Plug the security hole described in the Aug 05 2000 bugtraq message
Jarkko Hietaniemi [Mon, 7 Aug 2000 15:05:29 +0000 (15:05 +0000)]
"sperl 5.00503 (and newer ;) exploit" by Michal Zalewski.
The security hole exists only in suidperl, which isn't
installed or even built by default.

p4raw-id: //depot/perl@6536

perl.c

diff --git a/perl.c b/perl.c
index 969d783..ed8befa 100644 (file)
--- a/perl.c
+++ b/perl.c
@@ -2851,6 +2851,7 @@ S_validate_suid(pTHX_ char *validarg, char *scriptname, int fdscript)
            if (tmpstatbuf.st_dev != PL_statbuf.st_dev ||
                tmpstatbuf.st_ino != PL_statbuf.st_ino) {
                (void)PerlIO_close(PL_rsfp);
+#ifdef MAIL_CAN_BE_USED_SAFELY /* No, it can't.  As of Aug 05 200, there's bugtraq exploit.  */
                if (PL_rsfp = PerlProc_popen("/bin/mail root","w")) {   /* heh, heh */
                    PerlIO_printf(PL_rsfp,
 "User %"Uid_t_f" tried to run dev %ld ino %ld in place of dev %ld ino %ld!\n\
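Review bot: The guard added before the popen() call is a named macro, `MAIL_CAN_BE_USED_SAFELY`, so any build that passes it with -D compiles the `/bin/mail root` pipe back into the set-id path; `#if 0` or deleting the block would remove that option. If the macro stays, its comment should state that it must never be defined and should carry the full date, which currently reads "Aug 05 200": `/* Never define this: piping to /bin/mail from a set-id perl is exploitable, see bugtraq, Aug 05 2000. */`. S_validate_suid starts before this hunk, and the guarded block continues into the next hunk.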
@@ -2861,6 +2862,7 @@ S_validate_suid(pTHX_ char *validarg, char *scriptname, int fdscript)
                        PL_statbuf.st_uid, PL_statbuf.st_gid);
                    (void)PerlProc_pclose(PL_rsfp);
                }
+#endif
                Perl_croak(aTHX_ "Permission denied\n");
            }
            if (
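Review bot: With the mail block compiled out, a dev/ino mismatch leaves no record for the administrator; the only remaining effect visible here is `Perl_croak(aTHX_ "Permission denied\n")`, which is presumably seen only by the user who triggered it. A comment above the croak should say so, e.g. `/* The attempt is no longer reported to root; only the caller sees this. */`. A reporting path that does not start an external program (syslog(3), where the platform provides it) may be worth a follow-up. The closing directive would also be easier to pair with its opener as `#endif /* MAIL_CAN_BE_USED_SAFELY */`. The function continues past the end of this hunk.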