Perl
cpe:2.3:a:perl:perl:*:*:*:*:*:*:*
- >= 5.13.6, < 5.41.13
A race condition vulnerability has been identified in Perl's handling of directory handles within threads. When a directory handle is open and a new thread is created, Perl temporarily changes the current working directory to clone the handle for the new thread. This change can inadvertently affect other threads, leading to file operations being directed to the wrong locations. As a result, a local attacker could exploit this behavior to manipulate file access or execute unintended code. The vulnerability was introduced in Perl version 5.13.6 and affects all versions through 5.40.1.
Exploitation of this vulnerability can cause directory handles to be improperly managed across threads, leading to file operations being performed in unintended directories. This behavior can be exploited to execute arbitrary code or disrupt file handling in scripts that rely on accurate directory references.
The vulnerability can be reproduced by running a Perl script that creates a new thread while a directory handle is open. The script should attempt to read files from the directory using the handle, which will result in errors for some files due to the working directory being incorrectly set. This issue can be observed using 'strace' to monitor the system calls made by the Perl process, which will show the 'fchdir' operations that cause the directory handles to be mismanaged.
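The 'strace' observation above can be turned into a check. The following is an added example, not code from the Perl project or from this advisory: it scans `strace -f -o FILE` output and reports relative-path calls that other threads made while one thread had changed the working directory with 'fchdir'. The function name, the trace format handling and the sample trace are assumptions made for illustration.

```python
import re

# Assumed input: lines from `strace -f -o FILE`, "<tid> <syscall>(<args>) = <ret>".
CALL = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s+=\s+(-?\d+)")
# A path argument that is resolved against the current working directory.
REL_PATH = re.compile(r'AT_FDCWD, "(?!/)([^"]*)"')

def find_exposed_ops(lines):
    """Return (tid, syscall, path) for relative-path calls that other threads
    made while one thread had temporarily fchdir()'d away from the real cwd.

    Assumption: the first successful fchdir by a thread opens the window and
    the next successful fchdir by that same thread restores the directory.
    """
    owner = None      # tid currently inside an fchdir window, if any
    exposed = []
    for line in lines:
        m = CALL.match(line)
        if not m:
            continue  # signals, unfinished/resumed calls, exit lines
        tid, name, args, ret = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if name == "fchdir" and ret == 0:
            if owner is None:
                owner = tid
            elif owner == tid:
                owner = None
            continue
        if owner is not None and tid != owner:
            hit = REL_PATH.search(args)
            if hit:
                exposed.append((tid, name, hit.group(1)))
    return exposed

# Constructed trace (not captured from a real run): thread 4100 holds a
# directory handle (fd 3) and creates a thread; thread 4101 is already running.
SAMPLE = """\
4100 openat(AT_FDCWD, "/tmp/data", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
4100 openat(AT_FDCWD, ".", O_RDONLY|O_CLOEXEC) = 4
4100 fchdir(3) = 0
4101 openat(AT_FDCWD, "report.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
4100 openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5
4100 fchdir(4) = 0
4101 openat(AT_FDCWD, "report.txt", O_RDONLY) = 6
4100 clone3({flags=CLONE_VM|CLONE_THREAD, ...}, 88) = 4102
""".splitlines()

if __name__ == "__main__":
    for tid, name, path in find_exposed_ops(SAMPLE):
        print(f"tid {tid}: {name}({path!r}) ran inside another thread's fchdir window")
```

An empty result does not show that a script is safe: the window is short, so a single trace may simply not have caught another thread inside it.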
Users can update to Perl version 5.41.13 or later, where this issue has been fixed. Instructions for updating Perl can be found in the Perl documentation or through the package manager on most systems.