
[DTSA-142-2] perl vulnerability affects other packages



------------------------------------------------------------------------
Debian Security Advisory DTSA-142-2              security@debian.org
http://www.debian.org/security/                         Steffen Joeris
June 26, 2008                   http://www.debian.org/security/faq
------------------------------------------------------------------------

Joey Hess and Frans Pop discovered permission problems in a few
packages, which Ben Hutchings traced to File::Path::rmtree from
perl 5.10 when the debsums package is installed. rmtree follows
symlinks and changes the permissions of the link target to the
permissions of the link itself.


For the testing distribution (lenny), this problem has been fixed in version
5.10.0-10+lenny1.

For the unstable distribution (sid), this problem has been fixed in version
5.10.0-11.

The stable distribution (etch) is not affected by this problem.

The perl DTSA announcement has already been sent through our daily
announcement mails. This announcement informs about other packages
in the testing distribution that are affected by this problem.
We recommend that you upgrade your perl packages. Additionally,
if you have any of the packages from the list below installed, we
recommend that you reinstall all of them in order to fix the
exploitable permissions set on package files. The packages listed
below are only affected if they were installed or upgraded after
perl 5.10 was installed; however, reinstalling them should do no harm.
More information about this issue can be found in bug report #487319.

Special thanks go to Ben Hutchings for the patch, Niko Tyni for the
coordination as the package maintainer and Kevin B. McCarty, who
provided the list of vulnerable packages.

Reinstall instructions
---------------------------

apt-get --reinstall install package


List of affected packages
--------------------------------

ed
inn
java-gcj-compat-plugin
lib64ncurses5-dev
libbz2-dev
libncurses5-dev
libncursesw5-dev
libvolume-id-dev
module-init-tools
ncurses-base
smartlist


Additional vulnerabilities caused by this issue
--------------------------------------------------

We further advise that other programs using File::Path::rmtree may
have caused the same problem. Therefore, we suggest that you check
your system for incorrect file permissions.
For experienced users, the following command might help.

find / -perm 777 -a \! -type s -a \! -type l -a \! \( -type d -a -perm 1777 \)

Please note that chroot environments should be checked separately.
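The following is an added example, not code from the advisory, from Debian or from the perl project. It shows, in Python rather than Perl, the two points above from a defender's side: a recursive delete that decides each entry's type with lstat and applies any permission change through an O_NOFOLLOW descriptor, so a symlink inside the tree can never redirect a chmod to its target, and a scanner equivalent to the find command above (exact 0777 permission bits, symlinks and sockets skipped, sticky 1777 directories not matched). The demo() function builds a constructed temporary tree with a symlink to a 0600 file outside it; the file and directory names are assumptions for the demonstration.

```python
import os
import stat
import tempfile


def _rm_entry(name, dir_fd):
    """Remove entry `name` inside the directory open as `dir_fd`.

    lstat (never stat) decides the type, so a symlink is unlinked as a
    link and whatever it points at is never stat'ed, chmod'ed or deleted.
    """
    st = os.lstat(name, dir_fd=dir_fd)
    if stat.S_ISDIR(st.st_mode):
        # O_NOFOLLOW | O_DIRECTORY: the open fails instead of resolving a
        # link, which also closes the lstat/open race a path-based chmod has.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY,
                     dir_fd=dir_fd)
        try:
            # Permission fix goes to the descriptor we verified, not to a path.
            os.fchmod(fd, stat.S_IMODE(st.st_mode) | stat.S_IRWXU)
            for child in os.listdir(fd):
                _rm_entry(child, fd)
        finally:
            os.close(fd)
        os.rmdir(name, dir_fd=dir_fd)
    else:
        # Regular file, symlink, socket, ...: unlink the entry itself.
        os.unlink(name, dir_fd=dir_fd)


def safe_rmtree(path):
    """Delete `path` recursively without ever following a symlink."""
    parent, name = os.path.split(os.path.abspath(path))
    parent_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        _rm_entry(name, parent_fd)
    finally:
        os.close(parent_fd)


def world_writable_paths(root):
    """Paths under `root` whose permission bits are exactly 0777, with
    symlinks and sockets ignored; a sticky 1777 directory does not match,
    which mirrors the advisory's find expression."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow links
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode) or stat.S_ISSOCK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) == 0o777:
                found.append(p)
    return sorted(found)


def demo():
    """Constructed scenario: tree/sub/link points at a 0600 file outside the
    tree; after safe_rmtree the file keeps its mode. A leftover 0777 file and
    a sticky 1777 directory show what the scanner reports and what it skips."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "target.conf")          # assumed file name
    open(target, "w").close()
    os.chmod(target, 0o600)
    tree = os.path.join(base, "tree")
    os.makedirs(os.path.join(tree, "sub"))
    os.symlink(target, os.path.join(tree, "sub", "link"))  # link itself is 0777

    safe_rmtree(tree)

    leftover = os.path.join(base, "leftover.so")        # assumed file name
    open(leftover, "w").close()
    os.chmod(leftover, 0o777)
    sticky = os.path.join(base, "tmp")
    os.mkdir(sticky)
    os.chmod(sticky, 0o1777)

    return {
        "target_mode": stat.S_IMODE(os.stat(target).st_mode),   # still 0o600
        "tree_removed": not os.path.lexists(tree),
        "hits": [os.path.relpath(h, base) for h in world_writable_paths(base)],
    }


if __name__ == "__main__":
    print(demo())
```

The descriptor-based walk is the point: once a directory is open with O_NOFOLLOW, every chmod, listdir, unlink and rmdir is relative to that descriptor, so neither a symlink planted in the tree nor a swap of a directory for a link between two calls can redirect the operation outside the tree.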
