GNU bug report logs - #27263
Perl CVE-2017-6512
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Tue, 6 Jun 2017 03:03:01 UTC
Severity: normal
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#27263; Package guix-patches. (Tue, 06 Jun 2017 03:03:01 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 06 Jun 2017 03:03:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
These patches fix CVE-2017-6512 in perl-file-path and the copy of
File::Path in perl itself.
Information forwarded to guix-patches <at> gnu.org: bug#27263; Package guix-patches. (Tue, 06 Jun 2017 03:06:01 GMT)
Message #8 received at 27263 <at> debbugs.gnu.org:
This fixes CVE-2017-6512.
* gnu/packages/perl.scm (perl-file-path): Update to 2.13.
---
gnu/packages/perl.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 812d7548c..e56c80609 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -2986,17 +2986,17 @@ platforms.")
(define-public perl-file-path
(package
(name "perl-file-path")
- (version "2.12")
+ (version "2.13")
(source
(origin
(method url-fetch)
(uri (string-append
- "mirror://cpan/authors/id/R/RI/RICHE/File-Path-"
+ "mirror://cpan/authors/id/J/JK/JKEENAN/File-Path-"
version
".tar.gz"))
(sha256
(base32
- "0znihrlcnlpa0ziml0hkq9s59p1bjd2a6khgx2accdf16w6imxmv"))))
+ "039gc0i5cbdmidl8j8x195yykwcdmzwawmpapnysvljl8l33jqwj"))))
(build-system perl-build-system)
(home-page "http://search.cpan.org/dist/File-Path")
(synopsis "Create or remove directory trees")
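Review bot: the uri change from R/RI/RICHE to J/JK/JKEENAN means 2.13 is fetched from a different CPAN author directory than 2.12, but the commit log only says "Update to 2.13". Say in the log that the upload location changed, and confirm the new directory belongs to the module's current maintainer before trusting the new base32 hash. The upstream fix commit cited in the perl patch of this series lives under github.com/jkeenan/File-Path, which is consistent with the new path.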
--
2.13.0
Information forwarded to guix-patches <at> gnu.org: bug#27263; Package guix-patches. (Tue, 06 Jun 2017 03:06:02 GMT)
Message #11 received at 27263 <at> debbugs.gnu.org:
* gnu/packages/perl.scm (perl)[replacement]: New field.
(perl/fixed): New variable.
* gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
.../patches/perl-file-path-CVE-2017-6512.patch | 173 +++++++++++++++++++++
gnu/packages/perl.scm | 13 ++
3 files changed, 187 insertions(+)
create mode 100644 gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 4b2bdfe37..ab3fbb2d3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -884,6 +884,7 @@ dist_patch_DATA = \
%D%/packages/patches/pcre-CVE-2017-7186.patch \
%D%/packages/patches/pcre2-CVE-2017-7186.patch \
%D%/packages/patches/pcre2-CVE-2017-8786.patch \
+ %D%/packages/patches/perl-file-path-CVE-2017-6512.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
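Review bot: the new perl-file-path-CVE-2017-6512.patch entry is placed ahead of perl-autosplit-default-time.patch, which breaks the alphabetical order the surrounding entries follow. It sorts between perl-deterministic-ordering.patch and perl-finance-quote-unuse-mozilla-ca.patch, so the line should move down two entries.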
diff --git a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch b/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
new file mode 100644
index 000000000..28ab06759
--- /dev/null
+++ b/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
@@ -0,0 +1,173 @@
+Fix CVE-2017-6512:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512
+https://rt.cpan.org/Public/Bug/Display.html?id=121951
+
+Patch copied from Debian, adapted to apply to the copy of File::Path in Perl
+5.24.0.
+
+https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2
+https://anonscm.debian.org/cgit/perl/perl.git/diff/debian/patches/fixes/file_path_chmod_race.diff?id=e7b50f8fb6413f8ddfbbfda2d531615fb029e2d3
+
+From d760748be0efca7c05454440e24f3df77bf7cf5d Mon Sep 17 00:00:00 2001
+From: John Lightsey <john <at> nixnuts.net>
+Date: Tue, 2 May 2017 12:03:52 -0500
+Subject: Prevent directory chmod race attack.
+
+CVE-2017-6512 is a race condition attack where the chmod() of directories
+that cannot be entered is misused to change the permissions on other
+files or directories on the system. This has been corrected by limiting
+the directory-permission loosening logic to systems where fchmod() is
+supported.
+
+[Backported (whitespace adjustments) to File-Path 2.12 / perl 5.24 by
+Dominic Hargreaves for Debian.]
+
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=121951
+Bug-Debian: https://bugs.debian.org/863870
+Patch-Name: fixes/file_path_chmod_race.diff
+---
+ cpan/File-Path/lib/File/Path.pm | 39 +++++++++++++++++++++++++--------------
+ cpan/File-Path/t/Path.t | 40 ++++++++++++++++++++++++++--------------
+ 2 files changed, 51 insertions(+), 28 deletions(-)
+
+diff --git a/cpan/File-Path/lib/File/Path.pm b/cpan/File-Path/lib/File/Path.pm
+index 034da1e..a824cc8 100644
+--- a/cpan/File-Path/lib/File/Path.pm
++++ b/cpan/File-Path/lib/File/Path.pm
+@@ -354,21 +354,32 @@ sub _rmtree {
+
+ # see if we can escalate privileges to get in
+ # (e.g. funny protection mask such as -w- instead of rwx)
+- $perm &= oct '7777';
+- my $nperm = $perm | oct '700';
+- if (
+- !(
+- $arg->{safe}
+- or $nperm == $perm
+- or chmod( $nperm, $root )
+- )
+- )
+- {
+- _error( $arg,
+- "cannot make child directory read-write-exec", $canon );
+- next ROOT_DIR;
++ # This uses fchmod to avoid traversing outside of the proper
++ # location (CVE-2017-6512)
++ my $root_fh;
++ if (open($root_fh, '<', $root)) {
++ my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1];
++ $perm &= oct '7777';
++ my $nperm = $perm | oct '700';
++ local $@;
++ if (
++ !(
++ $arg->{safe}
++ or $nperm == $perm
++ or !-d _
++ or $fh_dev ne $ldev
++ or $fh_inode ne $lino
++ or eval { chmod( $nperm, $root_fh ) }
++ )
++ )
++ {
++ _error( $arg,
++ "cannot make child directory read-write-exec", $canon );
++ next ROOT_DIR;
++ }
++ close $root_fh;
+ }
+- elsif ( !chdir($root) ) {
++ if ( !chdir($root) ) {
+ _error( $arg, "cannot chdir to child", $canon );
+ next ROOT_DIR;
+ }
+diff --git a/cpan/File-Path/t/Path.t b/cpan/File-Path/t/Path.t
+index ff52fd6..956ca09 100644
+--- a/cpan/File-Path/t/Path.t
++++ b/cpan/File-Path/t/Path.t
+@@ -3,7 +3,7 @@
+
+ use strict;
+
+-use Test::More tests => 127;
++use Test::More tests => 126;
+ use Config;
+ use Fcntl ':mode';
+ use lib 't/';
+@@ -18,6 +18,13 @@ BEGIN {
+
+ my $Is_VMS = $^O eq 'VMS';
+
++my $fchmod_supported = 0;
++if (open my $fh, curdir()) {
++ my ($perm) = (stat($fh))[2];
++ $perm &= 07777;
++ eval { $fchmod_supported = chmod( $perm, $fh); };
++}
++
+ # first check for stupid permissions second for full, so we clean up
+ # behind ourselves
+ for my $perm (0111,0777) {
+@@ -299,16 +306,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check");
+
+ is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef");
+
+-$dir = catdir($tmp_base,'G');
+-$dir = VMS::Filespec::unixify($dir) if $Is_VMS;
++SKIP: {
++ skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported;
++ $dir = catdir($tmp_base,'G');
++ $dir = VMS::Filespec::unixify($dir) if $Is_VMS;
+
+-@created = mkpath($dir, undef, 0200);
++ @created = mkpath($dir, undef, 0400);
+
+-is(scalar(@created), 1, "created write-only dir");
++ is(scalar(@created), 1, "created read-only dir");
+
+-is($created[0], $dir, "created write-only directory cross-check");
++ is($created[0], $dir, "created read-only directory cross-check");
+
+-is(rmtree($dir), 1, "removed write-only dir");
++ is(rmtree($dir), 1, "removed read-only dir");
++}
+
+ # borderline new-style heuristics
+ if (chdir $tmp_base) {
+@@ -450,26 +460,28 @@ SKIP: {
+ }
+
+ SKIP : {
+- my $skip_count = 19;
++ my $skip_count = 18;
+ # this test will fail on Windows, as per:
+ # http://perldoc.perl.org/perlport.html#chmod
+
+ skip "Windows chmod test skipped", $skip_count
+ if $^O eq 'MSWin32';
++ skip "fchmod() on directories is not supported on this platform", $skip_count
++ unless $fchmod_supported;
+ my $mode;
+ my $octal_mode;
+ my @inputs = (
+- 0777, 0700, 0070, 0007,
+- 0333, 0300, 0030, 0003,
+- 0111, 0100, 0010, 0001,
+- 0731, 0713, 0317, 0371, 0173, 0137,
+- 00 );
++ 0777, 0700, 0470, 0407,
++ 0433, 0400, 0430, 0403,
++ 0111, 0100, 0110, 0101,
++ 0731, 0713, 0317, 0371,
++ 0173, 0137);
+ my $input;
+ my $octal_input;
+- $dir = catdir($tmp_base, 'chmod_test');
+
+ foreach (@inputs) {
+ $input = $_;
++ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
+ # We can skip from here because 0 is last in the list.
+ skip "Mode of 0 means assume user defaults on VMS", 1
+ if ($input == 0 && $Is_VMS);
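Review bot: in the _rmtree hunk of File/Path.pm, the permission-loosening chmod now runs only when open($root_fh, '<', $root) succeeds, so a directory the caller cannot open for reading gets no chmod at all and goes straight to chdir($root). The Path.t changes show this is a deliberate behaviour change (the write-only 0200 case becomes 0400, every mode left in @inputs has an owner read or execute bit, and 00 is dropped), but neither the patch header nor the new code comment says so; a sentence in the header stating that rmtree no longer loosens directories it cannot open would help anyone relying on the old behaviour. In the same hunk, a dev/inode mismatch against $ldev/$lino skips the chmod silently, which deserves a short comment that the fall-through is intended. In Path.t, the context lines "We can skip from here because 0 is last in the list" and the $input == 0 VMS skip are now dead, since 00 was removed from @inputs.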
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index e56c80609..6da4bb13f 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -51,6 +51,7 @@
;; Yeah, Perl... It is required early in the bootstrap process by Linux.
(package
(name "perl")
+ (replacement perl/fixed)
(version "5.24.0")
(source (origin
(method url-fetch)
@@ -147,6 +148,18 @@
(home-page "http://www.perl.org/")
(license gpl1+))) ; or "Artistic"
+(define perl/fixed
+ (package
+ (inherit perl)
+ (replacement #f)
+ (source
+ (origin
+ (inherit (package-source perl))
+ (patches
+ (append
+ (origin-patches (package-source perl))
+ (search-patches "perl-file-path-CVE-2017-6512.patch")))))))
+
(define-public perl-algorithm-c3
(package
(name "perl-algorithm-c3")
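Review bot: perl/fixed is introduced without a comment saying what it fixes or when it can be removed. A line above the definition naming CVE-2017-6512, and noting that the replacement should be dropped once the patch is applied to the perl source directly, would keep the graft from outliving its purpose.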
--
2.13.0
Information forwarded to guix-patches <at> gnu.org: bug#27263; Package guix-patches. (Tue, 06 Jun 2017 18:55:01 GMT)
Message #14 received at 27263 <at> debbugs.gnu.org:
Leo Famulari <leo <at> famulari.name> writes:
> These patches fix CVE-2017-6512 in perl-file-path and the copy of
> File::Path in perl itself.
LGTM.
Information forwarded to guix-patches <at> gnu.org: bug#27263; Package guix-patches. (Tue, 06 Jun 2017 23:18:02 GMT)
Message #17 received at 27263 <at> debbugs.gnu.org:
Leo Famulari <leo <at> famulari.name> writes:
> This fixes CVE-2017-6512.
>
> * gnu/packages/perl.scm (perl-file-path): Update to 2.13.
OK.
Information forwarded to guix-patches <at> gnu.org: bug#27263; Package guix-patches. (Tue, 06 Jun 2017 23:19:02 GMT)
Message #20 received at 27263 <at> debbugs.gnu.org:
Leo Famulari <leo <at> famulari.name> writes:
> * gnu/packages/perl.scm (perl)[replacement]: New field.
> (perl/fixed): New variable.
> * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
OK too.
I suppose we’ll have to apply it in core-updates too, right?
Thank you!
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#27263; Package guix-patches. (Wed, 07 Jun 2017 15:42:02 GMT)
Message #23 received at 27263 <at> debbugs.gnu.org:
On Wed, Jun 07, 2017 at 01:18:09AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> writes:
>
> > * gnu/packages/perl.scm (perl)[replacement]: New field.
> > (perl/fixed): New variable.
> > * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
>
> OK too.
>
> I suppose we’ll have to apply it in core-updates too, right?
Yes, I'm working on this today.
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Wed, 07 Jun 2017 16:18:01 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Wed, 07 Jun 2017 16:18:02 GMT)
Message #28 received at 27263-done <at> debbugs.gnu.org:
On Wed, Jun 07, 2017 at 01:18:09AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> writes:
>
> > * gnu/packages/perl.scm (perl)[replacement]: New field.
> > (perl/fixed): New variable.
> > * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
>
> OK too.
>
> I suppose we’ll have to apply it in core-updates too, right?
And, done as c67d587f94173fd42d65097165afc5c512935646.
I tested that this packaging of Perl 5.26.0 builds on master, then I
"ported" the package to core-updates. I don't have the resources to
build the Perl package on core-updates in a timely manner.
Information forwarded to guix-patches <at> gnu.org: bug#27263; Package guix-patches. (Thu, 08 Jun 2017 12:08:02 GMT)
Message #31 received at 27263-done <at> debbugs.gnu.org:
Leo Famulari <leo <at> famulari.name> writes:
> On Wed, Jun 07, 2017 at 01:18:09AM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo <at> famulari.name> writes:
>>
>> > * gnu/packages/perl.scm (perl)[replacement]: New field.
>> > (perl/fixed): New variable.
>> > * gnu/packages/patches/perl-file-path-CVE-2017-6512.patch: New file.
>> > * gnu/local.mk (dist_patch_DATA): Add it.
>>
>> OK too.
>>
>> I suppose we’ll have to apply it in core-updates too, right?
>
> And, done as c67d587f94173fd42d65097165afc5c512935646.
Great!
> I tested that this packaging of Perl 5.26.0 builds on master, then I
> "ported" the package to core-updates. I don't have the resources to
> build the Perl package on core-updates in a timely manner.
That’s a reasonable approach. We’ll let Hydra build it anyway and
adjust if needed.
Thank you!
Ludo’.
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 07 Jul 2017 11:24:04 GMT)