oss-sec mailing list archives

Re: CVE Request - cups, dovecot-managesieve, perl, wireshark


From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Tue, 2 Dec 2008 13:51:21 +0300

Steven, *, good day.

Mon, Dec 01, 2008 at 11:36:45AM -0500, Steven M. Christey wrote:
> Regarding the Perl issues: as seen in this list and elsewhere, there seems
> to be a ton of confusion about which CVE's were originally fixed (or not),
> and which CVE's have since reappeared (or not), and which versions of Perl
> and File::Path are or are not affected, plus Eygene's commentary on other
> race conditions.

It seems to me that the original issue for the 'setuid' stuff was
not completely fixed in Perl 5.8.4: it misses the stanza 'if
$force_writeable' at the second chmod (this is from virgin perl-5.8.5):
-----
            chmod 0777, $root
              or carp "Can't make directory $root writeable: $!"
                if $force_writeable;
            print "rmdir $root\n" if $verbose;
            if (rmdir $root) {
                ++$count;
            }
            else {
                carp "Can't remove directory $root: $!";
                chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
                    or carp("and can't restore permissions to "
                            . sprintf("0%o",$rp) . "\n");
            }
-----
This is in line with Niko Tyni's patch:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=36;filename=sid_fix_file_path;att=2;bug=286922

So perl >= 5.8 <= 5.8.8 seems to be affected too.
-- 
Eygene
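
A way to check a copy of File::Path for the condition described in the message above (a chmod statement without the trailing `if $force_writeable` modifier). This is an added example, not part of the original message or of Perl; the function names and the statement-splitting heuristic are assumptions, and the sample input is the excerpt quoted in the message.

```python
import re
# Sample input: the perl-5.8.5 File::Path excerpt quoted in the message above.
SAMPLE = r'''
            chmod 0777, $root
              or carp "Can't make directory $root writeable: $!"
                if $force_writeable;
            print "rmdir $root\n" if $verbose;
            if (rmdir $root) {
                ++$count;
            }
            else {
                carp "Can't remove directory $root: $!";
                chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
                    or carp("and can't restore permissions to "
                            . sprintf("0%o",$rp) . "\n");
            }
'''.strip('\n')

GUARD = re.compile(r'\bif\s+\$force_writeable\s*$')  # trailing statement modifier
CHMOD = re.compile(r'\bchmod\b')

def mask_strings(src):
    """Blank quoted-string contents so ';' or 'chmod' inside them is ignored."""
    # Heuristic (assumption): Perl comments, heredocs and q// forms are not handled.
    out, quote, esc = [], None, False
    for c in src:
        if quote is None:
            quote = c if c in "\"'" else None
        elif esc or c == '\\':
            esc, c = not esc, ' '      # backslash and the character it escapes
        elif c == quote:
            quote = None
        elif c != '\n':
            c = ' '                    # keep newlines so line numbers survive
        out.append(c)
    return ''.join(out)

def unguarded_chmods(src):
    """Return (line, text) for each chmod statement lacking the guard."""
    masked, findings, start = mask_strings(src), [], 0
    for stmt in masked.split(';'):
        m = CHMOD.search(stmt)
        if m and not GUARD.search(stmt):
            pos = start + m.start()
            text = src[pos:start + len(stmt)].splitlines()[0].strip()
            findings.append((masked.count('\n', 0, pos) + 1, text))
        start += len(stmt) + 1
    return findings
```

Calling `unguarded_chmods(SAMPLE)` reports only the second chmod, at line 10 of the excerpt; line numbers are relative to the text passed in.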

