Message-ID: <87y0uaeeod.fsf@oldenburg.str.redhat.com>
Date: Mon, 02 Jun 2025 10:22:10 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Stig Palmquist <stig@...g.io>
Cc: perl5-porters@...l.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2025-40909: Perl threads have a working directory race
 condition where file operations may target unintended paths

* Stig Palmquist:

> References
> ----------
> https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch

Is this fix really correct?

+    ret = fdopendir(dup(my_dirfd(dp)));

This does not create a separate open file description, only a second
descriptor that shares the read position of the directory stream with
the original directory stream.  I think you have to use something like
this:

     ret = fdopendir(openat(my_dirfd(dp), ".", O_DIRECTORY | O_CLOEXEC));

(The original dup approach failed to set the O_CLOEXEC flag, potentially
causing the descriptor to leak to subprocesses.)

Furthermore, if there is error reporting using errno in the Perl code (I
haven't checked), it makes sense not to pass a -1 failure indicator from
openat to fdopendir because that unconditionally results in EBADF
instead of more precise error codes such as ENFILE or EMFILE.

Thanks,
Florian
