[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[security] Incorrect file permissions due to (now fixed) perl 5.10 issue

Likely affected: any unstable/testing system that has 'debsums' installed
Possibly affected: any unstable/testing system

Today a Debian Testing Security Announcement [1] was published describing 
an issue where files may have gotten world readable/writable/executable 
permissions due to a bug in perl 5.10. As not everybody reads DTSAs, it 
seems proper to give this issue a bit wider publication.

The issue was first spotted by Joey Hess and myself for terminfo files 
from the ncurses-base package [2] and traced to debsums being run by APT 
during post-install. From there, Ben Hutchings traced it to a bug in the 
function File::Path::rmtree in perl 5.10.

So far the issue has only been confirmed for the use of File::Path::rmtree 
in debsums, but in theory any program using that function can result in 
files with incorrect permissions.

Although the cause of the bug has now been fixed, many systems may still 
have files with incorrect permissions around and thus be vulnerable to 
attack. Checking if your systems are affected is strongly recommended.

Please see the DTSA [1] for further details.

Just to be clear: systems running stable (etch) are NOT affected.


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: