oss-sec mailing list archives
Re: CVE Request - cups, dovecot-managesieve, perl, wireshark
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Tue, 2 Dec 2008 13:51:21 +0300
Steven, *, good day.

Mon, Dec 01, 2008 at 11:36:45AM -0500, Steven M. Christey wrote:
> Regarding the Perl issues: as seen in this list and elsewhere, there seems to be a ton of confusion about which CVE's were originally fixed (or not), and which CVE's have since reappeared (or not), and which versions of Perl and File::Path are or are not affected, plus Eygene's commentary on other race conditions.

It seems to me that the original issue for the 'setuid' stuff was not completely fixed in Perl 5.8.4: it misses the stanza 'if $force_writeable' at the second chmod (this is from virgin perl-5.8.5):

-----
chmod 0777, $root
    or carp "Can't make directory $root writeable: $!"
    if $force_writeable;
print "rmdir $root\n" if $verbose;
if (rmdir $root) {
    ++$count;
}
else {
    carp "Can't remove directory $root: $!";
    chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
        or carp("and can't restore permissions to "
                . sprintf("0%o",$rp) . "\n");
}
-----

This is in line with Niko Tyni's patch:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=36;filename=sid_fix_file_path;att=2;bug=286922

So perl >= 5.8 <= 5.8.8 seems to be affected too.
--
Eygene