Date: Wed, 31 May 2017 20:04:51 -0400
From: James E Keenan <jkeenan@pobox.com>
To: perl@freebsd.org
Subject: Perl extension File-Path: vulnerability in two functions: CVE-2017-6512
Message-ID: <bea10dd0-fe1d-9c44-1b5d-92e872cb64cb@pobox.com>

A vulnerability has been reported in Perl extension File-Path (http://search.cpan.org/dist/File-Path/) versions 2.12 and earlier.

In the rmtree() and remove_tree() functions, the chmod() logic to make directories traversable can be abused to set the mode on an attacker-chosen file to an attacker-chosen value. This is due to the time-of-check-to-time-of-use (TOCTTOU) race condition (https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx.

This vulnerability was reported by the cPanel Security Team. It has been assigned the following CVE ID:

CVE-2017-6512

CPAN versions 2.13 and later incorporate a patch to address this problem. As File-Path is an extension distributed with the Perl 5 core distribution, you are encouraged to upgrade your Perl package to include File-Path 2.13 or later.

For further (public) discussion of this issue I have opened a ticket in the File-Path bug tracker:

https://rt.cpan.org/Ticket/Display.html?id=121951

You can contribute to this discussion either through the web interface or by email to bug-File-Path@rt.cpan.org, including the following string in the Subject line:

[rt.cpan.org #121951]

This is the first time I have had to report a security vulnerability, so I don't claim to fully grasp the protocol for making such a report. If there is a better email address or other way to make this report, please let me know.

Thank you very much.

James E Keenan
CPAN ID: JKEENAN
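
The stat()-then-chmod() pattern described in the message above, next to a descriptor-based variant, as an added Python example; it is not File-Path's code and not the 2.13 patch. The function names, the `window` hook that stands in for the race window, and the temporary files are constructed for illustration (POSIX only).

```python
import os
import stat
import tempfile

def chmod_racy(path, window=None):
    """Check-then-use by path, the pattern the advisory describes."""
    st = os.lstat(path)                    # time of check
    if not stat.S_ISDIR(st.st_mode):
        return False
    if window:
        window()                           # constructed stand-in for the race window
    # Time of use: the path is resolved again, and chmod() follows symlinks.
    os.chmod(path, stat.S_IMODE(st.st_mode) | 0o700)
    return True

def chmod_pinned(path, window=None):
    """Check and change one inode through a single descriptor."""
    # O_NOFOLLOW rejects a symlink, O_DIRECTORY rejects a non-directory.
    # Caveat: open() needs read permission on the directory.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if window:
            window()
        os.fchmod(fd, stat.S_IMODE(st.st_mode) | 0o700)
    finally:
        os.close(fd)
    return True

def demo(fn):
    """Swap the path inside the window; return (mode of other file, mode of directory)."""
    with tempfile.TemporaryDirectory() as top:
        d, moved, other = (os.path.join(top, n) for n in ("d", "d.moved", "other"))
        os.mkdir(d)
        os.chmod(d, 0o555)
        with open(other, "w"):
            pass
        os.chmod(other, 0o600)

        def swap():                        # the path now names something else
            os.rename(d, moved)
            os.symlink(other, d)

        fn(d, swap)
        return (stat.S_IMODE(os.stat(other).st_mode),
                stat.S_IMODE(os.stat(moved).st_mode))
```

`demo(chmod_racy)` returns `(0o755, 0o555)`: the unrelated file received the directory's mode bits. `demo(chmod_pinned)` returns `(0o600, 0o755)`; note that O_NOFOLLOW guards only the final path component.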