A vulnerability was found in perl File-Path. In the rmtree() and remove_tree() functions, the chmod()logic to make directories traversable can be abused to set the mode on an attacker-chosen file to an attacker-chosen value. This is due to the time-of-check-to-time-of-use (TOCTTOU) race condition between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx. Upstream issue: https://rt.cpan.org/Public/Bug/Display.html?id=121951 Upstream patch: https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2
Created perl-File-Path tracking bugs for this issue: Affects: fedora-all [bug 1457834]
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.