Debian alert: New perl packages fix information leak in suidperl

Posted by dave on Feb 1, 2004 5:07 AM EDT

"Paul Szabo discovered a number of similar bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users."



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 431-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
February 1st, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : perl
Vulnerability  : information leak
Problem-Type   : local
Debian-specific: no
CVE Ids        : CAN-2003-0618

Paul Szabo discovered a number of similar bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.

For the current stable distribution (woody) this problem has been fixed in version 5.6.1-8.6.

For the unstable distribution, this problem will be fixed soon. Refer to Debian bug #220486.

We recommend that you update your perl package if you have the "perl-suid" package installed.
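
The check implied by this recommendation, as an added example that is not part of the original advisory: it reports whether perl-suid is installed and older than the fixed woody version 5.6.1-8.6. The function names and the sample inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a host still needs the DSA 431-1 update.
FIXED="5.6.1-8.6"   # fixed woody version, from the advisory text

# version_lt A B: succeed if version A sorts before version B.
# Prefers dpkg's own comparison; the `sort -V` fallback is an assumption
# that holds for plain versions like these (no epoch, no '~').
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# Reads "<package> <want> <flag> <state> <version>" lines on stdin and
# prints: not-installed | vulnerable | fixed
perl_suid_verdict() {
    verdict="not-installed"
    while read -r pkg want flag state ver; do
        [ "$pkg" = "perl-suid" ] || continue
        # "config-files" etc. means the setuid helper is no longer on disk.
        [ "$state" = "installed" ] || continue
        if version_lt "$ver" "$FIXED"; then
            verdict="vulnerable"
        else
            verdict="fixed"
        fi
    done
    echo "$verdict"
}

# Constructed sample inventory (not real output from any host).
sample_inventory() {
    printf '%s\n' \
        'perl install ok installed 5.6.1-8.5' \
        'perl-suid install ok installed 5.6.1-8.5'
}

sample_inventory | perl_suid_verdict

# On a live system, feed it real data instead:
#   dpkg-query -W -f='${Package} ${Status} ${Version}\n' perl-suid 2>/dev/null | perl_suid_verdict
```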

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------



