Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 2 Dec 2008 13:51:21 +0300
From: Eygene Ryabinkin <>
Cc:, "Steven M. Christey" <>
Subject: Re: CVE Request - cups, dovecot-managesieve, perl,

Steven, *, good day.

Mon, Dec 01, 2008 at 11:36:45AM -0500, Steven M. Christey wrote:
> Regarding the Perl issues: as seen in this list and elsewhere, there seems
> to be a ton of confusion about which CVE's were originally fixed (or not),
> and which CVE's have since reappeared (or not), and which versions of Perl
> and File::Path are or are not affected, plus Eygene's commentary on other
> race conditions.

It seems to me that the original issue for the 'setuid' stuff was
not completely fixed in Perl 5.8.4: it misses the stanza 'if
$force_writable' at the second chmod (this is from virgin perl-5.8.5):
            chmod 0777, $root
              or carp "Can't make directory $root writeable: $!"
                if $force_writeable;
            print "rmdir $root\n" if $verbose;
            if (rmdir $root) {
            else {
                carp "Can't remove directory $root: $!";
                chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
                    or carp("and can't restore permissions to "
                            . sprintf("0%o",$rp) . "\n");
This is in line with the Niko Tyni's patch:;filename=sid_fix_file_path;att=2;bug=286922

So perl >= 5.8 <= 5.8.8 seems to be affected too.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.