COMMAND

    Perl 5.0004_4

SYSTEMS AFFECTED

    Linux

PROBLEM

    Brian McCauley found the following.  The suid script emulation in
    Perl 5.0004_4 (as found in SuSE Linux 5.3 and doubtless other Linux
    distributions) fails to take account of the nosuid mount option on
    filesystems.  This means that it is trivial for a resourceful user
    to hide a setuid perl script on a CD or floppy and then use it to
    become root.  Many systems are (even by default) configured to
    allow users to mount floppies and CDs nosuid.

    This vulnerability will exist in all Unices that use a user-space
    implementation of suid scripts and implement a nosuid mount option
    in such a way that it does not modify the values returned by
    fstat().  It is worth noting that other suid-aware script
    interpreters will probably also display this vulnerability on Linux
    because of the absence of fstatvfs().

SOLUTION

    The most obvious fix to Perl for this would be (where available)
    to use fstatvfs() (as defined in SUSv2) to determine if the script
    is on a filesystem that is mounted with the nosuid option.
    Unfortunately fstatvfs() is not implemented in Linux (as of
    2.2pre1).  It would not be difficult to add the new system call.
    Indeed the existing fstatfs() implementation could simply be
    modified to implement fstatvfs() semantics and both syscalls could
    then point to the same code.  The fix to this bug/feature has been
    incorporated in FreeBSD's perl5 port and in the
    /usr/src/contrib-uted version of Perl since before 2.2.7, so
    FreeBSD users need not worry about that.
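
    The check described above, as an added example (not code from the
    advisory, from Perl or from FreeBSD): a user-space interpreter
    consults fstatvfs() on the open script descriptor and ignores the
    set-id bits when the filesystem carries ST_NOSUID.  The function
    names are hypothetical, and a platform providing fstatvfs() is
    assumed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure decision (hypothetical helper): may the set-id bits in `mode` be
 * honoured, given the mount flags `f_flag` of the script's filesystem? */
int setid_bits_usable(mode_t mode, unsigned long f_flag)
{
    if (!(mode & (S_ISUID | S_ISGID)))
        return 0;                 /* no set-id bits: nothing to honour */
    if (f_flag & ST_NOSUID)
        return 0;                 /* mounted nosuid: bits must be ignored */
    return 1;
}

/* Check the already-open script descriptor, so the answer applies to the
 * file that will be read and not to whatever the path names later.
 * Returns 1 = honour set-id bits, 0 = run with real ids, -1 = error. */
int script_setid_allowed(int fd)
{
    struct stat st;
    struct statvfs vfs;

    if (fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
        return -1;                /* caller must fail closed */
    if (!S_ISREG(st.st_mode))
        return 0;
    return setid_bits_usable(st.st_mode, vfs.f_flag);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s script\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 2;
    }
    int ok = script_setid_allowed(fd);
    close(fd);
    puts(ok == 1 ? "set-id bits may be honoured" : "run with real ids only");
    return ok == 1 ? 0 : 1;
}
```

    Anything other than a return value of 1 means the interpreter
    should continue with the real uid and gid only.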