Bug#1098226: perl: thread creation while a directory handle is open does a fchdir, affecting other threads
Control: reassign -1 perl 5.40.1-2
Control: retitle -1 perl: thread creation while a directory handle is open does a fchdir, affecting other threads (race condition)
Control: tags -1 security upstream
Control: severity -1 grave
Control: forwarded -1 https://github.com/Perl/perl5/issues/23010
This is a bug visible in the perl code, so I've just reported the bug
upstream.
(Not sure about the severity, but this can yield incorrect file
operations in the involved directory, which may be very problematic
if this directory is untrusted.)
On 2025-02-18 14:26:54 +0100, Vincent Lefevre wrote:
> Hmm... There's a fchdir in the strace output. If the current directory
> is global to the process, this could be an issue. I now really suspect
> a bug in perl.
Yes, thread creation does a chdir when a directory handle is open.
As the current working directory is global to the process, this
can affect other threads, if they do file operations with relative
pathnames. Even though the current working directory is set back
to the old value, this is a race condition, which can affect real
scripts (this is how I identified this bug).
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
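
Added example, not part of the original message and not perl's code: a C sketch of why a temporary fchdir made by one thread matters to the others, and of how opening files relative to a directory fd with openat keeps a thread independent of the process-wide cwd. The directory names, data.txt and the function names are constructed for illustration; the cwd switch is pinned with a join so the outcome is deterministic instead of a race.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the thread-creation step: it moves the process cwd elsewhere. */
static void *switch_cwd(void *arg) {
    return fchdir(*(int *)arg) == 0 ? arg : NULL;
}

/* Create dir/data.txt holding one tag byte; return an O_DIRECTORY fd for dir. */
static int make_dir(const char *dir, char tag) {
    if (mkdir(dir, 0700) != 0) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    int fd = openat(dfd, "data.txt", O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, &tag, 1) != 1) return -1;
    close(fd);
    return dfd;
}

/* First byte of "data.txt" resolved against base (AT_FDCWD means the cwd). */
static char first_byte(int base) {
    char c = '?';
    int fd = openat(base, "data.txt", O_RDONLY);
    if (fd < 0) return c;
    if (read(fd, &c, 1) != 1) c = '?';
    close(fd);
    return c;
}

/* out[0]: relative open, out[1]: dirfd-anchored open. Leaves files in /tmp. */
int demo(char out[2]) {
    char tmpl[] = "/tmp/cwdraceXXXXXX", a[64], b[64];
    if (!mkdtemp(tmpl)) return -1;
    snprintf(a, sizeof a, "%s/trusted", tmpl);
    snprintf(b, sizeof b, "%s/other", tmpl);
    int fa = make_dir(a, 'T'), fb = make_dir(b, 'O');
    int saved = open(".", O_RDONLY | O_DIRECTORY);
    if (fa < 0 || fb < 0 || saved < 0 || fchdir(fa) != 0) return -1;
    pthread_t t;
    if (pthread_create(&t, NULL, switch_cwd, &fb) != 0) return -1;
    pthread_join(t, NULL);          /* we are now "inside the window" */
    out[0] = first_byte(AT_FDCWD);  /* relative path follows the moved cwd */
    out[1] = first_byte(fa);        /* anchored to the intended directory */
    int rc = fchdir(saved);
    close(fa); close(fb); close(saved);
    return rc;
}
```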