Red Hat Bugzilla – Bug 473450
CVE-2008-5302 perl: File::Path rmtree race condition (CVE-2005-0448) reintroduced after upstream rebase to 5.8.8-1
Last modified: 2010-06-08 02:22:03 EDT
Created attachment 325021 [details]
Ours perl-5.8.0-CAN-2005-0448-rmtree.patch applied against perl_5.8.0-90.4
Common Vulnerabilities and Exposures originally assigned an identifier CVE-2005-0448 to the following vulnerability:
Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being
deleted, a different vulnerability than CVE-2004-0452.
It was discovered that after upstream perl rebase to 5.8.8-1, this issue
was reintroduced (seems upstream didn't apply fix for CVE-2005-0448).
This issue already fixed again in perl-5.10.
Link to original CVE-2005-0448 patch:
Patch we applied in RHSA-2005:881(el3) and in RHSA-2005:674(el4):
Note: This is different vulnerability then CVE-2004-0452, CVE-2005-0448
and yet different to CVE-2008-2827.
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. More information regarding
issue severity can be found here:
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0458 https://rhn.redhat.com/errata/RHSA-2010-0458.html