
Created perl-File-Path tracking bugs for this issue:

Affects: fedora-all [bug 1457834]

Comment 2 Stefan Cornelius 2017-06-30 12:28:42 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.