[<prev] [next>] [<thread-prev] [month] [year] [list]
Date: Tue, 2 Dec 2008 13:51:21 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com
Cc: jlieskov@...hat.com, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request - cups, dovecot-managesieve, perl,
wireshark
Steven, *, good day.
Mon, Dec 01, 2008 at 11:36:45AM -0500, Steven M. Christey wrote:
> Regarding the Perl issues: as seen in this list and elsewhere, there seems
> to be a ton of confusion about which CVE's were originally fixed (or not),
> and which CVE's have since reappeared (or not), and which versions of Perl
> and File::Path are or are not affected, plus Eygene's commentary on other
> race conditions.
It seems to me that the original issue for the 'setuid' stuff was
not completely fixed in Perl 5.8.4: it misses the stanza 'if
$force_writable' at the second chmod (this is from virgin perl-5.8.5):
-----
chmod 0777, $root
or carp "Can't make directory $root writeable: $!"
if $force_writeable;
print "rmdir $root\n" if $verbose;
if (rmdir $root) {
++$count;
}
else {
carp "Can't remove directory $root: $!";
chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
or carp("and can't restore permissions to "
. sprintf("0%o",$rp) . "\n");
}
-----
This is in line with the Niko Tyni's patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=36;filename=sid_fix_file_path;att=2;bug=286922
So perl >= 5.8 <= 5.8.8 seems to be affected too.
--
Eygene
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux