
ActivePerl CVE-2012-5377 Insecure File Permissions Vulnerability

Question: 

We have read the Security alert for CVE-2012-5377, and would like more information.

Answer: 

This is not a new issue, and it's not really an ActivePerl issue. This vulnerability is a member of a class of vulnerabilities that apply to any software which needs to have a user-writable directory on $PATH. It has been a security concern on Windows for as long as software has been avoiding DLL conflicts by using custom library paths.

It is already possible to mitigate the vulnerability by choosing to override the default install path and install to one of the various protected program files silos that newer versions of Windows offer. We don't do this as the default because ActivePerl has a long legacy of scripts and modules which do not handle spaces in the pathname.

It is also possible to mitigate the vulnerability on an in-place install. This PowerShell command copies the access permissions of C:\Program Files to the Perl directory (replace C:\Perl with your directory name, as installed):

powershell -command "(Get-Item 'C:\Program Files').GetAccessControl('Access') | set-acl 'C:\Perl'"

Be advised that protecting Perl from this vulnerability *will* result in reduced functionality.
- Installing to a protected program files silo means you must have elevated privileges to use PPM or "CPAN" to install or update modules, and means you will need to deal with any whitespace issues in the pathname on your own. Use of modules will only be affected if the module design requires write access for the user.
- If you mitigate by using altered ACLs, you must have elevated privileges to use PPM or "CPAN" to install or update modules. Use of modules will only be affected if the module design requires write access for the user.

PowerShell is included in Windows 7. On older versions of Windows it may be available as a separate download.

ActiveTcl CVE-2012-5378 Insecure File Permissions Vulnerability

Question: 

We have read the Security alert for CVE-2012-5378, and would like more information.

Answer: 

This is not a new issue, and it's not really an ActiveTcl issue. This vulnerability is a member of a class of vulnerabilities that apply to any software which needs to have a user-writable directory on $PATH. It has been a security concern on Windows for as long as software has been avoiding DLL conflicts by using custom library paths.

It is already possible to mitigate the vulnerability by choosing to override the default install path and install to one of the various protected program files silos that newer versions of Windows offer. We don't do this as the default because ActiveTcl has a long legacy of scripts and modules which do not handle spaces in the pathname.

It is also possible to mitigate the vulnerability on an in-place install. This PowerShell command copies the access permissions of C:\Program Files to the Tcl directory (replace C:\Tcl with your directory name, as installed):

powershell -command "(Get-Item 'C:\Program Files').GetAccessControl('Access') | set-acl 'C:\Tcl'"

Be advised that protecting Tcl from this vulnerability *will* result in reduced functionality. With altered ACLs, teacup will be unable to manage modules unless it is run with elevated privileges.

PowerShell is included in Windows 7. On older versions of Windows it may be available as a separate download.

ActivePython CVE-2012-5379 Insecure File Permissions Vulnerability

Question: 

We have read the Security alert for CVE-2012-5379, and would like more information.

Answer: 

This is not a new issue, and it's not really an ActivePython issue. This vulnerability is a member of a class of vulnerabilities that apply to any software which needs to have a user-writable directory on $PATH. It has been a security concern on Windows for as long as software has been avoiding DLL conflicts by using custom library paths.

It is already possible to mitigate the vulnerability by choosing to override the default install path and install to one of the various protected program files silos that newer versions of Windows offer. We don't do this as the default because ActivePython has a long legacy of scripts and modules which do not handle spaces in the pathname.

It is also possible to mitigate the vulnerability on an in-place install. This PowerShell command copies the access permissions of C:\Program Files to the Python directory (replace C:\Python with your directory name, as installed):

powershell -command "(Get-Item 'C:\Program Files').GetAccessControl('Access') | set-acl 'C:\Python'"

Be advised that protecting Python from this vulnerability *will* result in reduced functionality. With altered ACLs, PyPM will be unable to manage modules unless it is run with elevated privileges. If you are using virtualenv, you will not be fully protected from this vulnerability unless you protect your virtualenv directory as well.

PowerShell is included in Windows 7. On older versions of Windows it may be available as a separate download.
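The three answers above describe the same condition (an install directory on PATH that ordinary users can write to) and the same fix (copy the DACL of C:\Program Files onto the install directory). The script below is an added example, not ActiveState's own tooling: it first audits every directory on PATH and reports which ones grant write-class rights to broad groups such as Users or Authenticated Users, then applies the advisory's mitigation to the ActivePerl, ActiveTcl and ActivePython directories and re-audits them. The paths in $Targets are assumed defaults (adjust them to your installation, and add a virtualenv directory if the ActivePython note applies to you). Run it from an elevated Windows PowerShell session, since replacing a security descriptor requires administrative rights. Only the DACL section is copied, as in the advisory's one-liner; copying the owner as well would fail, because C:\Program Files is owned by TrustedInstaller.

```powershell
# Added example (not ActiveState's script). Audits PATH directories for write
# access by non-administrative principals, then applies the advisory's
# mitigation (copy the DACL of C:\Program Files) to the install directories.
# $Targets holds assumed default install paths; adjust to your installation.
# Requires an elevated Windows PowerShell session.

$Targets = @('C:\Perl', 'C:\Tcl', 'C:\Python')   # assumption: default install dirs

# Well-known SIDs that cover ordinary, non-administrative logons.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let a principal add, replace or remove files in a directory.
# Modify, Write and FullControl all contain these bits, so a -band test
# catches them. The two generic bits (GENERIC_WRITE, GENERIC_ALL) show up in
# entries inherited from the drive root, which is exactly how C:\Perl and
# friends end up writable by Authenticated Users on a default install.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Get-WeakWriteAce {
    # Returns the Allow entries on $Path that grant write-class rights to a broad group.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable account: cannot be one of the broad groups
        }
        if ($BroadSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { $ace }
    }
}

function Invoke-PathAudit {
    # One row per existing PATH directory, flagging those a non-admin can write to.
    $dirs = $env:Path -split ';' |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique
    foreach ($dir in $dirs) {
        $weak = @(Get-WeakWriteAce -Path $dir)
        [pscustomobject]@{
            Directory           = $dir
            WritableByNonAdmins = ($weak.Count -gt 0)
            Principals          = (($weak | ForEach-Object { $_.IdentityReference.Value } |
                                    Select-Object -Unique) -join ', ')
        }
    }
}

function Protect-InstallDirectory {
    # Copies only the DACL of $Template onto $Path, as the advisory's one-liner does.
    # Owner and group are deliberately left out: Program Files is owned by
    # TrustedInstaller, and Set-Acl would refuse to assign that owner.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Template = $env:ProgramFiles
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "$Path not found; skipping"
        return
    }
    $dacl = (Get-Acl -LiteralPath $Template).GetSecurityDescriptorSddlForm('Access')
    $sd = New-Object System.Security.AccessControl.DirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($dacl, 'Access')   # DACL section only
    Set-Acl -LiteralPath $Path -AclObject $sd
}

# Before: show which PATH directories are exposed.
Invoke-PathAudit | Format-Table -AutoSize

# Mitigate the ActiveState directories that exist on this machine.
foreach ($t in $Targets) { Protect-InstallDirectory -Path $t }

# After: the targets should now report WritableByNonAdmins = False.
Invoke-PathAudit |
    Where-Object { $Targets -contains $_.Directory.TrimEnd('\') } |
    Format-Table -AutoSize
```

The audit pass is worth keeping around on its own: any other directory it flags (a third-party runtime, a tools folder added to PATH by hand) has the same exposure the advisory describes, and the same fix applies. The Program Files DACL is a protected one (it does not inherit from C:\), and that protection is carried in the SDDL, so after Set-Acl the inherited Authenticated Users entries that made the directory writable are gone; as the answers above state, PPM, teacup, PyPM and CPAN will then need an elevated prompt to install or update modules.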