[Secure-testing-team] Bug#487317: perl-modules: File::Path::rmtree sets symlink target permissions to 0777
Ben Hutchings
ben at decadent.org.uk
Fri Jun 20 22:36:51 UTC 2008
Package: debsums
Version: 5.10.0-10
Severity: critical
Tags: security
Justification: root security hole
On Fri, 2008-06-20 at 23:26 +0200, Cyril Brulebois wrote:
> Frans Pop <elendil at planet.nl> (20/06/2008):
> > $ sudo aptitude reinstall ncurses-base
> > $ ls -l /lib/terminfo/*/*
> > -rwxrwxrwx 1 root root 1481 2008-06-16 22:40 /lib/terminfo/a/ansi
> > -rwxrwxrwx 1 root root 1502 2008-06-16 22:40 /lib/terminfo/c/cons25
> > -rwxrwxrwx 1 root root 1529 2008-06-16 22:40 /lib/terminfo/c/cygwin
> > -rwxrwxrwx 1 root root 308 2008-06-16 22:40 /lib/terminfo/d/dumb
> > [...]
>
> Maybe you could provide us with the part of your dpkg.log relative to
> that particular “aptitude reinstall” run, maybe there are some leads
> there.
>
> You could also strace it, following its children.
debsums is doing it:
32321 execve("/usr/bin/debsums", ["/usr/bin/debsums", "--generate=nocheck", "-sp", "/var/cache/apt/archives"], [/* 18 vars */]) = 0
...
32321 lstat64("wsvt25", {st_mode=S_IFLNK|0777, st_size=22, ...}) = 0
32321 chmod("wsvt25", 0777) = 0
32321 lstat64("wsvt25", {st_mode=S_IFLNK|0777, st_size=22, ...}) = 0
32321 unlink("wsvt25") = 0
It looks like it's unpacking the archive under /tmp, generating
checksums, then deleting the files as it goes. Before unlinking it uses
chmod, presumably to ensure the unlink will succeed. But chmod follows
sym-links, and these sym-links are absolute so it chmods the installed
files!
...and a little investigation shows debsums is just using File::Path::rmtree.
Ben.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages debsums depends on:
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii perl 5.10.0-10 Larry Wall's Practical Extraction
debsums recommends no packages.
-- debconf information:
debsums/apt-autogen: true
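The chmod-then-unlink sequence from the strace, reproduced in a scratch directory as an added example (not debsums or File::Path code): naive_remove mirrors the hazard, safe_remove applies the lstat-based check that a cleanup routine needs. All paths are constructed under a temp dir; the script prints the stand-in target's mode after each variant.

```perl
#!/usr/bin/perl
# Added example: chmod(2) follows symlinks, so a cleanup routine that
# chmods before unlinking changes the mode of whatever the link points
# to. Everything here lives under a temporary directory.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

my $dir    = tempdir(CLEANUP => 1);
my $target = File::Spec->catfile($dir, 'installed-file'); # stands in for /lib/terminfo/...
my $unpack = File::Spec->catdir($dir, 'unpacked');        # stands in for the tree under /tmp
mkdir $unpack or die "mkdir: $!";
open my $fh, '>', $target or die "open: $!";
close $fh;

sub mode_of { return (stat $_[0])[2] & 07777 }

# Naive cleanup, mirroring the lstat/chmod/unlink sequence in the strace:
# chmod follows the link, so the permission change lands on $target.
sub naive_remove {
    my ($path) = @_;
    chmod 0777, $path;                  # follows the link -> modifies $target
    unlink $path or die "unlink $path: $!";
}

# Hardened cleanup: test with lstat (-l) first and never chmod a symlink.
# Removing the link itself needs no permission change on its target.
sub safe_remove {
    my ($path) = @_;
    chmod 0777, $path unless -l $path;  # -l uses lstat, so it sees the link itself
    unlink $path or die "unlink $path: $!";
}

for my $case (['naive_remove', \&naive_remove], ['safe_remove', \&safe_remove]) {
    my ($name, $remover) = @$case;
    my $link = File::Spec->catfile($unpack, 'link');
    chmod 0644, $target or die "chmod: $!";       # reset the installed file's mode
    symlink $target, $link or die "symlink: $!";  # absolute link, like the ones in the report
    $remover->($link);
    printf "%-13s target mode is now %04o\n", "$name:", mode_of($target);
}
```

The same -l check is the guard a recursive deleter must apply to every entry before touching its mode, since only lstat, not stat or chmod, distinguishes the link from its target.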