SecurityTracker.com
Category:   Application (Generic)  >   Perl
Vendors:   Wall, Larry
(HP Issues Fix) Perl File::Path.pm rmtree() Race Condition May Let Local Users Create Privileged Binaries
SecurityTracker Alert ID:  1014213
SecurityTracker URL:  http://securitytracker.com/id/1014213
CVE Reference:   CVE-2005-0448
Updated:  Dec 20 2005
Original Entry Date:  Jun 16 2005
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 5.8.4
Description:   In March 2005, a vulnerability was reported in the rmtree() function in File::Path.pm. A local user may be able to create set user id (setuid) binaries in certain cases.

A local user can exploit a race condition to create setuid binaries in a directory tree while the directory tree is being deleted by a root level user. The user must have write permissions in that directory tree to exploit this flaw.

Paul Szabo discovered this vulnerability.
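
The general defence against this class of race in recursive deletion is to pin each directory with a file descriptor and act on entries relative to it, instead of re-resolving path names while the tree is still writable by another user. The following Python example is added here to show that pattern; it is not from the advisory and is not the Perl or HP fix. `safe_rmtree` and `demo` are hypothetical names, the sample tree is constructed, and a POSIX system with `dir_fd` support is assumed.

```python
import os
import stat
import tempfile


def safe_rmtree(name, dir_fd=None):
    """Delete directory `name`, resolved relative to dir_fd; return entries removed."""
    # O_NOFOLLOW | O_DIRECTORY: the open fails if `name` is (or was swapped
    # for) a symlink, so we never descend into a tree we did not list.
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
    removed = 0
    try:
        for entry in os.listdir(fd):
            # lstat relative to the pinned directory fd, not a rebuilt path string.
            mode = os.stat(entry, dir_fd=fd, follow_symlinks=False).st_mode
            if stat.S_ISDIR(mode):
                removed += safe_rmtree(entry, dir_fd=fd)
            else:
                # Symlinks are unlinked as links; no chmod is ever issued by path.
                os.unlink(entry, dir_fd=fd)
                removed += 1
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=dir_fd)
    return removed + 1


def demo():
    """Constructed sample tree: victim/ holds a symlink to a directory outside it."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside")
    victim = os.path.join(base, "victim")
    os.makedirs(os.path.join(victim, "sub"))
    os.mkdir(outside)
    keep = os.path.join(outside, "keep.txt")
    for path in (keep, os.path.join(victim, "sub", "a.txt")):
        with open(path, "w") as fh:
            fh.write("x")
    os.symlink(outside, os.path.join(victim, "link"))
    removed = safe_rmtree(victim)
    result = (removed, os.path.exists(victim), os.path.exists(keep))
    safe_rmtree(base)  # clean up the scratch area
    return result


if __name__ == "__main__":
    print(demo())
```

If an entry is replaced between the `stat` and the following call, the operation fails with an error rather than acting on a different object, so a cleanup job run as root should treat such errors as a signal to stop and investigate.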

Impact:   A local user can create setuid binaries in certain cases.
Solution:   HP has issued a fix, available at:

http://software.hp.com/

PERL version 5.8.0:

HP-UX 11.00 PA-RISC version 5.8.0
perl_D.5.8.0.G_HP-UX_B.11.00_32+64.depot or subsequent

HP-UX 11i v1.0 PA-RISC version 5.8.0
perl_D.5.8.0.G_HP-UX_B.11.11_32+64.depot or subsequent

HP-UX 11i v1.0409 version 5.8.0 (IA and PA)
perl_D.5.8.0.G_HP-UX_B.11.23_IA+PA.depot or subsequent

PERL version 5.8.2:

HP-UX 11.00 PA-RISC version 5.8.2
perl_D.5.8.2.D_HP-UX_B.11.00_32+64.depot or subsequent

HP-UX 11i v1.0 PA-RISC version 5.8.2
perl_D.5.8.2.D_HP-UX_B.11.11_32+64.depot or subsequent

HP-UX 11i v1.0409 version 5.8.2 (IA and PA)
perl_D.5.8.2.F_HP-UX_B.11.23_IA+PA.depot or subsequent

PERL version 5.8.3:

HP-UX 11.00 PA-RISC version 5.8.3
perl_D.5.8.3.B_HP-UX_B.11.00_32+64.depot or subsequent

HP-UX 11i v1.0 PA-RISC version 5.8.3
perl_D.5.8.3.B_HP-UX_B.11.11_32+64.depot or subsequent

HP-UX 11i v1.0409 version 5.8.3 (IA and PA)
perl_D.5.8.3.B_HP-UX_B.11.23_IA+PA.depot or subsequent

Vendor URL:  www2.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01208
Cause:   Access control error, State error
Underlying OS:  UNIX (HP/UX)
Underlying OS Comments:  HP-UX B.11.00, B.11.11, and B.11.23

Message History:   This archive entry is a follow-up to the message listed below.
Jun 16 2005 Perl File::Path.pm rmtree() Race Condition May Let Local Users Create Privileged Binaries


