Bug #39516 for CPANPLUS: [Security] CPANPLUS Unpacks and continues to build archives with world-writable files

Mon Sep 22 13:32:02 2008 SHLOMIF [...] cpan.org - Ticket created

Subject:

[Security] CPANPLUS Unpacks and continues to build archives with world-writable files

CPANPLUS will happily unpack and continue to build distributions that contain world-writable files, including program files that are executed by Perl. By writing to these world-writable programs, a malicious user will be able to execute arbitrary code as the user running the CPANPLUS process. After smoking CPANPLUS as user "cpan", I got the following errors from Mandriva's msec process: {{{{{{{{ /home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL /home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL /home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL /home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL /home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL /home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL /home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL }}}}}}}} Each of these is a world-writable file, and each of these gets executed after the unpacking stage. A malicious user can append something like qq{system('rm -fr /');} there while the archive is unpacking, and so I'll lose all the files on my system. CPANPLUS should check for any world-writable files, and if they exist - refuse to build the distribution.

Wed Oct 29 08:22:15 2008 SHLOMIF [...] cpan.org - Correspondence added

Hi all! Why hasn't this bug been dealt with? It's a serious bug, that prevents me from further doing CPAN smoking. Please look into it. Regards, -- Shlomi Fish

Wed Oct 29 08:22:18 2008 SHLOMIF [...] cpan.org - Status changed from 'new' to 'open'

Wed Dec 17 09:31:17 2008 kane [...] cpan.org - Correspondence added

On Mon Sep 22 13:32:02 2008, SHLOMIF wrote: Show quoted text

> CPANPLUS will happily unpack and continue to build distributions that > contain world-writable files, including program files that are executed > by Perl. By writing to these world-writable programs, a malicious user > will be able to execute arbitrary code as the user running the CPANPLUS > process. > > After smoking CPANPLUS as user "cpan", I got the following errors from > Mandriva's msec process: > > {{{{{{{{ > /home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL > /home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL > /home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL > /home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL > /home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL > /home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL > /home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL > }}}}}}}} > > Each of these is a world-writable file, and each of these gets executed > after the unpacking stage. A malicious user can append something like > qq{system('rm -fr /');} there while the archive is unpacking, and so > I'll lose all the files on my system. > > CPANPLUS should check for any world-writable files, and if they exist - > refuse to build the distribution.

Thanks for this report. Insecure archives are a larger concern than for just CPANPLUS. It's been discussed with the maintainers of PAUSE and agreed that such distributions will no longer be allowed to be uploaded, thus solving the problem at the root. For the small amount of distributions you have found, I suggest contacting the authors and encourage them to upload a new, fixed version of their distribution; they are active, responsible authors after all. If you feel strongly about a fix being necessary for CPANPLUS, I'll consider a patch that implements the needed functionality, but to be honest, I think we'll get more mileage out of contacting the authors. As for the smoking part, of course you are running the smoke code in a jail, since you are running arbitrary code from the internet and could lose all the files the user has access to that way as well, right? Kind regards,

Wed Dec 17 09:31:18 2008 kane [...] cpan.org - Status changed from 'open' to 'resolved'