Perl File::Path::rmtree insecure permissions

perl-filepathrmtree-insecure-permissions (18650). Risk level: Medium

Description:

Perl (Practical Extraction and Reporting Language) is vulnerable to a race condition that could allow a local attacker to obtain sensitive information. When an attempt to remove a file or directory fails, the File::Path::rmtree function changes that entry's permissions insecurely instead of leaving them alone or tightening them, which can leave the file or directory world-readable and world-writable.
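The following Perl script is an added illustration of the defensive side of this issue; it is not code from X-Force or from the Perl project. It removes a tree with rmtree in "safe" mode (the documented legacy rmtree($dirs, $verbose, $safe) form, which current File::Path still accepts) so that rmtree never touches permissions on failure, then audits whatever survived for world-writable mode bits and tightens those entries to owner-only access. The sample tree it builds inside a temporary directory is constructed for the demonstration; the directory is made read-only so that the unlink fails, which is exactly the failure path the description above refers to.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or the Perl project): remove a tree with
# rmtree in safe mode, then audit the leftovers for world-writable modes and
# tighten them to owner-only. Assumes the legacy rmtree($dirs, $verbose, $safe)
# signature, which File::Path documents and still accepts.
use strict;
use warnings;
use File::Path qw(rmtree);
use File::Find;
use File::Temp qw(tempdir);
use Fcntl ':mode';

# Remove $dir without letting rmtree chmod anything it cannot delete.
# Returns the list of paths that survived the removal attempt.
sub safe_remove {
    my ($dir) = @_;
    rmtree($dir, 0, 1);                 # $safe = 1: no permission changes on failure
    return leftovers($dir);
}

# Every path still present under $dir (including $dir itself), deepest first.
sub leftovers {
    my ($dir) = @_;
    return () unless -l $dir || -e $dir;
    my @paths;
    find({ no_chdir => 1, bydepth => 1,
           wanted => sub { push @paths, $File::Find::name } }, $dir);
    return @paths;
}

# Paths whose mode grants "other" write access. Symlinks are skipped because
# their own mode bits carry no meaning on most systems.
sub world_writable {
    my @hits;
    for my $p (@_) {
        my @st = lstat $p or next;
        next if S_ISLNK($st[2]);
        push @hits, $p if $st[2] & S_IWOTH;
    }
    return @hits;
}

# Tighten leftover entries to owner-only access: 0700 for directories,
# 0600 for files. This is the opposite of the 0777/0666 behaviour the
# advisory describes, and it also makes a retry of the removal possible.
sub harden {
    for my $p (@_) {
        next if -l $p;
        chmod((-d $p ? 0700 : 0600), $p) or warn "chmod $p: $!\n";
    }
}

# Demonstration on a constructed directory tree inside a temporary directory.
my $root   = tempdir();
my $locked = "$root/locked";
mkdir $locked or die "mkdir: $!";
open my $fh, '>', "$locked/secret.txt" or die "open: $!";
print $fh "constructed sample data\n";
close $fh;
chmod 0500, $locked;                    # not writable: unlink of the file will fail

my @left = safe_remove($root);          # rmtree warns about the failed unlink
print "left behind after rmtree: @left\n";
my @ww = world_writable(@left);
print @ww ? "world-writable leftovers: @ww\n" : "no world-writable leftovers\n";

harden(@left);                          # owner-only, never world-accessible
rmtree($root, 0, 1);                    # second attempt now succeeds
print -e $root ? "cleanup failed\n" : "cleanup complete\n";
```

Run as an unprivileged user, the first rmtree call emits a "Permission denied" warning for secret.txt, the audit reports no world-writable entries (the directory stays 0500 because safe mode never chmods), and the second removal succeeds after harden() has made the directory 0700. Run as root the first removal already succeeds and the leftover list is empty. The audit function is the part worth keeping around on a system still running an affected perl: it can be pointed at any temporary or spool directory to find entries that an earlier failed rmtree left world-writable.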


Consequences:

Obtain Information

Remedy:

For Ubuntu Linux:
Upgrade to the latest perl-modules package (5.8.4-2ubuntu0.2 or later), as listed in USN-44-1 (December 21, 2004). See References.

For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest perl package (5.6.1-8.8 or later), as listed in DSA-620-1. See References.

For Gentoo Linux:
Upgrade to the latest version of libextractor (0.5.0 or later), as listed in Gentoo Linux Security Announcement GLSA 200506-06. See References.

For Gentoo Linux (perl):
Refer to Gentoo Linux Security Announcement GLSA 200501-38 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux:
Refer to RHSA-2005:103-04 or RHSA-2005:105-11 for patch, upgrade, or suggested workaround information. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2005.001 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • CIAC Information Bulletin P-086: Perl Insecure Temporary Files/Directories.
  • BID-12072: Perl RMTree Local Race Condition Vulnerability
  • CVE-2004-0452: Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.
  • DSA-1678: perl -- design flaws
  • DSA-620: perl -- insecure temporary files / directories
  • GLSA-200501-38: Perl: rmtree and DBI tmpfile vulnerabilities
  • MDKSA-2005:031: Updated perl packages fix multiple vulnerabilities
  • OpenPKG-SA-2005.001: Perl File::Path
  • RHSA-2005-103: perl security update
  • RHSA-2005-105: perl security update
  • SA12991: Perl Multiple Scripts Insecure Temporary File Creation Vulnerabilities
  • SA55314: Oracle Solaris Perl Multiple Vulnerabilities
  • SUSE-SR:2005:004: SUSE Security Summary Report

Platforms Affected:

  • Canonical Ubuntu 4.10
  • Debian Debian Linux 3.0
  • Debian Debian Linux 3.1
  • Debian Debian Linux 4.0
  • Gentoo Linux
  • Larry Wall Perl
  • MandrakeSoft Mandrake Linux 10.0 AMD64
  • MandrakeSoft Mandrake Linux 10.0
  • MandrakeSoft Mandrake Linux 10.1
  • MandrakeSoft Mandrake Linux 10.1 X86_64
  • MandrakeSoft Mandrake Linux 9.2 AMD64
  • MandrakeSoft Mandrake Linux 9.2
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
  • MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 3.0
  • MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
  • OpenPKG OpenPKG 2.1
  • OpenPKG OpenPKG 2.2
  • OpenPKG OpenPKG CURRENT
  • RedHat Enterprise Linux 3 Desktop
  • RedHat Enterprise Linux 3 ES
  • RedHat Enterprise Linux 3 AS
  • RedHat Enterprise Linux 3 WS
  • RedHat Enterprise Linux 4 Desktop
  • RedHat Enterprise Linux 4 ES
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 WS
  • Turbolinux Turbolinux 10 Desktop
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux 10 Server
  • Turbolinux Turbolinux 7 Server
  • Turbolinux Turbolinux 7 Workstation
  • Turbolinux Turbolinux 8 Server
  • Turbolinux Turbolinux 8 Workstation
  • Turbolinux Turbolinux Home
  • Turbolinux Turbolinux Appliance Server 1.0 Hosting Ed
  • Turbolinux Turbolinux Appliance Server 1.0 Workgroup Ed

Reported:

Dec 21, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com