Perl: Race condition vulnerability — GLSA 201709-12

A vulnerability in module File::Path for Perl allows local attackers to set arbitrary mode values on arbitrary files bypassing security restrictions.

Affected packages

dev-lang/perl on all architectures
Affected versions < 5.24.1-r2
Unaffected versions >= 5.24.1-r2
perl-core/File-Path on all architectures
Affected versions < 2.130.0
Unaffected versions >= 2.130.0
virtual/perl-File-Path on all architectures
Affected versions < 2.130.0
Unaffected versions >= 2.130.0

Background

File::Path module provides a convenient way to create directories of arbitrary depth and to delete an entire directory subtree from the filesystem.

Description

A race condition occurs within concurrent environments. This condition was discovered by The cPanel Security Team in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl. This is due to the time-of-check-to-time-of-use (TOCTOU) race condition between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx.

Impact

A local attacker could exploit this condition to set arbitrary mode values on arbitrary files and hence bypass security restrictions.

Workaround

There is no known workaround at this time.

Resolution

All Perl users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"
 

All File-Path users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"
 

All Perl-File-Path users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"
 

References

Release date
September 17, 2017

Latest revision
September 17, 2017: 1

Severity
normal

Exploitable
local

Bugzilla entries