Likely affected: any unstable/testing system that has 'debsums' installed Possibly affected: any unstable/testing system Today a Debian Testing Security Announcement [1] was published describing an issue where files may have gotten world readable/writable/executable permissions due to a bug in perl 5.10. As not everybody reads DTSAs, it seems proper to give this issue a bit wider publication. The issue was first spotted by Joey Hess and myself for terminfo files from the ncurses-base package [2] and traced to debsums being run by APT during post-install. From there, Ben Hutchings traced it to a bug in the function File::Path::rmtree in perl 5.10. So far the issue has only been confirmed for the use of File::Path::rmtree in debsums, but in theory any program using that function can result in files with incorrect permissions. Although the cause of the bug has now been fixed, many systems may still have files with incorrect permissions around and thus be vulnerable to attack. Checking if your systems are affected is strongly recommended. Please see the DTSA [1] for further details. Just to be clear: systems running stable (etch) are NOT affected. [1]http://lists.debian.org/debian-testing-security-announce/2008/06/msg00016.html [2]http://lists.debian.org/debian-devel/2008/06/msg00543.html http://bugs.debian.org/487319
Attachment:
signature.asc
Description: This is a digitally signed message part.