Your message dated Thu, 01 Jun 2017 16:19:14 +0000
with message-id <e1dgsoc-00099j...@fasolo.debian.org>
and subject line Bug#863870: fixed in perl 5.24.1-3
has caused the Debian Bug report #863870,
regarding perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512]
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl
Version: 5.26.0~rc1-1
Severity: critical
Justification: privilege escalation in library code

Similar to #286905, a new race condition has been reported in File-Path:

https://rt.cpan.org/Public/Bug/Display.html?id=121951

In the rmtree() and remove_tree() functions, the chmod() logic to make
directories traversable can be abused to set the mode on an
attacker-chosen file to an attacker-chosen value.  This is due to the
time-of-check-to-time-of-use (TOCTTOU) race condition
(https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
stat() that decides the inode is a directory and the chmod() that tries
to make it user-rwx.

Fixed on CPAN with 2.13.

--- End Message ---
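The stat-then-chmod race the report describes, shown beside a way of making a directory traversable that does not have it. This is an added example of mine, not File::Path's code or its 2.13 fix; it assumes Linux, where Fcntl exports O_NOFOLLOW and O_DIRECTORY and chmod on an open handle uses fchmod(2).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW O_DIRECTORY);
use File::Temp qw(tempdir);
use File::Spec;

# Racy shape (what the report describes): the check that $path is a
# directory and the chmod on $path are two separate path-based syscalls,
# so the chmod acts on whatever $path names by the time it runs.
sub make_traversable_racy {
    my ($path) = @_;
    return 0 unless -d $path;      # stat(): "this inode is a directory"
    return chmod 0700, $path;      # chmod(): resolves $path a second time
}

# Hardened shape (assumed approach, not File::Path's): open the directory
# itself with O_NOFOLLOW | O_DIRECTORY so the kernel refuses a symlink or a
# non-directory at the final component, then fstat and fchmod through the
# handle. The mode change is bound to the inode we opened, not to a path
# that can be re-pointed between the check and the use.
sub make_traversable_safe {
    my ($path) = @_;
    sysopen(my $dh, $path, O_RDONLY | O_NOFOLLOW | O_DIRECTORY)
        or return 0;               # ELOOP / ENOTDIR: refuse, no chmod at all
    return 0 unless -d $dh;        # fstat(2) on the handle, belt and braces
    my $ok = chmod 0700, $dh;      # fchmod(2): affects this inode only
    close $dh;
    return $ok;
}

# Constructed scenario: a real directory without user-rwx, and a symlink
# pointing at it. The safe variant fixes the real directory and refuses
# to act through the symlink at all.
my $work = tempdir(CLEANUP => 1);
my $dir  = File::Spec->catdir($work, 'sub');
my $link = File::Spec->catdir($work, 'alias');
mkdir $dir, 0500 or die "mkdir: $!";
symlink $dir, $link or die "symlink: $!";

printf "safe on real dir: %d, mode now %04o\n",
    make_traversable_safe($dir), (stat $dir)[2] & 07777;
my $via_link = make_traversable_safe($link);
printf "safe on symlink:  %d%s\n", $via_link, $via_link ? '' : " ($!)";
```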
--- Begin Message ---
Source: perl
Source-Version: 5.24.1-3

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 01 Jun 2017 16:09:52 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.24 libperl-dev perl-modules-5.24 perl
Architecture: source
Version: 5.24.1-3
Distribution: unstable
Urgency: high
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description:
 libperl-dev - Perl library: development files
 libperl5.24 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.24 - Core Perl modules
Closes: 863870
Changes:
 perl (5.24.1-3) unstable; urgency=high
 .
   * [CVE-2017-6512] Fix file permissions race condition in File-Path;
     patch from John Lightsey (Closes: #863870)
   * Also fix test logic in ExtUtils-MakeMaker required for the above
Checksums-Sha1:
 9cbad4c48884de4456f76fffc69220c95762a4db 2316 perl_5.24.1-3.dsc
 5faa1d3adc81fe75b682409cff77316d10357474 168260 perl_5.24.1-3.debian.tar.xz
Checksums-Sha256:
 7ebd421bbb9252f5c2ebd6d4cdd04174a58f51ff6bbe542215ca37104d82c51c 2316 perl_5.24.1-3.dsc
 a9ca981bb0fe9aea39d0f3e72d1ccf5a40378b8402002ac6e155ab568d0e9d24 168260 perl_5.24.1-3.debian.tar.xz
Files:
 e21b982373169ad46b0858696b1899c6 2316 perl standard perl_5.24.1-3.dsc
 3e8fc3b91b9cc20ed2c5a5effdcced3a 168260 perl standard perl_5.24.1-3.debian.tar.xz


--- End Message ---
