Subject: [Security] CPANPLUS Unpacks and continues to build archives with world-writable files
CPANPLUS will happily unpack and continue to build distributions that
contain world-writable files, including program files that are executed
by Perl. By writing to these world-writable programs, a malicious user
will be able to execute arbitrary code as the user running the CPANPLUS
process.
After smoking CPANPLUS as user "cpan", I got the following errors from
Mandriva's msec process:
{{{{{{{{
/home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL
}}}}}}}}
Each of these is a world-writable file, and each of these gets executed
after the unpacking stage. A malicious user can append something like
qq{system('rm -fr /');} there while the archive is unpacking, and so
I'll lose all the files on my system.
CPANPLUS should check for world-writable files and, if any exist, refuse
to build the distribution.
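One way to implement the check proposed above, as an added example that is not CPANPLUS's own code: walk the unpacked build directory, collect every file or directory with the world-write bit set, and die before the build stage if any are found. The build directory name and the Makefile.PL contents below are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not CPANPLUS code): refuse to build an unpacked
# distribution if any file or directory in it is world-writable.
use strict;
use warnings;
use File::Find;
use File::Temp qw(tempdir);
use Fcntl qw(:mode);

# Return the list of world-writable paths under $dir.
sub world_writable_files {
    my ($dir) = @_;
    my @bad;
    find(
        {
            no_chdir => 1,
            wanted   => sub {
                my @st = lstat($File::Find::name) or return;
                return if S_ISLNK($st[2]);    # symlink mode bits are irrelevant
                push @bad, $File::Find::name if $st[2] & S_IWOTH;
            },
        },
        $dir
    );
    return @bad;
}

# Guard to run between the unpack and build stages.
sub assert_safe_to_build {
    my ($dir) = @_;
    my @bad = world_writable_files($dir);
    die "Refusing to build $dir: world-writable files found:\n"
      . join('', map { "  $_\n" } @bad) if @bad;
    return 1;
}

# Constructed demo: a fake build tree containing a world-writable Makefile.PL,
# mimicking what a bad archive leaves behind after unpacking.
my $build = tempdir(CLEANUP => 1);
my $dist  = "$build/Example-Dist-0.01";
mkdir $dist or die "mkdir: $!";
open my $fh, '>', "$dist/Makefile.PL" or die "open: $!";
print $fh "use ExtUtils::MakeMaker; WriteMakefile(NAME => 'Example::Dist');\n";
close $fh;
chmod 0666, "$dist/Makefile.PL";    # simulate the archive's permissions

eval { assert_safe_to_build($dist) };
print $@ ? $@ : "ok: no world-writable files under $dist\n";
```

The check covers directories as well as files, since a world-writable build directory lets anyone create or replace files in it even when the files themselves are not writable.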