ID CVE-2005-0448
Summary Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
References
Vulnerable Configurations
  • cpe:2.3:a:larry_wall:perl:5.8.0
  • cpe:2.3:a:larry_wall:perl:5.8.1
  • cpe:2.3:a:larry_wall:perl:5.8.3
  • cpe:2.3:a:larry_wall:perl:5.8.4
CVSS
Base: 1.2 (as of 07-06-2005 - 14:03)
Impact:
Exploitability:
Access
Vector: LOCAL
Complexity: HIGH
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-881.NASL
    description Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. (CVE-2005-0448) Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. (CVE-2004-0976) Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs.
    last seen 2017-10-29
    modified 2017-08-15
    plugin id 20367
    published 2005-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20367
    title RHEL 3 : perl (RHSA-2005:881)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-696.NASL
    description Paul Szabo discovered another vulnerability in the File::Path::rmtree function of perl, the popular scripting language. When a process is deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree.
    last seen 2017-10-29
    modified 2017-08-14
    plugin id 17600
    published 2005-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17600
    title Debian DSA-696-1 : perl - design flaw
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_13B0C8C8BEE011DDA708001FC66E7203.NASL
    description Jan Lieskovsky reports : perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this) This vulnerability was fixed in 5.8.4-7 but re-introduced in 5.8.8-1. It's also present in File::Path 2.xx, up to and including 2.07 which has only a partial fix.
    last seen 2017-10-29
    modified 2013-06-21
    plugin id 35289
    published 2009-01-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35289
    title FreeBSD : p5-File-Path -- rmtree allows creation of setuid files (13b0c8c8-bee0-11dd-a708-001fc66e7203)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-079.NASL
    description Paul Szabo discovered another vulnerability in the rmtree() function in File::Path.pm. While a process running as root (or another user) was busy deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree. The provided packages have been patched to resolve this problem.
    last seen 2017-10-29
    modified 2013-05-31
    plugin id 18172
    published 2005-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18172
    title Mandrake Linux Security Advisory : perl (MDKSA-2005:079)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4A99D61CF23A11DD9F550030843D3802.NASL
    description Secunia reports : Paul Szabo has reported a vulnerability in Perl File::Path::rmtree, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a race condition in the way File::Path::rmtree handles directory permissions when cleaning up directories. This can be exploited by replacing an existing sub directory in the directory tree with a symbolic link to an arbitrary file. Successful exploitation may allow changing permissions of arbitrary files, if root uses an application using the vulnerable code to delete files in a directory having a world-writable sub directory.
    last seen 2017-10-29
    modified 2013-06-21
    plugin id 35582
    published 2009-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35582
    title FreeBSD : perl -- Directory Permissions Race Condition (4a99d61c-f23a-11dd-9f55-0030843d3802)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-881.NASL
    description Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. (CVE-2005-0448) Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. (CVE-2004-0976) Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs.
    last seen 2017-10-29
    modified 2017-08-14
    plugin id 21877
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21877
    title CentOS 3 : perl (CESA-2005:881)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-674.NASL
    description Updated Perl packages that fix security issues and contain several bug fixes are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0448 to this issue. This update also addresses the following issues : -- Perl interpreter caused a segmentation fault when environment changes occurred during runtime. -- Code in lib/FindBin contained a regression that caused problems with MRTG software package. -- Perl incorrectly declared it provides an FCGI interface where it in fact did not. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2017-10-29
    modified 2017-08-15
    plugin id 19992
    published 2005-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19992
    title RHEL 4 : perl (RHSA-2005:674)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200501-38.NASL
    description The remote host is affected by the vulnerability described in GLSA-200501-38 (Perl: rmtree and DBI tmpfile vulnerabilities) Javier Fernandez-Sanguino Pena discovered that the DBI library creates temporary files in an insecure, predictable way (CAN-2005-0077). Paul Szabo found out that 'File::Path::rmtree' is vulnerable to various race conditions (CAN-2004-0452, CAN-2005-0448). Impact : A local attacker could create symbolic links in the temporary files directory that point to a valid file somewhere on the filesystem. When the DBI library or File::Path::rmtree is executed, this could be used to overwrite or remove files with the rights of the user calling these functions. Workaround : There are no known workarounds at this time.
    last seen 2017-10-29
    modified 2017-08-14
    plugin id 16429
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16429
    title GLSA-200501-38 : Perl: rmtree and DBI tmpfile vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-94-1.NASL
    description Paul Szabo discovered another vulnerability in the rmtree() function in File::Path.pm. While a process running as root (or another user) was busy deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-25
    plugin id 20720
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20720
    title Ubuntu 4.10 : perl vulnerability (USN-94-1)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_PERL-58_20131015.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. (CVE-2004-0452) - Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree. (CVE-2005-0156) - Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. (CVE-2005-0448) - Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH. (CVE-2005-4278) - Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string. (CVE-2010-1158) - Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow. (CVE-2011-2939) - CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm. (CVE-2012-5526)
    last seen 2017-10-29
    modified 2016-08-17
    plugin id 80731
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80731
    title Oracle Solaris Third-Party Patch Update : perl-58 (cve_2012_5526_configuration_vulnerability1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-674.NASL
    description Updated Perl packages that fix security issues and contain several bug fixes are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0448 to this issue. This update also addresses the following issues : -- Perl interpreter caused a segmentation fault when environment changes occurred during runtime. -- Code in lib/FindBin contained a regression that caused problems with MRTG software package. -- Perl incorrectly declared it provides an FCGI interface where it in fact did not. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2017-10-29
    modified 2017-08-14
    plugin id 67031
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67031
    title CentOS 4 : perl (CESA-2005:674)
oval via4
  • accepted 2013-04-29T04:05:58.777-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
    family unix
    id oval:org.mitre.oval:def:10475
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
    version 16
  • accepted 2014-03-24T04:01:54.839-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Matthew Wojcik
      organization The MITRE Corporation
    • name Jonathan Baker
      organization The MITRE Corporation
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    description Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
    family unix
    id oval:org.mitre.oval:def:728
    status accepted
    submitted 2006-09-22T05:48:00.000-04:00
    title HP-UX 11 Perl rmtree Race Condition
    version 32
redhat via4
advisories
  • bugzilla
    id 157694
    title CAN-2005-0448 perl File::Path.pm rmtree race condition
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20050025001
    • OR
      • AND
        • comment perl-suidperl is earlier than 3:5.8.5-16.RHEL4
          oval oval:com.redhat.rhsa:tst:20050674004
        • comment perl-suidperl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20050103005
      • AND
        • comment perl is earlier than 3:5.8.5-16.RHEL4
          oval oval:com.redhat.rhsa:tst:20050674002
        • comment perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20050103003
    rhsa
    id RHSA-2005:674
    released 2005-10-05
    severity Low
    title RHSA-2005:674: perl security update (Low)
  • rhsa
    id RHSA-2005:881
rpms
  • perl-suidperl-3:5.8.5-16.RHEL4
  • perl-3:5.8.5-16.RHEL4
  • perl-CGI-2:2.89-90.4
  • perl-DB_File-2:1.806-90.4
  • perl-suidperl-2:5.8.0-90.4
  • perl-CPAN-2:1.61-90.4
  • perl-2:5.8.0-90.4
refmap via4
bid 12767
conectiva CLSA-2006:1056
debian DSA-696
fedora FLSA-2006:152845
gentoo GLSA-200501-38
hp
  • HPSBUX01208
  • SSRT5938
mandriva MDKSA-2005:079
secunia
  • 14531
  • 17079
  • 18075
  • 18517
  • 55314
sgi 20060101-01-U
ubuntu USN-94-1
Last major update 23-10-2013 - 21:44
Published 02-05-2005 - 00:00
Last modified 10-10-2017 - 21:29