CLD-153 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-6512 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2017-11-24 14:56:53
Date Last Modified 2017-11-27 10:40:48

Version Specific Information:

Cucumber 1.0 i686 fixed in perl-5.22.4-i686-4
Cucumber 1.0 x86_64 fixed in perl-5.22.4-x86_64-4

Cucumber 1.1 i686 fixed in perl-5.26.1-i686-2
Cucumber 1.1 x86_64 fixed in perl-5.26.1-x86_64-2

Details:

CVE-2017-6512 (A.K.A CLD-153) is a race condition in the File-Path CPAN module
that allowed attackers to set the mode (permission bits) on arbitrary files.
For more information see:
	https://nvd.nist.gov/vuln/detail/CVE-2017-6512
	https://rt.cpan.org/Public/Bug/Display.html?id=121951
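
The class of race described above, as an added example (not the File-Path patch and not Cucumber Linux code): a mode change applied through an open descriptor instead of through a path that was checked earlier. The helper name chmod_dir_checked and the temporary files are constructed for illustration, and the descriptor-based approach is a general mitigation assumed here, not a description of how the upstream patch works.

```python
import os
import stat
import tempfile

def chmod_dir_checked(path, mode):
    """Hypothetical helper: chmod `path` only if it is a real directory.

    Checking a path and then calling chmod(path) leaves a window in which the
    name can be re-pointed at another file. Here the object is opened once
    and the check and the chmod both use that descriptor.
    """
    # O_NOFOLLOW rejects a symlink as the final component; O_DIRECTORY rejects
    # non-directories. Parent components are not covered by these flags.
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags)
    except OSError:
        # Includes unreadable directories: those are skipped, not chmod-ed by name.
        return False
    try:
        if not stat.S_ISDIR(os.fstat(fd).st_mode):
            return False
        os.fchmod(fd, mode)  # applies to the opened inode, not to the name
        return True
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: one real directory and one name that is a symlink."""
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(victim, 0o600)
        real_dir = os.path.join(base, "tree")
        os.mkdir(real_dir)
        os.chmod(real_dir, 0o500)
        swapped = os.path.join(base, "swapped")
        os.symlink(victim, swapped)  # name no longer refers to a directory
        return {
            "real_dir_changed": chmod_dir_checked(real_dir, 0o700),
            "symlink_refused": not chmod_dir_checked(swapped, 0o777),
            "real_dir_mode": stat.S_IMODE(os.stat(real_dir).st_mode),
            "victim_mode": stat.S_IMODE(os.stat(victim).st_mode),
        }

if __name__ == "__main__":
    print(demo())
```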

Fixed by applying modified versions of the patch from here:
https://rt.cpan.org/Public/Bug/Display.html?id=121951

This patch has not been applied in the official versions of Perl 5.22.4 or
Perl 5.26.1, meaning Cucumber Linux 1.0 and 1.1 were both affected by this
vulnerability. We have now manually applied modified versions of this patch to
Cucumber Linux 1.0 and 1.1 (as of Sat Nov 25 12:28:05 EST 2017).

Here are the patches we applied:
	Cucumber Linux 1.0:
	http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/0003_CVE-2017-6512_Prevent-directory-chmod-race-attack.patch
	Cucumber Linux 1.1:
	http://mirror.cucumberlinux.com/cucumber/cucumber-1.1/source/lang-base/perl/patches/0001_CVE-2017-6512_Prevent-directory-chmod-race-attack.patch

Note that the Perl 5.22.4 (Cucumber Linux 1.0) patch causes the File-Path test
suite to report a failure. However, it fails because it expected 128 tests, but
ran 129 (the patch increases the test count, in line with how it was done in the
upstream patch). All of the 128 tests it does run pass though; it fails only
because of the additional test (which didn't survive the backporting process
entirely intact). Therefore, all the tests that actually apply to this version
of Perl pass. This reported "failure" is not actually a cause for concern and
can be safely ignored.

The original commit fixing this vulnerability can be found here:
https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2