Bug 161053 - CVE-2005-0448 perl File::Path.pm rmtree race condition
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: perl
3.0
All Linux
medium Severity medium
Assigned To: Jason Vas Dias
David Lawrence
: Security
Blocks: 168424
Reported: 2005-06-20 05:35 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHSA-2005-881
Doc Type: Bug Fix
Last Closed: 2005-12-20 09:58:47 EST

Attachments
perl-5.8.0-CAN-2005-0448-rmtree.patch (7.52 KB, patch)
2005-10-18 20:03 EDT, David Eisenstein

Description Mark J. Cox (Product Security) 2005-06-20 05:35:51 EDT
+++ This bug was initially created as a clone of Bug #157694 +++

Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4
allows local users to create arbitrary setuid binaries in the tree being
deleted, a different vulnerability than CAN-2004-0452.

http://marc.theaimsgroup.com/?l=bugtraq&m=111039131424834&w=2
Comment 1 David Eisenstein 2005-10-18 20:03:46 EDT
Created attachment 120147
perl-5.8.0-CAN-2005-0448-rmtree.patch


This attachment is a patch we in Fedora Legacy have proposed to fix
CAN-2005-0448 for RH9 in bug #152845, which is also perl-5.8.0.  This patch is
courtesy of John Dalbec, who found it and (back?)ported it.  I believe its
original source is from Ubuntu, but I am not clear on that.  

In any event, this patch is almost identical to a similar patch that Debian did
for this same issue; you can see analysis for the legacy FC1 version of this
patch in Bug 152845 comment #8 and the RH9 patch (this one) in Bug 152845
comment #21.

SHA1SUM
cce62228741d6a6d927b06b6a2c4b8ebc29a30bf  perl-5.8.0-CAN-2005-0448-rmtree.patch


Cheers!  And hope this helps!  :-)
Comment 5 Jason Vas Dias 2005-11-03 13:43:11 EST
This bug was fixed with RHEL-3-U5's perl-5.8.0-89.10 version, which was in the
'RHEL-3-embargo' CVS branch and never integrated with the 'RHEL-3' CVS head 
branch. Chip Turner's patch for this issue ('perl-5.8.0-rmtree.patch') is now
applied in the head RHEL-3 branch with perl-5.8.0-90.+ .
Comment 6 Jason Vas Dias 2005-11-03 15:38:02 EST
Sorry, I was getting confused with CAN-2004-0452 , which is fixed in U5 .

CVE-2005-0448 STILL AFFECTS RHEL-3 .

Fixing now.
Comment 7 Jason Vas Dias 2005-11-08 13:23:26 EST
This bug is now fixed in perl-5.8.0-90.2 .
Comment 8 David Eisenstein 2005-11-10 23:43:17 EST
Have you all issued an RHSA / Errata for this fixed bug in RHEL 3?
Comment 9 Mark J. Cox (Product Security) 2005-11-14 05:08:51 EST
David, this flaw is not yet included in a published RHSA for RHEL3.  However the
bug is in MODIFIED state which means that a fix for this flaw has been tested,
committed, and will be part of a future RHSA for RHEL3 perl.
Comment 12 Red Hat Bugzilla 2005-12-20 09:58:33 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-881.html
Comment 13 Red Hat Bugzilla 2005-12-20 09:58:50 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-881.html
