
This queue is for tickets about the CPANPLUS CPAN distribution.

Report information
The Basics
Id: 39516
Status: resolved
Priority: 0/
Queue: CPANPLUS

People
Owner: Nobody in particular
Requestors: SHLOMIF [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.84
Fixed in: (no value)
Subject: [Security] CPANPLUS Unpacks and continues to build archives with world-writable files
CPANPLUS will happily unpack and continue to build distributions that contain world-writable files, including program files that are executed by Perl. By writing to these world-writable programs, a malicious user will be able to execute arbitrary code as the user running the CPANPLUS process.

After smoking CPANPLUS as user "cpan", I got the following errors from Mandriva's msec process:

{{{{{{{{
/home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL
}}}}}}}}

Each of these is a world-writable file, and each of these gets executed after the unpacking stage. A malicious user can append something like qq{system('rm -fr /');} there while the archive is unpacking, and so I'll lose all the files on my system.

CPANPLUS should check for any world-writable files, and if they exist - refuse to build the distribution.
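The check the report asks for, as an added example that is not part of the ticket and not CPANPLUS code: scan an unpacked build directory for world-writable entries and refuse to run Makefile.PL if any are found. It assumes only POSIX find(1), chmod(1) and mktemp(1); the two demo distributions it creates are constructed for the example and are not the distributions named in the report.

```shell
#!/bin/sh
# Added example (not CPANPLUS code): gate the build step on the absence
# of world-writable files or directories in the unpacked distribution.
# Assumes POSIX find/chmod/mktemp. The demo tree below is constructed.

# List every world-writable path under $1 (mode bit 002 set).
# Returns 0 when the tree is clean, 1 when at least one entry is found.
check_world_writable() {
    dir=$1
    found=$(find "$dir" -perm -002 -print 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'Refusing to build: world-writable entries under %s\n' "$dir" >&2
        printf '%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Only reach the (simulated) "perl Makefile.PL && make" step when the
# check passes; returns the check's status otherwise.
build_if_safe() {
    if check_world_writable "$1"; then
        echo "would run: perl Makefile.PL && make in $1"
        return 0
    fi
    return 1
}

# Constructed demo: one clean distribution and one whose Makefile.PL is
# world-writable (mode 0666), the failure mode described in the report.
# Prints the temporary base directory so callers can clean it up.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/Clean-Dist-1.00" "$base/Bad-Dist-1.00"
    printf '%s\n' 'use ExtUtils::MakeMaker; WriteMakefile(NAME => "Clean::Dist");' \
        > "$base/Clean-Dist-1.00/Makefile.PL"
    printf '%s\n' 'use ExtUtils::MakeMaker; WriteMakefile(NAME => "Bad::Dist");' \
        > "$base/Bad-Dist-1.00/Makefile.PL"
    chmod 0644 "$base/Clean-Dist-1.00/Makefile.PL"
    chmod 0666 "$base/Bad-Dist-1.00/Makefile.PL"
    printf '%s\n' "$base"
}

# Stand-alone demo run: the clean tree builds, the bad tree is refused.
demo_base=$(make_demo_tree)
build_if_safe "$demo_base/Clean-Dist-1.00"
build_if_safe "$demo_base/Bad-Dist-1.00" || echo "build blocked as expected"
rm -rf "$demo_base"
```

The scan uses `-perm -002` rather than a symbolic mode so it behaves the same on GNU and BSD find, and it deliberately matches directories as well as files: a world-writable directory lets another local user replace Makefile.PL entirely, not just append to it. The remaining window between unpacking and the check is the unpack step itself, which is why the maintainer's reply about rejecting such archives at upload time, and running smokers in a jail, is the more complete fix.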
Hi all! Why hasn't this bug been dealt with? It's a serious bug that prevents me from doing further CPAN smoking. Please look into it.

Regards,

-- Shlomi Fish
On Mon Sep 22 13:32:02 2008, SHLOMIF wrote:
> CPANPLUS will happily unpack and continue to build distributions that
> contain world-writable files, including program files that are executed
> by Perl. By writing to these world-writable programs, a malicious user
> will be able to execute arbitrary code as the user running the CPANPLUS
> process.
>
> After smoking CPANPLUS as user "cpan", I got the following errors from
> Mandriva's msec process:
>
> {{{{{{{{
> /home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL
> /home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL
> /home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL
> /home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL
> /home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL
> /home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL
> /home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL
> }}}}}}}}
>
> Each of these is a world-writable file, and each of these gets executed
> after the unpacking stage. A malicious user can append something like
> qq{system('rm -fr /');} there while the archive is unpacking, and so
> I'll lose all the files on my system.
>
> CPANPLUS should check for any world-writable files, and if they exist -
> refuse to build the distribution.
Thanks for this report.

Insecure archives are a larger concern than for just CPANPLUS. It's been discussed with the maintainers of PAUSE and agreed that such distributions will no longer be allowed to be uploaded, thus solving the problem at the root.

For the small number of distributions you have found, I suggest contacting the authors and encouraging them to upload a new, fixed version of their distribution; they are active, responsible authors after all.

If you feel strongly about a fix being necessary for CPANPLUS, I'll consider a patch that implements the needed functionality, but to be honest, I think we'll get more mileage out of contacting the authors.

As for the smoking part, of course you are running the smoke code in a jail, since you are running arbitrary code from the internet and could lose all the files the user has access to that way as well, right?

Kind regards,