P-086: Perl Insecure Temporary Files/Directories

P-086: Perl Insecure Temporary Files/Directories Privacy and Legal Notice INFORMATION BULLETIN P-086: Perl Insecure Temporary Files/Directories [DSA-620-1 perl -- insecure temporary files / directories] January 3, 2005 20:00 GMT
[REVISED 22 Feb 2005]


PROBLEM:	A vulnerability was discovered in the rmtree function in File::Path module in Perl 5.6.1 and 5.8.4. Also vulnerabilities in multiple scripts may allow a symlink attack on temporary files.
PLATFORM:	Perl 5.6.1, 5.8.4 Debian GNU/Linux 3.0 (woody) Red Hat Desktop (v. 4) Red Hat Enterprise Linux AS, ES, WS (v. 4)
DAMAGE:	A race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, allowing local users to delete files and directories and possible read files and directories via a symlink attack. Multiple scripts in the Perl package allow local users to overwrite files via a symlink attack on temporary files.
SOLUTION:	Apply the available security updates.

VULNERABILITY ASSESSMENT:	The risk is LOW. Symlink attacks are typically difficult to exploit.

LINKS:
CIAC BULLETIN:	http://www.ciac.org/ciac/bulletins/p-086.shtml
ORIGINAL BULLETIN:	http://www.debian.org/security/2004/dsa-620
ADDITIONAL LINK:	Red Hat Security Advisory RHSA-2005:103-04 https://rhn.redhat.com/errata/RHSA-2005-103.html
CVE/CAN:	http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2004-0452, CAN-2004-0976

REVISION HISTORY: 02/22/2005 - revised to add a link to Red Hat Security Advisory RHSA-2005:103-04 for Red Hat Desktop (v. 4) and Red Hat Enterprise Linux AS, ES, WS (v. 4). [***** Start DSA-620-1 perl -- insecure temporary files / directories *****] Debian Security Advisory DSA-620-1 perl -- insecure temporary files / directories Date Reported: 30 Dec 2004 Affected Packages: perl Vulnerable: Yes Security database references: In Mitre's CVE dictionary: CAN-2004-0452, CAN-2004-0976. More information: Several vulnerabilities have been discovered in Perl, the popular scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: CAN-2004-0452 Jeroen van Wolffelaar discovered that the rmtree() function in the File::Path module removes directory trees in an insecure manner which could lead to the removal of arbitrary files and directories through a symlink attack. CAN-2004-0976 Trustix developers discovered several insecure uses of temporary files in many modules which allow a local attacker to overwrite files via a symlink attack. For the stable distribution (woody) these problems have been fixed in version 5.6.1-8.8. For the unstable distribution (sid) these problems have been fixed in version 5.8.4-5. We recommend that you upgrade your perl packages. Fixed in: Debian GNU/Linux 3.0 (woody)

Source:: http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8.dsc; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8.diff.gz; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.8_all.deb; http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.8_all.deb; http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.8_all.deb
Alpha:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_arm.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_i386.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_mips.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_s390.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.8_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.8_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.8_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.8_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.8_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.8_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

[***** End DSA-620-1 perl -- insecure temporary files / directories *****]

CIAC wishes to acknowledge the contributions of Debian for the information contained in this bulletin.

DOE-CIRC can be contacted at:

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/