[security] Incorrect file permissions due to (now fixed) perl 5.10 issue


by Frans Pop-3


Likely affected: any unstable/testing system that has 'debsums' installed
Possibly affected: any unstable/testing system

Today a Debian Testing Security Announcement [1] was published describing
an issue where files may have gotten world readable/writable/executable
permissions due to a bug in perl 5.10. As not everybody reads DTSAs, it
seems proper to give this issue a bit wider publication.

The issue was first spotted by Joey Hess and myself for terminfo files
from the ncurses-base package [2] and traced to debsums being run by APT
during post-install. From there, Ben Hutchings traced it to a bug in the
function File::Path::rmtree in perl 5.10.

So far the issue has only been confirmed for the use of File::Path::rmtree
in debsums, but in theory any program using that function can result in
files with incorrect permissions.

Although the cause of the bug has now been fixed, many systems may still
have files with incorrect permissions around and thus be vulnerable to
attack. Checking if your systems are affected is strongly recommended.

Please see the DTSA [1] for further details.

Just to be clear: systems running stable (etch) are NOT affected.

[1] http://lists.debian.org/debian-testing-security-announce/2008/06/msg00016.html
[2] http://lists.debian.org/debian-devel/2008/06/msg00543.html
   http://bugs.debian.org/487319
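
One generic way to look for files left with world-writable or fully open permissions, which is the symptom the message recommends checking for. This is an added example, not part of the original post or the DTSA; the function names are made up here, GNU find is assumed, and the directory to scan is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example: audit a directory tree for over-permissive modes.
# Assumes GNU find (for -printf), as shipped on Debian.

# Print "MODE OWNER:GROUP PATH" for every regular file writable by
# "other", and for every directory writable by "other" that lacks the
# sticky bit (so /tmp-style directories are not reported).
# Symlinks are neither followed nor reported; -xdev stays on one filesystem.
list_world_writable() {
    find "$1" -xdev \( \
        \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \
    \) -printf '%m %u:%g %p\n' 2>/dev/null | sort -k3
}

# Print regular files whose mode is exactly 0777, i.e. readable,
# writable and executable by everyone.
list_fully_open_files() {
    find "$1" -xdev -type f -perm 0777 -printf '%p\n' 2>/dev/null | sort
}

# Print any findings and return 1 if there are some, 0 if the tree is
# clean, so the function can be used from cron or a monitoring check.
audit_tree() {
    hits=$(list_world_writable "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /some/directory
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

A hit only shows that a path is world-writable now; whether that mode is wrong for the file still has to be judged against what the owning package is supposed to install.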

