GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Mon Sep 18, 2017 2:26 am Post subject: [ GLSA 201709-12 ] Perl
Gentoo Linux Security Advisory
Title: Perl: Race condition vulnerability (GLSA 201709-12)
Severity: normal
Exploitable: local
Date: 2017-09-17
Bug(s): #620304
ID: 201709-12
Synopsis
A vulnerability in module File::Path for Perl allows local
attackers to set arbitrary mode values on arbitrary files bypassing
security restrictions.
Background
File::Path module provides a convenient way to create directories of
arbitrary depth and to delete an entire directory subtree from the
filesystem.
Affected Packages
Package: dev-lang/perl
Vulnerable: < 5.24.1-r2
Unaffected: >= 5.24.1-r2
Architectures: All supported architectures
Package: perl-core/File-Path
Vulnerable: < 2.130.0
Unaffected: >= 2.130.0
Architectures: All supported architectures
Package: virtual/perl-File-Path
Vulnerable: < 2.130.0
Unaffected: >= 2.130.0
Architectures: All supported architectures
Description
A race condition exists in the rmtree and remove_tree functions of the
File-Path module before 2.13 for Perl, discovered by the cPanel Security
Team. It is a time-of-check-to-time-of-use (TOCTOU) window between the
stat() that decides an inode is a directory and the chmod() that tries to
make it user-rwx: because chmod() operates on the path name rather than on
the inode that was checked, an attacker who replaces that directory with a
symbolic link inside the window has the new mode applied to whatever the
link points at.
Impact
A local attacker could exploit this condition to set arbitrary mode
values on arbitrary files and hence bypass security restrictions.
Workaround
There is no known workaround at this time.
Resolution
All Perl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"

All File-Path users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"

All Perl-File-Path users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"
References
CVE-2017-6512
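The Description above names the bug class but not what it looks like in code. The script below is an added illustration, not File::Path's own code and not the upstream fix that shipped in 2.13: it shows the vulnerable stat()/chmod()-by-path shape beside a handle-based variant that closes the window, and drives both deterministically by running the attacker's directory-to-symlink swap from a constructed `$race` hook at the exact point where another process would otherwise be scheduled. It assumes a Linux or BSD perl where Fcntl exports O_DIRECTORY and O_NOFOLLOW and where chmod() accepts a filehandle (fchmod(2)); the victim file, directory names and hook are constructed for the demo.

```perl
#!/usr/bin/env perl
# Added illustration of the CVE-2017-6512 bug class; not File::Path code.
# Assumes Linux/BSD: Fcntl provides O_DIRECTORY/O_NOFOLLOW and perl's
# chmod() accepts a filehandle (fchmod(2)).
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_DIRECTORY O_NOFOLLOW);
use File::Spec;
use File::Temp qw(tempdir);

# Vulnerable shape: the check (lstat) and the use (chmod) both go through
# the path name. $race is a constructed hook standing in for "another
# process gets the CPU here"; it makes the window deterministic.
sub make_dir_rwx_by_path {
    my ($path, $race) = @_;
    my @st = lstat $path or return 0;
    return 0 unless -d _;              # time of check: inode is a directory
    $race->() if $race;                # the window
    my $mode = $st[2] & 07777;
    return chmod($mode | 0700, $path) ? 1 : 0;   # time of use: path resolved again
}

# Hardened shape: bind to the directory once, then act on the handle.
# O_NOFOLLOW refuses a symlink at open time, O_DIRECTORY refuses a plain
# file, and chmod on the handle is fchmod(2), which cannot be redirected
# by renaming or replacing the path afterwards.
sub make_dir_rwx_by_handle {
    my ($path, $race) = @_;
    sysopen(my $dh, $path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW) or return 0;
    $race->() if $race;                # same window, now harmless
    my @st = stat $dh or return 0;     # fstat on the open handle
    my $mode = $st[2] & 07777;
    return chmod($mode | 0700, $dh) ? 1 : 0;
}

sub mode_of {
    my @s = stat $_[0] or return 'gone';
    return sprintf '%04o', $s[2] & 07777;
}

# Constructed scenario: a 0600 "victim" file the attacker must not be able
# to chmod, and a directory the privileged code is about to clean up.
my $root   = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($root, 'victim');
my $dir    = File::Spec->catdir($root, 'tree');
open my $fh, '>', $victim or die "$victim: $!";
close $fh;
chmod 0600, $victim;

# The attacker's move: replace the checked directory with a symlink to the victim.
my $swap = sub {
    rmdir $dir            or die "rmdir $dir: $!";
    symlink $victim, $dir or die "symlink: $!";
};

mkdir $dir or die "mkdir $dir: $!";
my $before = mode_of($victim);
make_dir_rwx_by_path($dir, $swap);
printf "path-based:   victim was %s, now %s (chmod followed the symlink)\n",
    $before, mode_of($victim);

# Reset and repeat with the handle-based version: the swap still happens,
# but fchmod hits the directory inode that was opened, not the victim.
unlink $dir or die "unlink $dir: $!";
chmod 0600, $victim;
mkdir $dir or die "mkdir $dir: $!";
my $ok = make_dir_rwx_by_handle($dir, $swap);
printf "handle-based: returned %d, victim still %s\n", $ok, mode_of($victim);

# If the swap lands before the open, O_NOFOLLOW makes sysopen fail instead.
my $ok2 = make_dir_rwx_by_handle($dir);   # $dir is the symlink by now
printf "handle-based on a symlink: returned %d (refused to open)\n", $ok2;
```

Run it as an unprivileged user; in the first case the victim's mode becomes whatever the directory's mode bits were, which is exactly the "arbitrary mode values on arbitrary files" in the Impact section. The handle-based variant is one general mitigation for this TOCTOU class (open once with O_NOFOLLOW, then use handle-relative calls); File::Path 2.13's actual change should be read from its Changes file rather than inferred from this example.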