Re: Bug#220486: Acknowledgement (perl-suid: suidperl security)
Dear all,
http://www.debian.org/security/2004/dsa-431 says:
> ... an attacker could abuse suidperl to discover information about files
> (such as testing for their existence and some of their permissions) that
> should not be accessible to unprivileged users.
>
> For the current stable distribution (woody) this problem has been fixed
> in version 5.6.1-8.6.
Sorry, it is not fixed. As noted in http://bugs.debian.org/203426 :
psz@pisa:~$ dpkg -l perl-suid
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii perl-suid 5.6.1-8.6 Runs setuid Perl scripts.
psz@pisa:~$ for file in nosuch file sfile; do
> echo "[$file]"
> /usr/bin/time -v suidperl /tmp/test/$file 2>&1 | grep Major
> done
[nosuch]
Major (requiring I/O) page faults: 189
[file]
Major (requiring I/O) page faults: 191
[sfile]
Major (requiring I/O) page faults: 191
psz@pisa:~$
As noted in that discussion, you cannot allow suidperl to open anything as
root. Kindly use the patch I provided to swap UIDs before open; or better,
the patch to open in perl then pass /dev/fd/XXX to suidperl; see also the
patches I am "pushing" (and discussion) on perl5-porters@perl.org .
Cheers,
Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
Reply to: