Ben Hutchings
2008-Jun-20 22:36 UTC
[Secure-testing-team] Bug#487317: perl-modules: File::Path::rmtree sets symlink target permissions to 0777
Package: debsums
Version: 5.10.0-10
Severity: critical
Tags: security
Justification: root security hole

On Fri, 2008-06-20 at 23:26 +0200, Cyril Brulebois wrote:
> Frans Pop <elendil at planet.nl> (20/06/2008):
> > $ sudo aptitude reinstall ncurses-base
> > $ ls -l /lib/terminfo/*/*
> > -rwxrwxrwx 1 root root 1481 2008-06-16 22:40 /lib/terminfo/a/ansi
> > -rwxrwxrwx 1 root root 1502 2008-06-16 22:40 /lib/terminfo/c/cons25
> > -rwxrwxrwx 1 root root 1529 2008-06-16 22:40 /lib/terminfo/c/cygwin
> > -rwxrwxrwx 1 root root  308 2008-06-16 22:40 /lib/terminfo/d/dumb
> > [...]
>
> Maybe you could provide us with the part of your dpkg.log relative to
> that particular "aptitude reinstall" run, maybe there are some leads
> there.
>
> You could also strace it, following its children.

debsums is doing it:

32321 execve("/usr/bin/debsums", ["/usr/bin/debsums", "--generate=nocheck", "-sp", "/var/cache/apt/archives"], [/* 18 vars */]) = 0
...
32321 lstat64("wsvt25", {st_mode=S_IFLNK|0777, st_size=22, ...}) = 0
32321 chmod("wsvt25", 0777) = 0
32321 lstat64("wsvt25", {st_mode=S_IFLNK|0777, st_size=22, ...}) = 0
32321 unlink("wsvt25") = 0

It looks like it's unpacking the archive under /tmp, generating checksums, then deleting the files as it goes. Before unlinking it uses chmod, presumably to ensure the unlink will succeed. But chmod follows sym-links, and these sym-links are absolute so it chmods the installed files!

...and a little investigation shows debsums is just using File::Path::rmtree.

Ben.
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages debsums depends on:
ii  debconf [debconf-2.0]  1.5.22     Debian configuration management sy
ii  perl                   5.10.0-10  Larry Wall's Practical Extraction

debsums recommends no packages.

-- debconf information:
  debsums/apt-autogen: true
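The chmod-follows-symlinks failure mode described in the report above, as an added example that is not part of this bug report, of debsums or of File::Path: a Python model of the chmod-then-unlink sequence seen in the strace, beside a variant that lstat()s each entry and never chmods through a link. The tree layout, file names and function names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Permission bits of `path` (follows symlinks, like stat(2))."""
    return stat.S_IMODE(os.stat(path).st_mode)


def rmtree_chmod_then_unlink(root):
    """Model of the sequence in the strace: chmod(entry, 0777), then unlink.
    chmod(2) follows symlinks, so for a symlink entry the *target* gets 0777."""
    for entry in os.listdir(root):
        p = os.path.join(root, entry)
        if os.path.isdir(p) and not os.path.islink(p):
            rmtree_chmod_then_unlink(p)
        else:
            os.chmod(p, 0o777)  # dereferences a symlink: modifies its target
            os.unlink(p)        # removes only the link itself
    os.chmod(root, 0o777)
    os.rmdir(root)


def rmtree_safe(root):
    """Hardened variant: inspect entries with lstat(2) and unlink symlinks
    as-is. Permission to unlink comes from the containing directory, so only
    real directories (never links) are chmod'ed, and only to add owner rwx."""
    for entry in os.listdir(root):
        p = os.path.join(root, entry)
        st = os.lstat(p)  # does not follow symlinks
        if stat.S_ISDIR(st.st_mode):
            os.chmod(p, stat.S_IMODE(st.st_mode) | 0o700)  # p is a real dir
            rmtree_safe(p)
        else:
            os.unlink(p)  # files and symlinks alike; no chmod needed
    os.rmdir(root)


def demo(remover):
    """Constructed scenario: a tree holding an absolute symlink to a 0644 file
    outside it. Run `remover` on the tree; return the outside file's final mode."""
    with tempfile.TemporaryDirectory() as base:
        target = os.path.join(base, "installed_file")  # stands in for /lib/terminfo/...
        with open(target, "w") as fh:
            fh.write("x")
        os.chmod(target, 0o644)
        tree = os.path.join(base, "unpack")  # stands in for the /tmp unpack dir
        os.mkdir(tree)
        os.symlink(target, os.path.join(tree, "link"))
        remover(tree)
        return mode_of(target)
```

`demo(rmtree_chmod_then_unlink)` returns 0o777 (the outside file was made world-writable), while `demo(rmtree_safe)` returns 0o644.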