[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[DTSA-142-2] perl vulnerability affects other packages

Debian Security Advisory DTSA-142-2              security@debian.org
http://www.debian.org/security/                         Steffen Joeris
June 26, 2008                   http://www.debian.org/security/faq

Joey Hess and Frans Pop discovered permission problems in a few
packages, which Ben Hutchings identified as a problem in
File::Path::rmtree from perl 5.10, when the debsums package is
installed.  He discovered that it follows symlinks and changes the
permissions of the link target to the permission of the link.

For the testing distribution (lenny), this problem has been fixed in version

For the unstable distribution (sid), this problem has been fixed in version

The stable distribution (etch) is not affected by this problem.

The perl DTSA announcement has already been sent through our daily
announcement mails. This announcement informs about other packages
in the testing distribution, which are affected by this problem.
We recommend that you upgrade your perl packages. Additionally,
if you have the packages from the list below installed, we recommend
that you run a reinstall for all these packages in order to fix
exploitable permissions set on package files. The packages listed below
are only affected if they were installed or upgraded after perl 5.10
was installed, however reinstalling them should do no harm.
More information about this issue can be found in the bugreport #487319.

Special thanks go to Ben Hutchings for the patch, Niko Tyni for the
coordination as the package maintainer and Kevin B. McCarty, who
provided the list of vulnerable packages.

Reinstall instructions

apt-get --reinstall install package

List of affected packages


Additional vulnerabilites caused by this issue

We further advice that other programs using File::Path::rmtree may have
caused the same problem. Therefore, we suggest that you check your
system for incorrect file permissions.
For experienced users, the following command might help.

find / -perm 777 -a \! -type s -a \! -type l -a \! \( -type d -a -perm 1777 \)

Please note that chroot environments should be checked separately.

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: