This queue is for tickets about the File-Path CPAN distribution.

Report information
The Basics
Id: 121951
Status: open
Priority: 0/
Queue: File-Path

People
Owner: Nobody in particular
Requestors: jkeenan [...] pobox.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Attachments
0001-Prevent-directory-chmod-race-attack.patch



Subject: Vulnerability in rmtree() and remove_tree(): CVE-2017-6512
Date: Wed, 31 May 2017 19:47:12 -0400
To: bug-File-Path [...] rt.cpan.org
From: James E Keenan <jkeenan [...] pobox.com>
This ticket will serve as a placeholder for public discussion of a security vulnerability in File-Path originally reported by the cPanel Security Team on February 28 2017. This vulnerability has been assigned the following ID: CVE-2017-6512

In the rmtree() and remove_tree() functions, the chmod() logic to make directories traversable can be abused to set the mode on an attacker-chosen file to an attacker-chosen value. This is due to the time-of-check-to-time-of-use (TOCTTOU) race condition (https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx.

The vulnerability has been addressed with the upload to CPAN of File-Path version 2.13.

We will use this RT, among other things, to record links to web pages where this vulnerability is discussed or addressed.

Thank you very much.
Jim Keenan
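The safe pattern behind the fix Jim describes, acting on the directory's inode rather than on its name, as an added example; this is neither File::Path's own code nor the patch attached to this ticket. It assumes a POSIX system where open() on a directory and chmod() on a filehandle (fchmod(2)) both work, as they do on Linux; the function name loosen_dir_mode and the temporary tree it builds are invented for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not File::Path's code: loosen a directory's mode by acting
# on its inode (fchmod on an open handle) instead of on its path name, so a
# name swapped between the check and the chmod cannot redirect the chmod.
use strict;
use warnings;
use Fcntl ':mode';
use File::Spec;
use File::Temp qw(tempdir);

# Returns 1 if the directory is now user-rwx, 0 if the entry is not the
# directory we lstat()ed (wrong type, or swapped out between lstat() and
# open()), undef if chmod() itself failed or is unsupported on handles.
sub loosen_dir_mode {
    my ($path) = @_;

    # 1. lstat() the name: type, mode and identity (dev, ino) of the entry
    #    itself, never of a symlink target.
    my @lst = lstat $path or return 0;
    return 0 unless S_ISDIR($lst[2]);
    my ($ldev, $lino) = @lst[0, 1];
    my $perm  = $lst[2] & 07777;
    my $nperm = $perm | 0700;
    return 1 if $nperm == $perm;          # already user-rwx, nothing to do

    # 2. Open the directory and stat() the handle. Every later operation
    #    refers to this inode, whatever the path names by now.
    open my $fh, '<', $path or return 0;  # needs read permission on the dir
    my @fst = stat $fh or return 0;
    if ($fst[0] != $ldev || $fst[1] != $lino || !S_ISDIR($fst[2])) {
        close $fh;                         # name was swapped: refuse
        return 0;
    }

    # 3. chmod() on a handle is fchmod(2): there is no path left to redirect.
    #    Perl dies instead on platforms without fchmod(), hence the eval.
    my $changed = eval { chmod $nperm, $fh };
    close $fh;
    return $changed ? 1 : undef;
}

# Demonstration on a constructed temporary tree (deleted at exit).
my $tmp = tempdir(CLEANUP => 1);

my $dir = File::Spec->catdir($tmp, 'readonly');
mkdir $dir, 0400 or die "mkdir $dir: $!";
printf "%s: before %04o", $dir, (lstat $dir)[2] & 07777;
my $r = loosen_dir_mode($dir);
printf ", after %04o, result %s\n", (lstat $dir)[2] & 07777, $r // 'undef';

# A symlink placed under a directory-looking name is refused at the lstat()
# step, because lstat() reports the link itself, not what it points to.
my $link = File::Spec->catfile($tmp, 'not_a_dir');
if (eval { symlink($tmp, $link) }) {
    printf "%s: result %s (symlink, not touched)\n",
        $link, loosen_dir_mode($link) // 'undef';
}
```

lstat() supplies the expected (dev, ino) pair and stat() on the open handle supplies the actual one; the two must agree before the handle is used for anything. If the name was replaced in between, the handle refers to whatever the new name resolves to, the comparison fails, and no chmod() is issued at all. Run as-is on Linux it prints the mode going from 0400 to 0700 with result 1, and result 0 for the symlink.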
I've attached what I believe to be the original patch from John Lightsey, taken from https://github.com/jkeenan/File-Path/commits/2.13
Subject: 0001-Prevent-directory-chmod-race-attack.patch
From e5ef95276ee8ad471c66ee574a5d42552b3a6af2 Mon Sep 17 00:00:00 2001 From: John Lightsey <john@nixnuts.net> Date: Tue, 2 May 2017 12:03:52 -0500 Subject: [PATCH] Prevent directory chmod race attack. CVE-2017-6512 is a race condition attack where the chmod() of directories that cannot be entered is misused to change the permissions on other files or directories on the system. This has been corrected by limiting the directory-permission loosening logic to systems where fchmod() is supported. --- lib/File/Path.pm | 39 +++++++++++++++++++++++++-------------- t/Path.t | 42 +++++++++++++++++++++++++++--------------- 2 files changed, 52 insertions(+), 29 deletions(-) diff --git a/lib/File/Path.pm b/lib/File/Path.pm index c7d7eb8..7fc44c6 100644 --- a/lib/File/Path.pm +++ b/lib/File/Path.pm @@ -400,21 +400,32 @@ sub _rmtree { # see if we can escalate privileges to get in # (e.g. funny protection mask such as -w- instead of rwx) - $perm &= oct '7777'; - my $nperm = $perm | oct '700'; - if ( - !( - $data->{safe} - or $nperm == $perm - or chmod( $nperm, $root ) - ) - ) - { - _error( $data, - "cannot make child directory read-write-exec", $canon ); - next ROOT_DIR; + # This uses fchmod to avoid traversing outside of the proper + # location (CVE-2017-6512) + my $root_fh; + if (open($root_fh, '<', $root)) { + my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1]; + $perm &= oct '7777'; + my $nperm = $perm | oct '700'; + local $@; + if ( + !( + $data->{safe} + or $nperm == $perm + or !-d _ + or $fh_dev ne $ldev + or $fh_inode ne $lino + or eval { chmod( $nperm, $root_fh ) } + ) + ) + { + _error( $data, + "cannot make child directory read-write-exec", $canon ); + next ROOT_DIR; + } + close $root_fh; } - elsif ( !chdir($root) ) { + if ( !chdir($root) ) { _error( $data, "cannot chdir to child", $canon ); next ROOT_DIR; } diff --git a/t/Path.t b/t/Path.t index 25a06f1..29d4e48 100644 --- a/t/Path.t +++ b/t/Path.t 
@@ -3,7 +3,7 @@ use strict; -use Test::More tests => 168; +use Test::More tests => 167; use Config; use Fcntl ':mode'; use lib './t'; @@ -26,6 +26,13 @@ BEGIN { my $Is_VMS = $^O eq 'VMS'; +my $fchmod_supported = 0; +if (open my $fh, curdir()) { + my ($perm) = (stat($fh))[2]; + $perm &= 07777; + eval { $fchmod_supported = chmod( $perm, $fh); }; +} + # first check for stupid permissions second for full, so we clean up # behind ourselves for my $perm (0111,0777) { @@ -307,16 +314,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check"); is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef"); -$dir = catdir($tmp_base,'G'); -$dir = VMS::Filespec::unixify($dir) if $Is_VMS; +SKIP: { + skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported; + $dir = catdir($tmp_base,'G'); + $dir = VMS::Filespec::unixify($dir) if $Is_VMS; -@created = mkpath($dir, undef, 0200); + @created = mkpath($dir, undef, 0400); -is(scalar(@created), 1, "created write-only dir"); + is(scalar(@created), 1, "created read-only dir"); -is($created[0], $dir, "created write-only directory cross-check"); + is($created[0], $dir, "created read-only directory cross-check"); -is(rmtree($dir), 1, "removed write-only dir"); + is(rmtree($dir), 1, "removed read-only dir"); +} # borderline new-style heuristics if (chdir $tmp_base) { 
@@ -458,26 +468,28 @@ SKIP: { } SKIP : { - my $skip_count = 19; + my $skip_count = 18; # this test will fail on Windows, as per: # http://perldoc.perl.org/perlport.html#chmod skip "Windows chmod test skipped", $skip_count if $^O eq 'MSWin32'; + skip "fchmod() on directories is not supported on this platform", $skip_count + unless $fchmod_supported; my $mode; my $octal_mode; my @inputs = ( - 0777, 0700, 0070, 0007, - 0333, 0300, 0030, 0003, - 0111, 0100, 0010, 0001, - 0731, 0713, 0317, 0371, 0173, 0137, - 00 ); + 0777, 0700, 0470, 0407, + 0433, 0400, 0430, 0403, + 0111, 0100, 0110, 0101, + 0731, 0713, 0317, 0371, + 0173, 0137); my $input; my $octal_input; - $dir = catdir($tmp_base, 'chmod_test'); foreach (@inputs) { $input = $_; + $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input)); # We can skip from here because 0 is last in the list. skip "Mode of 0 means assume user defaults on VMS", 1 if ($input == 0 && $Is_VMS); @@ -489,7 +501,7 @@ SKIP : { skip "permissions are not fully supported by the filesystem", 1 if (($^O eq 'MSWin32' || $^O eq 'cygwin') && ((Win32::FsType())[1] & 8) == 0); is($octal_mode,$input, "create a new directory with chmod $input ($octal_input)"); - } + } rmtree( $dir ); } } -- 2.1.4
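Review bot: In the lib/File/Path.pm hunk (@@ -400,21) the new `open($root_fh, '<', $root)` requires read permission on the directory, so a directory with a mode such as -w- no longer gets its permissions loosened: the open fails, the whole chmod block is skipped, and control falls straight into `if ( !chdir($root) )`, which then reports "cannot chdir to child" instead of the permission problem. The unchanged comment just above ("funny protection mask such as -w- instead of rwx") is therefore stale and should be rewritten, and the behaviour change deserves a sentence in the commit message. Two smaller points on the same block: a dev/inode mismatch (`$fh_dev ne $ldev or $fh_inode ne $lino`, with `$ldev`/`$lino` defined outside the visible lines) also falls through silently to the chdir rather than calling `_error`, which would be the clearer place to report that the entry changed under us; and on a perl without fchmod() the `eval { chmod( $nperm, $root_fh ) }` returns undef, which the surrounding `!( ... )` turns into the "cannot make child directory read-write-exec" error, whereas the commit message describes the loosening logic as merely limited to fchmod platforms. If the intent is to skip the loosening and still attempt the chdir there, the eval failure needs to be told apart from a genuine chmod failure.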
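Review bot: The `$fchmod_supported` probe in the t/Path.t @@ -26,6 hunk uses two-argument `open my $fh, curdir()`, while the library code it is probing for uses the three-argument form `open($root_fh, '<', $root)`; using `open my $fh, '<', curdir()` here exercises exactly the call the fix relies on and avoids two-arg open's interpretation of the filename. The probe also folds three outcomes (open failed, chmod died for lack of fchmod, chmod returned 0) into `$fchmod_supported = 0`, which is fine for a skip flag but worth a one-line comment so nobody later "fixes" it.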
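Review bot: The @@ -307,16 hunk replaces the write-only fixture (`mkpath($dir, undef, 0200)`) with a read-only one (`0400`) and relabels the three assertions, which quietly drops the case the old test existed for: rmtree() on a directory the user cannot read. Since the fix changes what happens for such a directory (it can no longer be opened for the fchmod), keeping a test that asserts whatever the new behaviour is for a 0200 directory would document the regression rather than hide it, and the change should be mentioned in the commit message or Changes entry.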
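Review bot: In the @@ -458,26 hunk the `00` entry is removed from `@inputs`, but the lines right after it still read `# We can skip from here because 0 is last in the list.` and `skip "Mode of 0 means assume user defaults on VMS", 1 if ($input == 0 && $Is_VMS);`, which are now dead code under a misleading comment; drop both with the entry. The replacement modes (0070 to 0470, 0007 to 0407, 0333 to 0433, and so on) all add the user-read bit, which is the real reason for the edit (the directory must be readable to be opened for fchmod); a comment on `@inputs` saying so would save the next reader from reverse-engineering it.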
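Review bot: The @@ -489,7 hunk is a whitespace-only change to a closing brace and could be left out of the patch, but the context it exposes matters: `rmtree( $dir );` runs once after the `foreach` loop, and since the @@ -458,26 hunk now assigns `$dir` a different `chmod_test%04o` name on every iteration, only the directory from the last mode is removed unless the elided part of the loop body cleans up each one. Moving `rmtree( $dir )` inside the loop, or removing the whole set at the end, keeps the test from leaving `chmod_test0777` and friends behind in `$tmp_base`.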
On Wed May 31 20:27:12 2017, JKEENAN wrote:
Tracking in RedHat Linux: https://bugzilla.redhat.com/show_bug.cgi?id=1457832