This queue is for tickets about the File-Path CPAN distribution.

Report information
The Basics
Id: 36982
Status: resolved
Priority: 0/
Queue: File-Path

People
Owner: dland [...] cpan.org
Requestors: david [...] landgren.net
ntyni [...] iki.fi
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 2.04
Fixed in: (no value)



Subject: rmtree() makes symlink targets world-writable
Hi,

as reported in <http://bugs.debian.org/487319>, when rmtree() encounters
a symlink, it will change the permissions of the link target to the
permissions of the link, usually 0777.

% touch foo
% ln -s foo bar
% ls -l foo bar
lrwxrwxrwx 1 niko niko 3 2008-06-21 09:06 bar -> foo
-rw-r--r-- 1 niko niko 0 2008-06-21 09:06 foo
% perl -e 'use File::Path rmtree; rmtree bar'
% ls -l foo bar
ls: cannot access bar: No such file or directory
-rwxrwxrwx 1 niko niko 0 2008-06-21 09:06 foo

This is with Perl 5.10.0, containing File-Path 2.04, but I have verified
it with the 2.06_04 CPAN version too.

There's a proposed patch by Ben Hutchings in the Debian report linked
above, please have a look.
--
Niko Tyni ntyni@debian.org

Subject: Re: [rt.cpan.org #36982]: rmtree() makes symlink targets world-writable
Date: Mon, 23 Jun 2008 21:43:49 +0300
To: Bugs in File-Path via RT <bug-File-Path [...] rt.cpan.org>
From: Niko Tyni <ntyni [...] debian.org>
On Sat, Jun 21, 2008 at 02:11:57AM -0400, Bugs in File-Path via RT wrote:
> as reported in <http://bugs.debian.org/487319>, when rmtree() encounters
> a symlink, it will change the permissions of the link target to the
> permissions of the link, usually 0777.

For the record, this has now been assigned a CVE id:

Name: CVE-2008-2827
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2827
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487319
Reference: MISC:http://rt.cpan.org/Public/Bug/Display.html?id=36982

The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly
check permissions before performing a chmod, which allows local users to
modify the permissions of arbitrary files via a symlink attack, a
different vulnerability than CVE-2005-0448 and CVE-2004-0452.

Sorry about the triplicate report on the p5p list, I wasn't aware the
CPAN ticket submissions get forwarded there too.
--
Niko Tyni ntyni@debian.org

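One way to guard a chmod against the behaviour reported above, where the link's own mode ends up applied to the link target. This is an added example, not code from File::Path or from anyone on this ticket; make_writable_nofollow() is a hypothetical helper name and the scratch files are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not File::Path code. make_writable_nofollow() is a
# hypothetical helper name.
use strict;
use warnings;
use Fcntl ':mode';            # S_ISLNK
use File::Temp qw(tempdir);

# Add owner read/write bits to $path unless $path itself is a symlink.
# Returns 1 if the mode is (now) writable, 0 if skipped as a symlink.
sub make_writable_nofollow {
    my ($path) = @_;
    my @st = lstat($path) or die "lstat $path: $!\n";  # the link, not its target
    return 0 if S_ISLNK($st[2]);    # chmod() would follow the link
    my $perm  = $st[2] & 07777;
    my $nperm = $perm | 0600;
    return 1 if $nperm == $perm;
    # Check and chmod are separate path lookups: this covers an existing
    # link, not one swapped in between the two calls.
    chmod($nperm, $path) or die "chmod $path: $!\n";
    return 1;
}

# Constructed demo in a scratch directory: foo is a 0440 file, bar -> foo.
my $dir = tempdir(CLEANUP => 1);
my ($foo, $bar) = ("$dir/foo", "$dir/bar");
open(my $fh, '>', $foo) or die "create $foo: $!\n";
close($fh);
chmod(0440, $foo) or die "chmod $foo: $!\n";
symlink('foo', $bar) or die "symlink $bar: $!\n";

my $before   = (stat $foo)[2] & 07777;
my $skipped  = make_writable_nofollow($bar) ? 'no' : 'yes';
my $via_link = (stat $foo)[2] & 07777;     # mode of foo after the call on bar
make_writable_nofollow($foo);              # direct call on the real file
my $direct   = (stat $foo)[2] & 07777;     # mode of foo after the direct call

printf "link mode (lstat)     %04o\n", (lstat $bar)[2] & 07777;
printf "target before         %04o\n", $before;
printf "after call on link    %04o (skipped: %s)\n", $via_link, $skipped;
printf "after call on target  %04o\n", $direct;
```
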
CC: perl5-porters [...] perl.org, bug-File-Path [...] rt.cpan.org
Subject: Re: File::Path::rmtree makes symlink targets world-writable
Date: Mon, 23 Jun 2008 21:56:33 +0200
To: Niko Tyni <ntyni [...] debian.org>
From: David Landgren <david [...] landgren.net>
Niko Tyni wrote, some time around 21/06/2008 08:58:
> Hi p5p,
>
> as reported in <http://bugs.debian.org/487319> and
> <http://rt.cpan.org/Public/Bug/Display.html?id=36982>, when
> File::Path::rmtree() encounters a symlink, it will change the permissions
> of the link target to the permissions of the link, usually 0777. This is
> obviously a Bad Thing with security implications. The 'safe' parameter
> doesn't seem to help here.
>
> There's a proposed patch by Ben Hutchings in the Debian report. The bug
> is present (at least) in File-Path-2.04, in both 5.10.0 and blead.

Just to follow up for the list (not quite sure how to CC: RT@perl.org
but I've taken the ticket there), I'll have a fix for this in 2.07. The
latter is currently stalled for lack of tuits; I've fixed up the new/old
interface issues for mkpath(), now I just have to do the same for rmtree().

I'm just slightly curious: this problem must have always been present in
previous versions, the essence of the rmtree() function remains the
same, I only added an alternate error reporting channel into the code.

If someone can find the time to prove or disprove that this behaviour
has crept in since 2.x it would be of great help. That will allow me to
figure out if code needs to be added or removed/reverted...

Thanks,
David
--
stubborn tiny lights vs. clustering darkness forever ok?

Attached is the patch with test case I've applied to ActivePerl to fix this.
commit 678079171cdf9cb8f6c2cfe937949f08d644ef81 Author: Gisle Aas <gisle@aas.no> Date: Sat Jul 26 11:05:52 2008 +0200 rmtree symlink attack CVE-2004-0452 diff --git a/MANIFEST b/MANIFEST index f58018c..1366f97 100644 --- a/MANIFEST +++ b/MANIFEST @@ -7,6 +7,7 @@ Path.pm README TODO eg/setup-extra-tests +t/CVE-2008-2827.t t/Path.t t/pod.t t/taint.t diff --git a/Path.pm b/Path.pm index 5508b4e..f2c99ea 100644 --- a/Path.pm +++ b/Path.pm @@ -359,9 +359,9 @@ sub _rmtree { next ROOT_DIR; } - my $nperm = $perm & 07777 | 0600; - if ($nperm != $perm and not chmod $nperm, $root) { - if ($Force_Writeable) { + if ($Force_Writeable) { + my $nperm = $perm & 07777 | 0600; + if ($nperm != $perm and not chmod $nperm, $root) { _error($arg, "cannot make file writeable", $canon); } } diff --git a/t/CVE-2008-2827.t b/t/CVE-2008-2827.t new file mode 100644 index 0000000..19fa451 --- /dev/null +++ b/t/CVE-2008-2827.t @@ -0,0 +1,39 @@ +#!perl -w + +# Test case derived from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487319 + +my $foo = "foo-$$"; +my $bar = "bar-$$"; + +die "Not clean [$foo] [$bar]" if -e $foo || -e $bar; + +eval { + symlink($foo, $bar) || die "Can't symlink $foo --> $bar"; +}; +if ($@) { + print "1..0 # Skipped: Only systems that can do symlinks are affected\n"; + print "$@\n"; + exit; +} + +use Test; +plan tests => 5; + +umask(0027); + +# touch foo +open(my $fh, ">", $foo) || die "Can't create $foo\n"; +close($fh); + +my $m = (stat $foo)[2]; +ok(defined $m); + +require File::Path; +ok(File::Path::rmtree($bar)); +ok(!-e $bar); + +# If the mode of $foo changed as a result of removing $bar then we are vulnerable +ok($m, (stat $foo)[2]); + +unlink($foo); +ok(!-e $foo);
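
Review bot: The commit subject cites CVE-2004-0452, while the test file this commit adds is named t/CVE-2008-2827.t and its header comment points at Debian bug 487319. The subject line should name CVE-2008-2827 so the commit can be found under the identifier of the issue it addresses.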
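
Review bot: In the Path.pm hunk at _rmtree, the `chmod $nperm, $root` call is still reached whenever $Force_Writeable is true, and nothing in these lines checks that $root is not a symlink first, so with that flag set the chmod would still act on a link's target. Consider guarding the branch, for example `if ($Force_Writeable and not -l $root)`, or add a comment stating where earlier in the function the symlink case is excluded.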
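
Review bot: In t/CVE-2008-2827.t, any failure after the symlink() call (the `die "Can't create $foo\n"` path, or rmtree() not removing $bar) leaves $foo or $bar behind in the current directory, and the next run then stops at "Not clean". An `END { unlink $bar, $foo }` block would cover that. The mode comparison also only exercises whichever value $Force_Writeable has on the machine running the test, so the branch that still calls chmod is not covered where that flag is false.
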
On Sat Jul 26 05:11:41 2008, GAAS wrote:
> Attached is the patch with test case I've applied to ActivePerl to fix
> this.

Thanks Niko, Gisle - this issue has been affecting me too. Security nightmare come true! Fortunately we caught it before releasing to production.

Cheers,
-Steve

On Sat Jun 21 02:11:56 2008, ntyni@iki.fi wrote:
> Hi,
>
> as reported in <http://bugs.debian.org/487319>, when rmtree() encounters
> a symlink, it will change the permissions of the link target to the
> permissions of the link, usually 0777.
>
> % touch foo
> % ln -s foo bar
> % ls -l foo bar
> lrwxrwxrwx 1 niko niko 3 2008-06-21 09:06 bar -> foo
> -rw-r--r-- 1 niko niko 0 2008-06-21 09:06 foo
> % perl -e 'use File::Path rmtree; rmtree bar'
> % ls -l foo bar
> ls: cannot access bar: No such file or directory
> -rwxrwxrwx 1 niko niko 0 2008-06-21 09:06 foo
>
> This is with Perl 5.10.0, containing File-Path 2.04, but I have verified
> it with the 2.06_04 CPAN version too.
>
> There's a proposed patch by Ben Hutchings in the Debian report linked
> above, please have a look.

Hello,

I must apologise for this problem and the grief it caused. It was a case of refactoring that went wrong. I have fixed this up as per the original Debian bug report and it is available in version 2.06_07, which will soon become 2.07.

Thanks,
David

Fixed in 2.07. Thanks, David

