Fwd: [security] Incorrect file permissions due to (now fixed) perl 5.10 issue

For your information a copy of a message just also sent to the debian-devel-announce mailing list.

• Forwarded Message ---------- Likely affected: any unstable/testing system that has 'debsums' installed Possibly affected: any unstable/testing system

Today a Debian Testing Security Announcement [1] was published describing an issue where files may have gotten world readable/writable/executable permissions due to a bug in perl 5.10. As not everybody reads DTSAs, it seems proper to give this issue a bit wider publication.

The issue was first spotted by Joey Hess and myself for terminfo files from the ncurses-base package [2] and traced to debsums being run by APT during post-install. From there, Ben Hutchings traced it to a bug in the function File::Path::rmtree in perl 5.10.

So far the issue has only been confirmed for the use of File::Path::rmtree in debsums, but in theory any program using that function can result in files with incorrect permissions.

Although the cause of the bug has now been fixed, many systems may still have files with incorrect permissions around and thus be vulnerable to attack. Checking if your systems are affected is strongly recommended.

Please see the DTSA [1] for further details.

Just to be clear: systems running stable (etch) are NOT affected.

[1]http://lists.debian.org/debian-testing-security-announce/2008/06/msg00016.html
[2]http://lists.debian.org/debian-devel/2008/06/msg00543.html

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

   http://bugs.debian.org/487319

-- 
To UNSUBSCRIBE, email to debian-testing-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


application/pgp-signature attachment: This is a digitally signed message part.