Perl File::Path::rmtree Symlink Arbitrary File/Directory Manipulation

2004-12-26T05:51:26
ID OSVDB:12588
Type osvdb
Reporter Paul Szabo (psz@maths.usyd.edu.au)
Modified 2004-12-26T05:51:26

Description

Vulnerability Description

File::Path::rmtree contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when a malicious user creates symbolic links to arbitrary files and File::Path::rmtree attempts to delete the arbitrary file. This flaw may lead to a loss of integrity, possibly allowing the attacker to change permissions on and/or delete the file.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.perl.org/
Vendor Specific News/Changelog Entry: http://www.archivum.info/debian-bugs-dist.lists.debian.org/2004-12/msg08050.html
Security Tracker: 1012659
Secunia Advisory ID: 13643
Secunia Advisory ID: 14044
Secunia Advisory ID: 14252
Secunia Advisory ID: 17645
Secunia Advisory ID: 13702
Secunia Advisory ID: 15191
Other Advisory URL: http://www.debian.org/security/2004/dsa-620
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200501-38.xml
Other Advisory URL: http://www.novell.com/linux/security/advisories/2005_04_sr.html
Keyword: SCOSA-2005.49
CVE-2004-0452