Executive Summary
Summary | |
---|---|
Title | New perl packages fix privilege escalation |
Information | |||
---|---|---|---|
Name | DSA-696 | First vendor Publication | 2005-03-22 |
Vendor | Debian | Last vendor Modification | 2005-03-22 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability SubScore | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:H/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 1.2 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | High |
Cvss Exploit Score | 1.9 | Authentication | None Required |
Detail
Paul Szabo discovered another vulnerability in the File::Path::rmtree function of perl, the popular scripting language. When a process is deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree.

For the stable distribution (woody) this problem has been fixed in version 5.6.1-8.9.

For the unstable distribution (sid) this problem has been fixed in version 5.8.4-8.

We recommend that you upgrade your perl packages.
Original Source
Url : http://www.debian.org/security/2005/dsa-696 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10475 | |||
Oval ID: | oval:org.mitre.oval:def:10475 | ||
Title: | Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. | ||
Description: | Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-0448 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:728 | |||
Oval ID: | oval:org.mitre.oval:def:728 | ||
Title: | HP-UX 11 Perl rmtree Race Condition | ||
Description: | Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-0448 | Version: | 7 |
Platform(s): | HP-UX 11 | Product(s): | Perl |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 4 |
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for perl CESA-2010:0458 centos5 i386 File : nvt/gb_CESA-2010_0458_perl_centos5_i386.nasl |
2010-06-11 | Name : RedHat Update for perl RHSA-2010:0458-02 File : nvt/gb_RHSA-2010_0458-02_perl.nasl |
2009-02-13 | Name : FreeBSD Ports: perl File : nvt/freebsd_perl3.nasl |
2009-01-07 | Name : FreeBSD Ports: p5-File-Path File : nvt/freebsd_p5-File-Path.nasl |
2008-12-10 | Name : Debian Security Advisory DSA 1678-1 (perl) File : nvt/deb_1678_1.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200501-38 (Perl) File : nvt/glsa_200501_38.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 696-1 (perl) File : nvt/deb_696_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
14619 | Perl File::Path::rmtree Function Race Condition Privilege Escalation. The Perl File::Path::rmtree function contains a flaw that may allow a malicious local user to change permissions of arbitrary files on the system. The issue is due to the way the File::Path::rmtree function handles directory permissions when cleaning up directories. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_perl-58_20131015.nasl - Type : ACT_GATHER_INFO |
2013-06-29 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2005-674.nasl - Type : ACT_GATHER_INFO |
2009-02-04 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_4a99d61cf23a11dd9f550030843d3802.nasl - Type : ACT_GATHER_INFO |
2009-01-05 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_13b0c8c8bee011dda708001fc66e7203.nasl - Type : ACT_GATHER_INFO |
2008-12-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1678.nasl - Type : ACT_GATHER_INFO |
2006-07-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2005-881.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-94-1.nasl - Type : ACT_GATHER_INFO |
2005-12-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-881.nasl - Type : ACT_GATHER_INFO |
2005-10-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-674.nasl - Type : ACT_GATHER_INFO |
2005-05-02 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-079.nasl - Type : ACT_GATHER_INFO |
2005-03-23 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-696.nasl - Type : ACT_GATHER_INFO |
2005-02-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200501-38.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:33:57 | |