Full Disclosure mailing list archives

[Security Bug] Perl's CPANPLUS.pm Creates World-writable Files


From: "Shlomi Fish" <shlomif () gmail com>
Date: Sat, 11 Oct 2008 16:52:23 +0200

Hi all.

As reported here:

http://rt.cpan.org/Public/Bug/Display.html?id=39516

And discussed here:

http://www.nntp.perl.org/group/perl.qa/2008/09/msg11582.html

<<<
CPANPLUS will happily unpack and continue to build distributions that
contain world-writable files, including program files that are executed
by Perl. By writing to these world-writable programs, a malicious user
will be able to execute arbitrary code as the user running the CPANPLUS
process.

After smoking CPANPLUS as user "cpan", I got the following errors from
Mandriva's msec process:

{{{{{{{{
/home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL
}}}}}}}}

Each of these is a world-writable file, and each of these gets executed
after the unpacking stage. A malicious user can append something like
qq{system('rm -fr /');} there while the archive is unpacking, and so
I'll lose all the files on my system.

CPANPLUS should check for any world-writable files, and if they exist -
refuse to build the distribution.


Regards,

-- Shlomi Fish

------------------------------------------
Shlomi Fish http://www.shlomifish.org/

Electrical Engineering studies. In the Technion. Been there. Done
that. Forgot a lot. Remember too much.
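
The check the report asks for, sketched in Python as an added example (not part of the original post and not CPANPLUS code): it reads the mode bits recorded in the archive before anything is unpacked, so the refusal happens before a world-writable Makefile.PL ever exists on disk. The distribution name Sample-Dist-0.01 and all function names are constructed for illustration.

```python
import io
import stat
import tarfile


def world_writable_members(tar: tarfile.TarFile) -> list[str]:
    """Names of files and directories whose recorded mode has the o+w bit set."""
    return [
        m.name
        for m in tar.getmembers()
        if (m.isfile() or m.isdir()) and m.mode & stat.S_IWOTH
    ]


def check_before_build(archive: bytes) -> None:
    """Raise PermissionError if the distribution carries world-writable entries."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        bad = world_writable_members(tar)
    if bad:
        raise PermissionError("refusing to build, world-writable: " + ", ".join(bad))


def make_sample_dist(makefile_mode: int) -> bytes:
    """Constructed sample: a tiny tar.gz dist with Makefile.PL at the given mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, body in [
            ("Sample-Dist-0.01/Makefile.PL", makefile_mode, b"use ExtUtils::MakeMaker;\n"),
            ("Sample-Dist-0.01/lib/Sample.pm", 0o644, b"package Sample; 1;\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.mode = mode  # mode bits as the packager's tar recorded them
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for mode in (0o644, 0o666):
        try:
            check_before_build(make_sample_dist(mode))
            print(f"{mode:o}: ok to build")
        except PermissionError as exc:
            print(f"{mode:o}: {exc}")
```
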
