September 11 2017 File::Path Security

File::Path::rmtree(): Multiple CVEs

        Race condition in the recursive (1) directory deletion and (2) directory move
        in GNU File Utilities (fileutils) 4.1 and earlier allows local users to delete
        directories as the user running fileutils by moving a low-level directory to a
        higher level as it is being deleted, which causes fileutils to chdir to a ".."
        directory that is higher than expected, possibly up to the root file system.

        Race condition in the rmtree function in the File::Path module in Perl
        5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local
        users to delete arbitrary files and directories, and possibly read files and
        directories, via a symlink attack.

        Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4
        allows local users to create arbitrary setuid binaries in the tree being
        deleted, a different vulnerability than CVE-2004-0452.
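
An added example, not part of the original slides and not File::Path's own code: a descriptor-relative recursive delete, written in Python rather than Perl, that avoids the races described above by never calling chmod, never traversing "..", and opening every directory with O_NOFOLLOW. The names safe_rmtree and demo and the sample tree are constructed for illustration; it assumes a POSIX system, Python 3.7 or later, and a trusted parent directory for the top-level path.

```python
import os
import stat
import tempfile

def safe_rmtree(name, dir_fd=None):
    """Delete the directory `name` (relative to dir_fd) without following symlinks.

    No chmod is performed and no path is re-resolved: every operation is
    relative to an open directory descriptor, so a concurrent rename or
    symlink swap cannot redirect the deletion outside the tree.
    """
    # O_NOFOLLOW: fail if `name` is a symlink. O_DIRECTORY: fail if it is not a directory.
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        with os.scandir(fd) as it:
            names = [entry.name for entry in it]
        for child in names:
            st = os.lstat(child, dir_fd=fd)      # lstat never follows a link
            if stat.S_ISDIR(st.st_mode):
                safe_rmtree(child, dir_fd=fd)    # re-checked by O_NOFOLLOW on open
            else:
                os.unlink(child, dir_fd=fd)      # removes a link itself, not its target
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=dir_fd)

def demo():
    """Constructed sample: 'tree' contains a symlink pointing at 'victim'."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "victim"))
        open(os.path.join(base, "victim", "keep.txt"), "w").close()
        os.makedirs(os.path.join(base, "tree", "sub"))
        open(os.path.join(base, "tree", "sub", "f.txt"), "w").close()
        os.symlink(os.path.join(base, "victim"), os.path.join(base, "tree", "link"))
        os.symlink(os.path.join(base, "victim"), os.path.join(base, "swapped"))

        safe_rmtree(os.path.join(base, "tree"))
        try:
            safe_rmtree(os.path.join(base, "swapped"))  # top level is a symlink
            refused = False
        except OSError:
            refused = True
        return {
            "tree_removed": not os.path.exists(os.path.join(base, "tree")),
            "victim_intact": os.path.exists(os.path.join(base, "victim", "keep.txt")),
            "symlink_refused": refused,
        }

if __name__ == "__main__":
    print(demo())
```

If a directory is swapped for a symlink between the lstat and the open, the open fails and the removal aborts with OSError instead of descending into the link target.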


Copyright © 2017 James E Keenan