Bug 161053

Summary: CVE-2005-0448 perl File::Path.pm rmtree race condition
Product: Red Hat Enterprise Linux 3
Reporter: Mark J. Cox <mjc>
Component: perl
Assignee: Jason Vas Dias <jvdias>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 3.0
CC: jpdalbec
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: RHSA-2005-881
Doc Type: Bug Fix
Last Closed: 2005-12-20 14:58:47 UTC
Bug Blocks: 168424
Attachments: perl-5.8.0-CAN-2005-0448-rmtree.patch (flags: none)

Description Mark J. Cox 2005-06-20 09:35:51 UTC
+++ This bug was initially created as a clone of Bug #157694 +++

Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4
allows local users to create arbitrary setuid binaries in the tree being
deleted, a different vulnerability than CAN-2004-0452.

http://marc.theaimsgroup.com/?l=bugtraq&m=111039131424834&w=2
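
An added example, not part of the original report or of the attached patch: one way to delete a tree that other local users can write to without re-resolving path names, so an entry swapped mid-deletion cannot redirect the operation. It uses Python for the fd-relative system calls rather than Perl; `rmtree_fd` and `demo` are hypothetical names, and the sample tree is constructed.

```python
import os
import stat
import tempfile

def rmtree_fd(name, dir_fd=None):
    """Remove directory `name` (relative to dir_fd) without following symlinks."""
    before = os.lstat(name, dir_fd=dir_fd)
    # O_NOFOLLOW: if `name` is (or was swapped for) a symlink, open fails
    # instead of descending into the link target.
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        # The opened object must be the one that was just examined.
        if not os.path.samestat(before, os.fstat(fd)):
            raise OSError("directory changed while opening: %r" % name)
        with os.scandir(fd) as it:
            names = [entry.name for entry in it]
        for child in names:
            # Every operation below is relative to fd, never to a re-resolved path.
            st = os.lstat(child, dir_fd=fd)
            if stat.S_ISDIR(st.st_mode):
                rmtree_fd(child, dir_fd=fd)
            else:
                os.unlink(child, dir_fd=fd)  # removes a symlink itself, not its target
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=dir_fd)

def demo():
    """Constructed sample: tree/sub/link is a symlink to a directory outside the tree."""
    base = tempfile.mkdtemp()
    tree, outside = os.path.join(base, "tree"), os.path.join(base, "outside")
    os.makedirs(os.path.join(tree, "sub"))
    os.mkdir(outside)
    keep = os.path.join(outside, "keep.txt")
    for path in (keep, os.path.join(tree, "sub", "f")):
        open(path, "w").close()
    os.symlink(outside, os.path.join(tree, "sub", "link"))
    rmtree_fd(tree)
    return os.path.exists(tree), os.path.exists(keep)

if __name__ == "__main__":
    print(demo())
```

A swap detected at any level raises `OSError` and stops the deletion rather than continuing on a different object.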

Comment 1 David Eisenstein 2005-10-19 00:03:46 UTC
Created attachment 120147
perl-5.8.0-CAN-2005-0448-rmtree.patch


This attachment is a patch we in Fedora Legacy have proposed to fix
CAN-2005-0448 for RH9 in bug #152845, which is also perl-5.8.0.  This patch is
courtesy of John Dalbec, who found it and (back?)ported it.  I believe its
original source is from Ubuntu, but I am not clear on that.  

In any event, this patch is almost identical to a similar patch that Debian did
for this same issue; you can see analysis for the legacy FC1 version of this
patch in Bug 152845 comment #8 and the RH9 patch (this one) in Bug 152845
comment #21.

SHA1SUM
cce62228741d6a6d927b06b6a2c4b8ebc29a30bf  perl-5.8.0-CAN-2005-0448-rmtree.patch


Cheers!  And hope this helps!  :-)

Comment 5 Jason Vas Dias 2005-11-03 18:43:11 UTC
This bug was fixed with RHEL-3-U5's perl-5.8.0-89.10 version, which was in the
'RHEL-3-embargo' CVS branch and never integrated with the 'RHEL-3' CVS head 
branch. Chip Turner's patch for this issue ('perl-5.8.0-rmtree.patch') is now
applied in the head RHEL-3 branch with perl-5.8.0-90.+ .


Comment 6 Jason Vas Dias 2005-11-03 20:38:02 UTC
Sorry, I was getting confused with CAN-2004-0452, which is fixed in U5.

CVE-2005-0448 STILL AFFECTS RHEL-3.

Fixing now.

Comment 7 Jason Vas Dias 2005-11-08 18:23:26 UTC
This bug is now fixed in perl-5.8.0-90.2.

Comment 8 David Eisenstein 2005-11-11 04:43:17 UTC
Have you all issued an RHSA / Errata for this fixed bug in RHEL 3?

Comment 9 Mark J. Cox 2005-11-14 10:08:51 UTC
David, this flaw is not yet included in a published RHSA for RHEL3.  However, the
bug is in MODIFIED state, which means that a fix for this flaw has been tested,
committed, and will be part of a future RHSA for RHEL3 perl.

Comment 12 Red Hat Bugzilla 2005-12-20 14:58:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-881.html

