Gentoo Forums
[ GLSA 201709-12 ] Perl
Author: GLSA
Posted: Mon Sep 18, 2017 2:26 am    Post subject: [ GLSA 201709-12 ] Perl

Gentoo Linux Security Advisory

Title: Perl: Race condition vulnerability (GLSA 201709-12)
Severity: normal
Exploitable: local
Date: 2017-09-17
Bug(s): #620304
ID: 201709-12

Synopsis

A vulnerability in the File::Path module for Perl allows local
attackers to set arbitrary mode values on arbitrary files, bypassing
security restrictions.


Background

The File::Path module provides a convenient way to create directories of
arbitrary depth and to delete an entire directory subtree from the
filesystem.


Affected Packages

Package: dev-lang/perl
Vulnerable: < 5.24.1-r2
Unaffected: >= 5.24.1-r2
Architectures: All supported architectures

Package: perl-core/File-Path
Vulnerable: < 2.130.0
Unaffected: >= 2.130.0
Architectures: All supported architectures

Package: virtual/perl-File-Path
Vulnerable: < 2.130.0
Unaffected: >= 2.130.0
Architectures: All supported architectures


Description

A race condition occurs within concurrent environments. The cPanel
Security Team discovered it in the rmtree and remove_tree functions of
the File-Path module before 2.13 for Perl. It is a
time-of-check-to-time-of-use (TOCTOU) race between the stat() that
decides the inode is a directory and the chmod() that then tries to make
that path user-rwx: the chmod() acts on the path name, not on the inode
that was checked.


Impact

A local attacker could exploit this condition to set arbitrary mode
values on arbitrary files and hence bypass security restrictions.


Workaround

There is no known workaround at this time.

Resolution

All Perl users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"

All File-Path users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"

All Perl-File-Path users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"


References

CVE-2017-6512
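The Description above names the bug class but not the fix pattern. The following is an added Python illustration, not code from the advisory or from File::Path: it places the racy stat()-then-chmod()-by-name shape beside the descriptor-based shape that closes the window (open the directory with O_DIRECTORY|O_NOFOLLOW, then fstat()/fchmod() on the descriptor, so the check and the use refer to the same inode). The fixture directory, file and symlink are constructed for the demo.

```python
import errno
import os
import stat
import tempfile

def make_user_rwx_racy(path):
    """Vulnerable shape from the advisory: stat() checks the name, chmod()
    acts on the name; a swap between the two calls redirects the chmod."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    os.chmod(path, stat.S_IMODE(st.st_mode) | stat.S_IRWXU)
    return True

def make_user_rwx_safe(path):
    """Hardened shape: open with O_DIRECTORY|O_NOFOLLOW and act through the
    descriptor, which is pinned to one inode; check and use cannot diverge."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:
        # ELOOP/EMLINK: path is a symlink; ENOTDIR: not a directory.
        if exc.errno in (errno.ELOOP, errno.EMLINK, errno.ENOTDIR):
            return False
        raise
    try:
        st = os.fstat(fd)
        os.fchmod(fd, stat.S_IMODE(st.st_mode) | stat.S_IRWXU)
        return True
    finally:
        os.close(fd)

def demo():
    """Constructed fixture: a mode-0500 directory, a regular file and a
    symlink to the directory; returns what each variant does with them."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "sub")
    os.mkdir(sub, 0o500)
    plain = os.path.join(root, "plain.txt")
    open(plain, "w").close()
    link = os.path.join(root, "link")
    os.symlink(sub, link)
    return {
        "safe_dir": make_user_rwx_safe(sub),        # True; sub is now 0700
        "safe_file": make_user_rwx_safe(plain),     # False: ENOTDIR
        "safe_symlink": make_user_rwx_safe(link),   # False: O_NOFOLLOW
        "racy_symlink": make_user_rwx_racy(link),   # True: followed the link
        "dir_mode": stat.S_IMODE(os.stat(sub).st_mode),   # 0o700
    }
```

The safe variant refuses symlinks and non-directories at the kernel boundary, which is what removes the window the advisory describes; the racy variant is kept only to show that it follows the link.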