From: James E Keenan
To: perl@freebsd.org
Subject: Perl extension File-Path: vulnerability in two functions: CVE-2017-6512
Date: Wed, 31 May 2017 20:04:51 -0400

A vulnerability has been reported in Perl extension File-Path (http://search.cpan.org/dist/File-Path/) versions 2.12 and earlier.

In the rmtree() and remove_tree() functions, the chmod() logic to make directories traversable can be abused to set the mode on an attacker-chosen file to an attacker-chosen value. This is due to the time-of-check-to-time-of-use (TOCTTOU) race condition (https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx.

This vulnerability was reported by the cPanel Security Team. It has been assigned the following CVE ID:

CVE-2017-6512

CPAN versions 2.13 and later incorporate a patch to address this problem.
As File-Path is an extension distributed with the Perl 5 core distribution, you are encouraged to upgrade your Perl package to include File-Path 2.13 or later.

For further (public) discussion of this issue I have opened a ticket in the File-Path bug tracker:

https://rt.cpan.org/Ticket/Display.html?id=121951

You can contribute to this discussion either through the web interface or by email to bug-File-Path@rt.cpan.org, including the following string in the Subject line:

[rt.cpan.org #121951]

This is the first time I have had to report a security vulnerability, so I don't claim to fully grasp the protocol for making such a report. If there is a better email address or other way to make this report, please let me know.

Thank you very much.

James E Keenan
CPAN ID: JKEENAN
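
The check-then-use pattern described in the advisory, next to a descriptor-based variant, as an added example that is not File-Path's code and not its 2.13 patch. It is written in Python for a POSIX system; the function names, the `between` hook that stands in for the race window, and the temporary files are all constructed for illustration.

```python
import os, stat, tempfile

def chmod_check_then_use(path, mode, between=None):
    """Racy pattern: lstat() decides by name, chmod() acts by name later."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if between:            # constructed hook: stands in for the race window
        between()
    os.chmod(path, mode)   # re-resolves the name and follows symlinks
    return True

def chmod_by_descriptor(path, mode, between=None):
    """Open once, then check and change the same inode through the descriptor."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:        # symlink, non-directory or unreadable: refuse
        return False
    try:
        if between:
            between()
        if not stat.S_ISDIR(os.fstat(fd).st_mode):
            return False
        os.fchmod(fd, mode)  # applies to the opened inode, whatever the name is now
        return True
    finally:
        os.close(fd)

def demo(fix):
    """Return the unrelated file's final mode after a simulated swap."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.txt")   # constructed sample file
        target = os.path.join(root, "subdir")       # directory being made traversable
        open(victim, "w").close()
        os.chmod(victim, 0o600)
        os.mkdir(target)
        def swap():        # the name changes meaning between check and use
            os.rmdir(target)
            os.symlink(victim, target)
        fix(target, 0o700, between=swap)
        return stat.S_IMODE(os.stat(victim).st_mode)

if __name__ == "__main__":
    print(oct(demo(chmod_check_then_use)), oct(demo(chmod_by_descriptor)))
```

The descriptor variant refuses a directory it cannot open for reading instead of falling back to a chmod() by name, so it trades some of the "make it traversable" behaviour for the guarantee that the checked inode is the one changed.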