[gentoo-announce] [ GLSA 201709-12 ] Perl: Race condition vulnerability - gentoo-announce

From:	Aaron Bauman <bman@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201709-12 ] Perl: Race condition vulnerability
Date:	Sun, 17 Sep 2017 19:30:17
Message-Id:	`4333513.QLSqFa2OKk@localhost.localdomain`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201709-12

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: Perl: Race condition vulnerability

9

     Date: September 17, 2017

10

     Bugs: #620304

11

       ID: 201709-12

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability in module File::Path for Perl allows local attackers to

19

set arbitrary mode values on arbitrary files bypassing security

20

restrictions.

21

22

Background

23

==========

24

25

File::Path module provides a convenient way to create directories of

26

arbitrary depth and to delete an entire directory subtree from the

27

filesystem.

28

29

Affected packages

30

=================

31

32

    -------------------------------------------------------------------

33

     Package              /     Vulnerable     /            Unaffected

34

    -------------------------------------------------------------------

35

  1  dev-lang/perl              < 5.24.1-r2              >= 5.24.1-r2 

36

  2  perl-core/File-Path         < 2.130.0                 >= 2.130.0 

37

  3  virtual/perl-File-Path      < 2.130.0                 >= 2.130.0 

38

    -------------------------------------------------------------------

39

     3 affected packages

40

41

Description

42

===========

43

44

A race condition occurs within concurrent environments. This condition

45

was discovered by The cPanel Security Team in the rmtree and

46

remove_tree functions in the File-Path module before 2.13 for Perl.

47

This is due to the  time-of-check-to-time-of-use (TOCTOU) race

48

condition between the stat() that decides the inode is a directory and

49

the chmod() that tries to make it user-rwx.

50

51

Impact

52

======

53

54

A local attacker could exploit this condition to set arbitrary mode

55

values on arbitrary files and hence bypass security restrictions.

56

57

Workaround

58

==========

59

60

There is no known workaround at this time.

61

62

Resolution

63

==========

64

65

All Perl users should upgrade to the latest version:

66

67

  # emerge --sync

68

  # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"

69

70

All File-Path users should upgrade to the latest version:

71

72

  # emerge --sync

73

  # emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"

74

75

All Perl-File-Path users should upgrade to the latest version:

76

77

  # emerge --sync

78

  # emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"

79

80

References

81

==========

82

83

[ 1 ] CVE-2017-6512

84

      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6512

85

86

Availability

87

============

88

89

This GLSA and any updates to it are available for viewing at

90

the Gentoo Security Website:

91

92

 https://security.gentoo.org/glsa/201709-12

93

94

Concerns?

95

=========

96

97

Security is a primary focus of Gentoo Linux and ensuring the

98

confidentiality and security of our users' machines is of utmost

99

importance to us. Any security concerns should be addressed to

100

security@g.o or alternatively, you may file a bug at

101

https://bugs.gentoo.org.

102

103

License

104

=======

105

106

Copyright 2017 Gentoo Foundation, Inc; referenced text

107

belongs to its owner(s).

108

109

The contents of this document are licensed under the

110

Creative Commons - Attribution / Share Alike license.

111

112

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201709-12
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Perl: Race condition vulnerability
9	Date: September 17, 2017
10	Bugs: #620304
11	ID: 201709-12
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability in module File::Path for Perl allows local attackers to
19	set arbitrary mode values on arbitrary files bypassing security
20	restrictions.
21
22	Background
23	==========
24
25	File::Path module provides a convenient way to create directories of
26	arbitrary depth and to delete an entire directory subtree from the
27	filesystem.
28
29	Affected packages
30	=================
31
32	-------------------------------------------------------------------
33	Package / Vulnerable / Unaffected
34	-------------------------------------------------------------------
35	1 dev-lang/perl < 5.24.1-r2 >= 5.24.1-r2
36	2 perl-core/File-Path < 2.130.0 >= 2.130.0
37	3 virtual/perl-File-Path < 2.130.0 >= 2.130.0
38	-------------------------------------------------------------------
39	3 affected packages
40
41	Description
42	===========
43
44	A race condition occurs within concurrent environments. This condition
45	was discovered by The cPanel Security Team in the rmtree and
46	remove_tree functions in the File-Path module before 2.13 for Perl.
47	This is due to the time-of-check-to-time-of-use (TOCTOU) race
48	condition between the stat() that decides the inode is a directory and
49	the chmod() that tries to make it user-rwx.
50
51	Impact
52	======
53
54	A local attacker could exploit this condition to set arbitrary mode
55	values on arbitrary files and hence bypass security restrictions.
56
57	Workaround
58	==========
59
60	There is no known workaround at this time.
61
62	Resolution
63	==========
64
65	All Perl users should upgrade to the latest version:
66
67	# emerge --sync
68	# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"
69
70	All File-Path users should upgrade to the latest version:
71
72	# emerge --sync
73	# emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"
74
75	All Perl-File-Path users should upgrade to the latest version:
76
77	# emerge --sync
78	# emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"
79
80	References
81	==========
82
83	[ 1 ] CVE-2017-6512
84	https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6512
85
86	Availability
87	============
88
89	This GLSA and any updates to it are available for viewing at
90	the Gentoo Security Website:
91
92	https://security.gentoo.org/glsa/201709-12
93
94	Concerns?
95	=========
96
97	Security is a primary focus of Gentoo Linux and ensuring the
98	confidentiality and security of our users' machines is of utmost
99	importance to us. Any security concerns should be addressed to
100	security@g.o or alternatively, you may file a bug at
101	https://bugs.gentoo.org.
102
103	License
104	=======
105
106	Copyright 2017 Gentoo Foundation, Inc; referenced text
107	belongs to its owner(s).
108
109	The contents of this document are licensed under the
110	Creative Commons - Attribution / Share Alike license.
111
112	http://creativecommons.org/licenses/by-sa/2.5