Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Gentoo: GLSA-201709-12 Normal: Perl Race Condition Threat

gentoo
Calendar Grey September 17, 2017
Dist Gentoo Esm H88
Critical notice for Gentoo Linux regarding a security flaw in Perl's File::Path module due to a concurrency issue. Immediate upgrade is advised.
A vulnerability in module File::Path for Perl allows local attackers to set arbitrary mode values on arbitrary files bypassing security restrictions

Summary

A race condition occurs within concurrent environments. This condition was discovered by The cPanel Security Team in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl. This is due to the time-of-check-to-time-of-use (TOCTOU) race condition between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx.

Resolution

All Perl users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"
All File-Path users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"
All Perl-File-Path users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"

References

[ 1 ] CVE-2017-6512 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6512

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201709-12
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Perl: Race condition vulnerability
Date: September 17, 2017
Bugs: #620304
ID: 201709-12

Synopsis

A vulnerability in module File::Path for Perl allows local attackers to set arbitrary mode values on arbitrary files bypassing security restrictions.

Background

File::Path module provides a convenient way to create directories of arbitrary depth and to delete an entire directory subtree from the filesystem.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/perl < 5.24.1-r2 >= 5.24.1-r2 2 perl-core/File-Path < 2.130.0 >= 2.130.0 3 virtual/perl-File-Path < 2.130.0 >= 2.130.0 ------------------------------------------------------------------- 3 affected packages

Impact

===== A local attacker could exploit this condition to set arbitrary mode values on arbitrary files and hence bypass security restrictions.

Workaround

There is no known workaround at this time.