Security: Insecure use of temporary files in Perl
Insecure use of temporary files in Perl
201709-12
Gentoo
Not specified
Mon, 18 September 2017, 09:09
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6512
Original message
Gentoo Linux Security Advisory GLSA 201709-12
https://security.gentoo.org/
Severity: Normal
Title: Perl: Race condition vulnerability
Date: September 17, 2017
Bugs: #620304
ID: 201709-12
Synopsis
A vulnerability in the File::Path module for Perl allows local attackers
to set arbitrary mode values on arbitrary files, bypassing security
restrictions.
Background
The File::Path module provides a convenient way to create directories of
arbitrary depth and to delete an entire directory subtree from the
filesystem.
Affected packages
    Package                  Vulnerable     Unaffected
  1 dev-lang/perl            < 5.24.1-r2    >= 5.24.1-r2
  2 perl-core/File-Path      < 2.130.0      >= 2.130.0
  3 virtual/perl-File-Path   < 2.130.0      >= 2.130.0
3 affected packages
Description
A race condition, discovered by the cPanel Security Team, exists in the
rmtree and remove_tree functions of the File-Path module before 2.13 for
Perl. It is a time-of-check-to-time-of-use (TOCTOU) race between the
stat() that decides the inode is a directory and the chmod() that then
tries to make it user-rwx: the path is looked up twice, so the object
chmod() acts on need not be the one stat() examined.
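The stat()/chmod() race described above, shown as an added C example that is not code from File::Path or Gentoo: the racy look-up-twice shape next to a hardened variant that opens the directory once with O_NOFOLLOW|O_DIRECTORY and then uses fstat()/fchmod() on the descriptor, so there is no second path lookup. The scratch tree under /tmp (directory "d", file "f", symlink "lnk") is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy shape described in the advisory: the path is looked up twice, by
 * stat() and again by chmod(). If the directory is swapped for a symlink
 * between the two calls, chmod() follows the link and changes the mode of
 * whatever the link points to. */
int racy_chmod_dir(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return chmod(path, 0700);             /* second lookup, follows symlinks */
}

/* Hardened shape: one lookup that refuses to follow a symlink (O_NOFOLLOW)
 * or to open a non-directory (O_DIRECTORY); fstat() and fchmod() then act
 * on the inode already opened, so there is no second lookup to redirect. */
int safe_chmod_dir(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int rc = (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode)) ? fchmod(fd, 0700) : -1;
    close(fd);
    return rc;
}

/* Permission bits of the object at path (following symlinks), or -1. */
int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Constructed scratch tree under /tmp: directory "d" (0500), file "f" (0600)
 * and symlink "lnk" -> "f". Fills the caller's path buffers; 0 on success. */
int make_scratch(char *dir, char *file, char *link, size_t n) {
    char base[] = "/tmp/glsa-demo-XXXXXX";
    if (!mkdtemp(base)) return -1;
    snprintf(dir, n, "%s/d", base);
    snprintf(file, n, "%s/f", base);
    snprintf(link, n, "%s/lnk", base);
    if (mkdir(dir, 0500) != 0) return -1;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return (fd >= 0 && close(fd) == 0 && symlink("f", link) == 0) ? 0 : -1;
}
```

safe_chmod_dir() succeeds on the real directory but returns -1 on the symlink (ELOOP from O_NOFOLLOW) and on the regular file (ENOTDIR from O_DIRECTORY), leaving the file's mode untouched.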
Impact
A local attacker could exploit this condition to set arbitrary mode
values on arbitrary files and hence bypass security restrictions.
Workaround
There is no known workaround at this time.
Resolution
All Perl users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"
All File-Path users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"
All Perl-File-Path users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"
References
[ 1 ] CVE-2017-6512
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6512
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201709-12
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
