perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]

Debian Bug report logs - #863870
perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: submit@bugs.debian.org

Subject: perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]

Date: Thu, 1 Jun 2017 10:41:56 +0100

Package: perl
Version: 5.26.0~rc1-1
Severity: critical
Justification: privilege escalation in library code

Similar to #286905, a new race condition has been reported in File-Path:

https://rt.cpan.org/Public/Bug/Display.html?id=121951

In the rmtree() and remove_tree() functions, the chmod()logic to make
directories traversable can be abused to set the mode on an
attacker-chosen file to an attacker-chosen value.  This is due to the
time-of-check-to-time-of-use (TOCTTOU) race condition
(https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
stat() that decides the inode is a directory and the chmod() that tries
to make it user-rwx.

Fixed on CPAN with 2.13.

Message #24 received at 863870-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 863870-close@bugs.debian.org

Subject: Bug#863870: fixed in perl 5.24.1-3

Date: Thu, 01 Jun 2017 16:19:14 +0000

Source: perl
Source-Version: 5.24.1-3

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863870@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 01 Jun 2017 16:09:52 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.24 libperl-dev perl-modules-5.24 perl
Architecture: source
Version: 5.24.1-3
Distribution: unstable
Urgency: high
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description:
 libperl-dev - Perl library: development files
 libperl5.24 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.24 - Core Perl modules
Closes: 863870
Changes:
 perl (5.24.1-3) unstable; urgency=high
 .
   * [CVE-2017-6512] Fix file permissions race condition in File-Path;
     patch from John Lightsey (Closes: #863870)
   * Also fix test logic in ExtUtils-MakeMaker required for the above
Checksums-Sha1:
 9cbad4c48884de4456f76fffc69220c95762a4db 2316 perl_5.24.1-3.dsc
 5faa1d3adc81fe75b682409cff77316d10357474 168260 perl_5.24.1-3.debian.tar.xz
Checksums-Sha256:
 7ebd421bbb9252f5c2ebd6d4cdd04174a58f51ff6bbe542215ca37104d82c51c 2316 perl_5.24.1-3.dsc
 a9ca981bb0fe9aea39d0f3e72d1ccf5a40378b8402002ac6e155ab568d0e9d24 168260 perl_5.24.1-3.debian.tar.xz
Files:
 e21b982373169ad46b0858696b1899c6 2316 perl standard perl_5.24.1-3.dsc
 3e8fc3b91b9cc20ed2c5a5effdcced3a 168260 perl standard perl_5.24.1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZMDwdAAoJEMAFfnFNaU+yQeQQALAcF45qASZEg/PUH9v2atGP
tBwPZS6ytYaBaOyhm5dM9HbJ6T41sDg7FjAAKxfc/6AgkOGlUmXyZNN+M5+JkRSA
5zNrt2F48rZfUEk9qB3QnipZ+pP0ChA+/vHTui4KI+5mR22EmsnNRkyVgBulM9lO
Ov2bKsqZAs/xMT2Cr6gA0+hgw+HjoWe3CpY6o+yjmP7ivmWGsjbeSYoAF0AtQsxe
LNm9YVytZ1RAPqqHeJyjClOwmIHUqrNzXPLuCPvhMKoItz9vcvHLeCvGaCYQr+KZ
R3lGS9c1h0HNWEGS60mZ88WsujUUwQpwNZnoC23FQE7GVlkFT25XDp9e4cjLy5lC
5DKo8HoyQbYEeieO+ZmraeOQDUabJb4zMuxTn8ygBLKj70HuM/fG097dW6iZ8gfZ
/NxhX/Q+cofsT2iOgrK2RuqpnbS1o5A5PfwZtiqnAs9pX1smvOUwPhjCAPwJjli4
IY3fOkUn/Q9f9yP0CGcP1RgtOmxI0Bm2rfRNHHhKqWvefu3BQl1TxM0sgBz9KVil
L4qptfegxJJs9nkd8aIwXSMCJ6rrwBCnn6h5vWQLtMF2ranpnASx2asVTM4euQT2
RMviEkfIvYh0R9FMWeaL3xqu/CMdgudsDOL1SVz1QetYU7tLncMv1175TtFWdJX4
RaZxj//KE+rSF6/GPv/H
=OOJQ
-----END PGP SIGNATURE-----

Message #29 received at 863870@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 863870@bugs.debian.org

Subject: Re: Bug#863870: perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]

Date: Thu, 1 Jun 2017 23:41:08 +0100

On Thu, Jun 01, 2017 at 10:41:56AM +0100, Dominic Hargreaves wrote:
> Similar to #286905, a new race condition has been reported in File-Path:
> 
> https://rt.cpan.org/Public/Bug/Display.html?id=121951
> 
> In the rmtree() and remove_tree() functions, the chmod()logic to make
> directories traversable can be abused to set the mode on an
> attacker-chosen file to an attacker-chosen value.  This is due to the
> time-of-check-to-time-of-use (TOCTTOU) race condition
> (https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
> stat() that decides the inode is a directory and the chmod() that tries
> to make it user-rwx.
> 
> Fixed on CPAN with 2.13.

I've uploaded a fix to sid. As evidenced by the additional patch I
included, and upstream's testing, one package out of the CPAN top 2000
was broken by the change: a test in ExtUtils::MakeMaker; see

https://github.com/Perl-Toolchain-Gang/ExtUtils-MakeMaker/pull/294

Given the potential for other code to be affected, we are running a
rebuild of all perl rdeps with the new package. The results are available here:

http://perl.debian.net/rebuild-logs/experimental/report.html

(ignore everything with a date older than today).

Assuming that no breakage that we can't live with is found, I'll file
an unblock request.

Work on jessie is still ongoing.

Dominic.

Message #34 received at 863870-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 863870-close@bugs.debian.org

Subject: Bug#863870: fixed in perl 5.26.0-1

Date: Mon, 12 Jun 2017 01:03:49 +0000

Source: perl
Source-Version: 5.26.0-1

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863870@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Jun 2017 23:37:03 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.26 libperl-dev perl-modules-5.26 perl
Architecture: source
Version: 5.26.0-1
Distribution: experimental
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description:
 libperl-dev - Perl library: development files
 libperl5.26 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.26 - Core Perl modules
Closes: 863870
Changes:
 perl (5.26.0-1) experimental; urgency=medium
 .
   [ Niko Tyni ]
   * Make perl-base Break debconf (<< 1.5.61) due to POSIX::tmpnam() usage.
     (See #863071)
 .
   [ Dominic Hargreaves ]
   * Remove /etc/perl/sitecustomize.pl as the interpreter's initial @INC
     no longer contains '.'
   * Revert local patch setting sitecustomize path
   * Merged 5.24.1-3 from unstable:
     + [CVE-2017-6512] Fix file permissions race condition in File-Path;
       patch from John Lightsey (Closes: #863870)
     + Also fix test logic in ExtUtils-MakeMaker required for the above
   * New upstream release
Checksums-Sha1:
 10ccdbeac544b9ccf942f007f5d2da92e0409ca5 2316 perl_5.26.0-1.dsc
 50f14ebdaa509ff5ef9b32ad388a1e6237c882dd 11961692 perl_5.26.0.orig.tar.xz
 9a631cff0d4ee230c6a0a5f0cb540646bda74be1 153132 perl_5.26.0-1.debian.tar.xz
Checksums-Sha256:
 8da1c2dd48622fbafb8b32f71b409b46b3bc2ec1965104c596a8a24786dfe865 2316 perl_5.26.0-1.dsc
 9bf2e3d0d72aad77865c3bdbc20d3b576d769c5c255c4ceb30fdb9335266bf55 11961692 perl_5.26.0.orig.tar.xz
 9dfee809fd268b1d2ca66c21457d7d2516c576aa0e75970604f5f0cff5f7592d 153132 perl_5.26.0-1.debian.tar.xz
Files:
 2cb66b3c2479e641f7d001c75eed6bb1 2316 perl standard perl_5.26.0-1.dsc
 8c6995718e4cb62188f0d5e3488cd91f 11961692 perl standard perl_5.26.0.orig.tar.xz
 919ff7f21cb79f0bc1f933fa9264f93f 153132 perl standard perl_5.26.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJZPeGcAAoJEMAFfnFNaU+yCe4P/3Xy52ZDDyg5178ihkASTy7E
/Tpu2n2wKExrf1vcteN7YzRYBnF9z0kiMXXAQ7Nhlzxj8bN2QfFcJl5j+Z94/rP3
GAps5JwfM5GrlEgc4abe43LpWYQ4BjIcdsE9PRAgnMCboIMQqETE/MBtA7f3Z3Sp
OR08cx1jyXJhIGTI9PY/lk0BrxbsO8vPRkpCgo/5J+H0gWvOZlomBCxcOCJjKtmY
95LTHRtxd5t4Ra3Ogsli5NVg/OU6DbP8DHd4FW4appZ9piXN6X9h40oIdLtF29/y
WhZVbOcD7XI3Ub4Hmt+0ACevxtjG5WQDATbI06mw2O8vZhHgKWt0pPocafuvuem/
qe4KK5LnZIvTzL97PeEyLxstfzmkgsOFqO9fFnzjUQzz7em0H7Fbb29WeNDzcZN7
9M30vfYxL0wQCvLgo1l7oDG1PR7Bvr2ZbWiGUNODMSQpVUe8rruCiPQ5UCvpQT0v
701J4zr1GQJvKuwNJd+q6x/eW1FzkJPYlukAgr33mH74gDdGpwjJ9yeVUfeg5ByX
K9Z89AaYAPDP+mgJg/N0Ay9Mb7c8nc7QJIUu3zeof5IAICQhripCgjN7OVDZ8beq
aX5npH0VHVXOxMhNKwRhE2buNT8ArXY0VbrAVjh46gpLLtFveW86hVp/J8ZI6vjV
+eB8FePqVN1GCvlBAEpj
=dkU4
-----END PGP SIGNATURE-----

Message #39 received at 863870-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 863870-close@bugs.debian.org

Subject: Bug#863870: fixed in perl 5.20.2-3+deb8u7

Date: Mon, 12 Jun 2017 18:02:10 +0000

Source: perl
Source-Version: 5.20.2-3+deb8u7

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863870@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Jun 2017 13:11:53 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u7
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 863870
Description: 
 libperl5.20 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes:
 perl (5.20.2-3+deb8u7) jessie-security; urgency=high
 .
   * [CVE-2017-6512] Fix file permissions race condition in File-Path;
     patch from John Lightsey (Closes: #863870)
   * Also fix test logic in ExtUtils-MakeMaker required for the above
Checksums-Sha1: 
 85aa2fd0cc9d5a63f47f31ae7026ef7d36510be7 2324 perl_5.20.2-3+deb8u7.dsc
 c768a8ade4b984ab76cccf0d29d2fe1d2e867941 150676 perl_5.20.2-3+deb8u7.debian.tar.xz
 7fd92cd9ff20c3b77b31bf7b5c3925d69ea83c32 7345710 perl-doc_5.20.2-3+deb8u7_all.deb
 5f3c41e0dfe8f3182910020c32b94a19ef693180 2546608 perl-modules_5.20.2-3+deb8u7_all.deb
 22a8fb2eb2fb2a4fd9a47c521107bf0851fba3bb 1227242 perl-base_5.20.2-3+deb8u7_amd64.deb
 070eb899a563bba702d4c8a059d61b3fd4eb7d02 4484114 perl-debug_5.20.2-3+deb8u7_amd64.deb
 bc05767443bc8dd06ee605015939133d77c16a7f 1354 libperl5.20_5.20.2-3+deb8u7_amd64.deb
 4af9575361689a82a5ba47a63e43a12d24dda5e9 2144054 libperl-dev_5.20.2-3+deb8u7_amd64.deb
 9167cdac7db030266afd74a25457e78708d301dc 2631362 perl_5.20.2-3+deb8u7_amd64.deb
Checksums-Sha256: 
 f073cef0fa155c02dc84cc2d70477ea467142c4cd2b298874e960210592a519a 2324 perl_5.20.2-3+deb8u7.dsc
 645fd8fd5470f9b2570f75956e03afaee0b2f769cbc66f7fd71b98777e9e3798 150676 perl_5.20.2-3+deb8u7.debian.tar.xz
 10e31601de91d454a012ebfb65f8c2391334c17937b8334940329162e87f1224 7345710 perl-doc_5.20.2-3+deb8u7_all.deb
 4e9c1d96f557005fd71625d2ba061d9701047557f454eb0a4ec3989dba8c663b 2546608 perl-modules_5.20.2-3+deb8u7_all.deb
 b74abf873885167725d221129eb2583402b4715de033029a542f73c1b590d0b2 1227242 perl-base_5.20.2-3+deb8u7_amd64.deb
 825508d391dbd85e1367e50d7945d8694d736ec220d68a233b475942aff2dc7b 4484114 perl-debug_5.20.2-3+deb8u7_amd64.deb
 568876f3b20261c45715ab298ab279a41a67d19fe455290b924f850a9bce2243 1354 libperl5.20_5.20.2-3+deb8u7_amd64.deb
 fca2f44f54ca2f1fb09a57ef22b5f152066686a82d482ad02bde90495219cc77 2144054 libperl-dev_5.20.2-3+deb8u7_amd64.deb
 662366ec4e5de23c88e36ed415e86da073d5b519088b5765c895cffbbdaae129 2631362 perl_5.20.2-3+deb8u7_amd64.deb
Files: 
 19da000b2a8bf074fff6af5149fe5f38 2324 perl standard perl_5.20.2-3+deb8u7.dsc
 2341c7ae6a80a12374108a8736eb7d12 150676 perl standard perl_5.20.2-3+deb8u7.debian.tar.xz
 192b8252f96a5a03bbe075b8df761917 7345710 doc optional perl-doc_5.20.2-3+deb8u7_all.deb
 d6390333ef67a4f5cb3780906d02ab78 2546608 perl standard perl-modules_5.20.2-3+deb8u7_all.deb
 830ec0021db5e005868e92a1e988f7fb 1227242 perl required perl-base_5.20.2-3+deb8u7_amd64.deb
 45eafe8a3fb6fc8fccfb4ffefb3f1355 4484114 debug extra perl-debug_5.20.2-3+deb8u7_amd64.deb
 e1b819f595edd4100f389c9e47134fe4 1354 libs optional libperl5.20_5.20.2-3+deb8u7_amd64.deb
 49be7d89b874b3738195a1b749d3a784 2144054 libdevel optional libperl-dev_5.20.2-3+deb8u7_amd64.deb
 e3472f95894e5f778a9f4635a4e5225d 2631362 perl standard perl_5.20.2-3+deb8u7_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJZM+LqAAoJEMAFfnFNaU+yPicP/iCUnUjmFSSE8ruL/aWsASRn
QoWXH2ZNnD9A7xj1Sn5ksivc7tg2wcZhKBl475kf53wwwwfx4uDGuD0KxzRmowax
R5rxVnyNgmsFAD9YI7rTdhy8W7HD3xqrhu2SH8ACWmW8FydeHFrDQsYnVzywjIDp
SGriABO0MpEQO6qT2tfzd49wlLbWdx52hPWJL1fZv0JfDV53P2Um17qqYOqj1SOZ
iJCyhRXmdxinyRQhsByMZbaUMWMEaTxnmoQ2O4Tiw6nIccBHSevTumDaluNfh7EJ
CfbLmmTWYFei0ok1Fkmf7O3Bp+ZXDukl4PmkYKSLeDrPOIfOiwQakd0FF0Y6myDS
Pd0eRFHyOgD5FvuWvVyX+woZ4DrS/vukS4DKutYmc/SK8ZC8VmrvmRivEKSfMXSU
i9EiAkLUhGwRjKtFl2h42lgzQB7kVA9mqPRYDGsqhU85mF1usBBORuOWmuEAOf1j
ZOrGkZQNCYlv6tmEMKqJ5NWBJ8POMRqxAAx8+zVfeOQdjp0kOyuT+CwyNl8+lHsh
+pR4/Eag8SNwxJJHxOwDBj9JM5MUzSt84jWGgp1JcDxhJTI9fqi21ZIKASLsHohQ
J47H83DfClOddAkjZNRi2kRqeBO7M2xe9GGCW0jSlwDQWjrJh9Bb29fV85wm4N9y
IaU8eS7BEnLDoHHXMvKk
=b2w/
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.