Perl extension File-Path: vulnerability in two functions: CVE-2017-6512
James E Keenan
jkeenan at pobox.com
Thu Jun 1 00:09:26 UTC 2017
A vulnerability has been reported in Perl extension File-Path
(http://search.cpan.org/dist/File-Path/) versions 2.12 and earlier.
In the rmtree() and remove_tree() functions, the chmod() logic to make
directories traversable can be abused to set the mode on an
attacker-chosen file to an attacker-chosen value. This is due to the
time-of-check-to-time-of-use (TOCTTOU) race condition
(https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
stat() that decides the inode is a directory and the chmod() that tries
to make it user-rwx.
This vulnerability was reported by the cPanel Security Team. It has
been assigned the following CVE ID:
CVE-2017-6512
CPAN versions 2.13 and later incorporate a patch to address this
problem. As File-Path is an extension distributed with the Perl 5 core
distribution, you are encouraged to upgrade your Perl package to include
File-Path 2.13 or later.
For further (public) discussion of this issue I have opened a ticket in
the File-Path bug tracker:
https://rt.cpan.org/Ticket/Display.html?id=121951
You can contribute to this discussion either through the web interface
or by email to bug-File-Path at rt.cpan.org, including the following string
in the Subject line:
[rt.cpan.org #121951]
This is the first time I have had to report a security vulnerability, so
I don't claim to fully grasp the protocol for making such a report. If
there is a better email address or other way to make this report, please
let me know.
Thank you very much.
James E Keenan
CPAN ID: JKEENAN
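
The stat()/chmod() race described in the advisory, as an added Perl example that is not File-Path's own code and not part of the original message: the first function resolves the path twice, the second opens it once and changes the mode through the handle only after confirming the handle is the inode that was checked. The function names and the temporary directory are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Racy pattern: the path is looked up twice, so whatever it names can be
# swapped between the lstat() check and the chmod() that acts on it.
sub make_traversable_racy {
    my ($path) = @_;
    my $mode = ( lstat $path )[2];
    return 0 unless defined $mode && S_ISDIR($mode);
    return chmod( ( $mode & 07777 ) | 0700, $path );    # second lookup by name
}

# Handle-based form: open once, compare device and inode of the handle with
# the values from lstat(), then chmod the handle (fchmod) instead of the name.
# Fails closed if the directory cannot be opened for reading.
sub make_traversable_checked {
    my ($path) = @_;
    my ( $dev, $ino, $mode ) = ( lstat $path )[ 0, 1, 2 ];
    return 0 unless defined $mode && S_ISDIR($mode);

    open( my $fh, '<', $path ) or return 0;
    my ( $fdev, $fino, $fmode ) = ( stat $fh )[ 0, 1, 2 ];
    return 0
      unless defined $fmode
      && S_ISDIR($fmode)
      && $fdev eq $dev
      && $fino eq $ino;

    return chmod( ( $fmode & 07777 ) | 0700, $fh );     # acts on the checked inode
}

# Constructed sample: a directory the owner cannot write to, and a plain file.
my $tmp = tempdir( CLEANUP => 1 );
my $dir = "$tmp/locked";
mkdir $dir or die "mkdir: $!";
chmod 0500, $dir or die "chmod: $!";
open( my $out, '>', "$tmp/plain" ) or die "open: $!";
close $out;

printf "before: %04o\n", ( stat $dir )[2] & 07777;
printf "directory changed: %d\n", make_traversable_checked($dir);
printf "after:  %04o\n", ( stat $dir )[2] & 07777;
printf "plain file changed: %d\n", make_traversable_checked("$tmp/plain");
```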