Bug 161053 - CVE-2005-0448 perl File::Path.pm rmtree race condition
Summary: CVE-2005-0448 perl File::Path.pm rmtree race condition
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: perl
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks: 168424
TreeView+ depends on / blocked
 
Reported: 2005-06-20 09:35 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version: RHSA-2005-881
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-12-20 14:58:47 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
perl-5.8.0-CAN-2005-0448-rmtree.patch (7.52 KB, patch)
2005-10-19 00:03 UTC, David Eisenstein 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:881 0 normal SHIPPED_LIVE Moderate: perl security update 2005-12-20 05:00:00 UTC

Description Mark J. Cox 2005-06-20 09:35:51 UTC 
+++ This bug was initially created as a clone of Bug #157694 +++

Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4
allows local users to create arbitrary setuid binaries in the tree being
deleted, a different vulnerability than CAN-2004-0452.

http://marc.theaimsgroup.com/?l=bugtraq&m=111039131424834&w=2
Comment 1 David Eisenstein 2005-10-19 00:03:46 UTC 
Created attachment 120147 [details]
perl-5.8.0-CAN-2005-0448-rmtree.patch


This attachment is a patch we in Fedora Legacy have proposed to fix
CAN-2005-0448 for RH9 in bug #152845, which is also perl-5.8.0.  This patch is
courtesy of John Dalbec, who found it and (back?)ported it.  I believe its
original source is from Ubuntu, but I am not clear on that.  

In any event, this patch is almost identical to a similar patch that Debian did
for this same issue; you can see analysis for the legacy FC1 version of this
patch in Bug 152845 comment #8 and the RH9 patch (this one) in Bug 152845
comment #21.

SHA1SUM
cce62228741d6a6d927b06b6a2c4b8ebc29a30bf  perl-5.8.0-CAN-2005-0448-rmtree.patch


Cheers!  And hope this helps!  :-)
Comment 5 Jason Vas Dias 2005-11-03 18:43:11 UTC 
This bug was fixed with RHEL-3-U5's perl-5.8.0-89.10 version, which was in the
'RHEL-3-embargo' CVS branch and never integrated with the 'RHEL-3' CVS head 
branch. Chip Turner's patch for this issue ('perl-5.8.0-rmtree.patch') is now
applied in the head RHEL-3 branch with perl-5.8.0-90.+ .
Comment 6 Jason Vas Dias 2005-11-03 20:38:02 UTC 
Sorry, I was getting confused with CAN-2004-0452 , which is fixed in U5 .

CVE-2005-0448 STILL AFFECTS RHEL-3 .

Fixing now.
Comment 7 Jason Vas Dias 2005-11-08 18:23:26 UTC 
This bug is now fixed in perl-5.8.0-90.2 .
Comment 8 David Eisenstein 2005-11-11 04:43:17 UTC 
Have you all issued an RHSA / Errata for this fixed bug in RHEL 3?
Comment 9 Mark J. Cox 2005-11-14 10:08:51 UTC 
David, this flaw is not yet included in a published RHSA for RHEL3.  However the
bug is in MODIFIED state which means that a fix for this flaw has been tested,
committed, and will be part of a future RHSA for RHEL3 perl.
Comment 12 Red Hat Bugzilla 2005-12-20 14:58:33 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-881.html
Comment 13 Red Hat Bugzilla 2005-12-20 14:58:50 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-881.html
Note You need to log in before you can comment on or make changes to this bug.