Launchpad.net

CVE 2004-0452

Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.

Related bugs and status

CVE-2004-0452 (Candidate) is related to these bugs:

Bug #10187: debconf fails to install

Summary				In	Importance	Status
	10187	debconf fails to install		debconf (Ubuntu)	High	Fix Released
	10187	debconf fails to install		debconf (Debian)	Unknown	Fix Released

Bug #11407: perl-modules: File::Path::rmtree makes setuid

Summary				In	Importance	Status
	11407	perl-modules: File::Path::rmtree makes setuid		perl (Ubuntu)	High	Fix Released
	11407	perl-modules: File::Path::rmtree makes setuid		perl (Debian)	Unknown	Fix Released

Bug #11409: perl-modules: File::Path::rmtree removes arbitrary

Summary				In	Importance	Status
	11409	perl-modules: File::Path::rmtree removes arbitrary		perl (Ubuntu)	High	Invalid
	11409	perl-modules: File::Path::rmtree removes arbitrary		perl (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

References

DEBIAN: DSA-620
GENTOO: GLSA-200501-38
REDHAT: RHSA-2005:103
SGI: 20060101-01-U
BID: 12072
SECUNIA: 12991
SECUNIA: 18517
FEDORA: FLSA-2006:152845
REDHAT: RHSA-2005:105
SECUNIA: 55314
UBUNTU: USN-44-1
BUGTRAQ: 20050111 [OpenPKG-SA-2...
XF: perl-filepathrmtree-in...
OVAL: oval:org.mitre.oval:de...