*** This bug has been split off bug 146737 ***
------- Original comment by Josh Bressers (Security Response Team) on 2005.01.31
The following issues were reported regarding running setuid perl executables
(I'm attaching the report as a text file as it is long):
buffer overflow caused by very long paths
and a PERLIO_DEBUG file overwrite bug.
The advisory is attachment 110480
The proposed patch is attachment 110481
This issue should also affect FC2.
CAN-2005-0155 for the privilege escalation in debug mode
CAN-2005-0156 for the buffer overflow
removing embargo (public by ubuntu)
should I cc fedora-legacy folks on this as well for FC1/FC2?
I think they're already working on it....
We've seen this exploited in the actual real world (there's easy-exploit code
all over the net); an update should be released as soon as possible.
Note that this doesn't actually require a perl script to be marked setuid, just
for perl-suidperl to be installed.
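The comment above makes the point that the exposure comes from the setuid interpreter itself (the sperl/suidperl binaries shipped by perl-suidperl), not from any particular script being marked setuid. A quick way to audit a host for that condition is to look for setuid perl interpreters on the filesystem. The script below is an added example, not code from the bug report or the advisory; it builds a constructed demo directory with a fake setuid `sperl5.8.3` so it can be run offline without touching the real `/usr/bin`.

```shell
#!/bin/sh
# Added audit helper (not part of the original bug report).
# Lists setuid perl interpreters (sperl*/suidperl* with the setuid bit set)
# under the given directories, one path per line.
find_setuid_perl() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name 'sperl*' -o -name 'suidperl*' \) \
            -perm -4000 2>/dev/null
    done
}

# Returns 0 when no setuid perl interpreter is present, 1 when one is found.
check_no_setuid_perl() {
    if [ -n "$(find_setuid_perl "$@")" ]; then
        return 1
    fi
    return 0
}

# Constructed demo directory standing in for /usr/bin: one fake setuid
# interpreter and one ordinary, non-setuid perl binary.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
: > "$demo/sperl5.8.3"
chmod 4755 "$demo/sperl5.8.3"
: > "$demo/perl"
chmod 0755 "$demo/perl"

# On a real host you would pass /usr/bin (and any other bindirs) instead.
if check_no_setuid_perl "$demo"; then
    echo "no setuid perl interpreter found"
else
    echo "setuid perl interpreter(s) present:"
    find_setuid_perl "$demo"
fi
```

Removing the setuid bit from the interpreter (or uninstalling perl-suidperl) is what closes the exposure until the fixed package is installed; `find_setuid_perl` only reports, it does not change modes.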
Date in the code above: 2005.01.30
Date this bug created: 2005.01.31
Today's date: 2005.03.22
Just another ping on this. We're coming up on the two-month mark. I've patched
our systems locally, but I worry for other people and for Fedora as a whole.
Almost three months now. This is beyond embarrassing.
As far as I can tell this is fixed in FC3 updates. Maybe Warren wants to
comment on this? He was about to release another perl update AFAIK.
A package which fixes this appeared in the updates tree on Apr. 27, but no
update announcement was sent out. Please, while it's good that the update is
finally there, it's important to send out the notices too.
Note also that when this problem was discovered, Fedora Core 2 was also still
(nominally, at least) maintained (See comment #1.) I'll let you decide if you
feel any responsibility about that. (Now separate Fedora Legacy bug #152845.)
Announcement sent for FC3. Please open a new bug for Legacy.
Thanks Warren. The Fedora Legacy bug already filed: bug #152845. I was just
suggesting that maybe Red Hat folks would consider helping Fedora Legacy put
together FC2 packages given the circumstances in this case.
The harsh reality is that RH engineers always have a huge pileup of unresolved
issues, so the fact that we haven't fixed FC2 is not unusual. Please handle
this in the community and don't distract the perpetually burnt out engineers
trying to make FC4 suck less.
s/distract/demand more from/
Believe me, I understand that reality, having just gone through 700 FC2 bugs for
conversion to Fedora Legacy. It just frustrates me that this *actively
exploited* *root compromise* bug was left ignored for so long, and then even
after I gave a heads-up on it to the security team and the issue was
"escalated", it continued to be ignored until, hey, how convenient, Fedora Core
2 is no longer maintained.
This makes me very frustrated about how well allegedly current Fedora Core
releases are supported, LET ALONE what we can do with Legacy with basically *no*
resources. If the general policy of Red Hat is to ignore root compromise bugs
with easy patches until the affected releases are no longer "maintained", the
whole thing is pretty much just a charade.
Michael Tiemann gave a very nice talk about how Fedora fits into the Red Hat
world, and how it's important to still address the "innovators" and "early
adopters". Making FC4 be very slick is great for the innovators, but ignoring
*current* releases is very, very hard on the early adopters. This *has* to be
more than just talk, or *we'll* get burned out. If you have a suggestion for how
to "handle this in the community", I'm very willing to listen.
Just to note that the Red Hat security response team does track the need to fix
issues that affect currently supported FC releases as well as RHEL releases, and
the stats show that on average we actually fix security issues faster in FC
releases, even though there is no SLA for fixing security issues in FC. We
would not delay a security fix just to wait for some older release to move to
Unfortunately, for this flaw, we switched Perl maintainers during the lifetime
of this bug and the new maintainer wanted to gain some confidence in his patches
as he had to change a few things to build it, in addition to the security patch
itself, which added a further delay to the already delayed update.
I understand that your intentions aren't actually malicious here. However, the
fact remains that the Fedora Legacy project has been left to repair this root
compromise issue which should have been fixed when Fedora Core 2 was being
maintained, SLA or not, and internal maintainer change or not. It seems like it
would be a friendly token of goodwill to have a little help.
If not, it will be *okay*, because some people are putting in some very good
volunteer effort to pick up the slack. That's pretty much all I have to say in
this bug -- feel free to contact me directly (or in the FL bug). Thanks.