SuSE alert: suidperl (perl)

Posted by dave on Aug 10, 2000 2:36 AM EDT

suidperl is the perl interpreter for suid perl scripts, a part of the perl package. A maliciously implemented feature causes the interpreter to spawn the /bin/mail program to inform the superuser of its usage, thereby passing on untrusted environment that causes /bin/mail to execute arbitrary commands as user root.



                        SuSE Security Announcement

        Package: perl, all versions
        Date: Thursday, August 10th, 2000
        Affected SuSE versions: 6.0-6.4, 7.0
        Vulnerability Type: local root compromise
        Severity (1-10): 5
        SuSE default package: yes, but not configured exploitable.
        Other affected systems: all linux systems using this package

    Content of this advisory:
        1) security vulnerability resolved: suidperl (local root compromise)
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, temporary workarounds
        3) standard appendix (further information)


1) problem description, brief discussion, solution, upgrade information

    suidperl is the perl interpreter for suid perl scripts, a part of the
    perl package. A maliciously implemented feature causes the interpreter
    to spawn the /bin/mail program to inform the superuser of its usage,
    thereby passing on untrusted environment that causes /bin/mail to
    execute arbitrary commands as user root.

    SuSE distributions are not susceptible to this problem because
    /usr/bin/suidperl is mode 755 (not suid) by default. Administrators
    must explicitly have enabled suidperl by changing the permission modes
    of the interpreter to 4755 root.root (suid root) for the exploit
    mechanism to work.
    In SuSE-Linux, activating suidperl is done by changing one of the
    files /etc/permissions.(easy|secure) and running SuSEconfig or
    `chkstat -set /etc/permissions.(easy|secure)', alternatively,
    depending on the setting of PERMISSION_SECURITY in /etc/rc.config.
    If SuSEconfig is turned off completely, the administrator of the
    system is obliged to change the permission modes by hand.
    The decision to not activate suidperl has been made because
    security problems were expected in the wild.
    O/S vendors have provided updated packages for both suidperl and
    mailx, the package containing /bin/mail. Basically, /bin/mail's
    features are not the origin of the security hole because the
    hostile environment is passed on by the suidperl interpreter,
    despite the fact that the interpreter runs suid root.

    Note: The upcoming SuSE-7.0 distribution _is_ vulnerable to the
          problem of this advisory if /usr/bin/suidperl is setuid root.
          However, suidperl is installed with mode 755 after the
          installation like in older SuSE Linux distributions and
          therefore can't be exploited without prior manual activation
          of suidperl by the system administrator.
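
    An audit of the condition described above, as an added example that is
    not part of the SuSE advisory: it reports whether the interpreter carries
    the setuid bit and which mode the permissions files would apply. The
    "<path> <owner>.<group> <mode>" line format and all function names are
    assumptions.

```shell
#!/bin/sh
# Added example: is suidperl setuid now, or configured to become setuid?
# Paths are the ones named in the advisory. The permissions line format
# "<path> <owner>.<group> <mode>" is an assumption.
SUIDPERL=${SUIDPERL:-/usr/bin/suidperl}

# Print "absent", "setuid" or "not-setuid" for the file in $1.
suid_state() {
    if [ ! -e "$1" ]; then echo absent
    elif [ -u "$1" ]; then echo setuid
    else echo not-setuid
    fi
}

# Print the mode configured for path $2 in permissions file $1
# (the last matching entry wins), or "none" if there is no entry.
configured_mode() {
    awk -v p="$2" '
        $1 ~ /^#/ { next }                 # skip comment lines
        $1 == p && NF >= 3 { m = $3 }
        END { print (m == "" ? "none" : m) }
    ' "$1"
}

# Return 0 if the octal mode string in $1 has the setuid bit (04000) set.
mode_has_suid() {
    case "$1" in
        *[!0-7]*|"") return 1 ;;           # not an octal mode
    esac
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

audit() {
    echo "$SUIDPERL: $(suid_state "$SUIDPERL")"
    ls -ldn "$SUIDPERL" 2>/dev/null || true    # numeric owner; uid 0 is root
    for f in /etc/permissions.easy /etc/permissions.secure; do
        [ -r "$f" ] || continue
        m=$(configured_mode "$f" "$SUIDPERL")
        if mode_has_suid "$m"; then
            echo "$f: mode $m sets the setuid bit when permissions are applied"
        else
            echo "$f: configured mode: $m"
        fi
    done
}

audit
```

    A "setuid" result with numeric owner 0 is the configuration the advisory
    describes as exploitable.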

    SuSE provides an updated package for the vulnerable software. It is
    strongly recommended to upgrade to the latest version found on our
    ftp server as described below. The package removes the mail
    notification and uses the syslog facility (priority warning) instead.

    Choose one of the following paths to download the package from our
    ftp server and install the package with the command `rpm -Fhv file.rpm'.
    The md5sum for each file is in the line below.
    You can verify the integrity of the rpm files using the command
        `rpm --checksig --nogpg file.rpm', independently from the md5
    signatures below.

    i386 Intel Platform:

      source rpm:

      source rpm:

      source rpm:

      source rpm:

      source rpm:

    AXP Alpha Platform:
      source rpm:
      source rpm:
      source rpm:

    PPC Power PC Platform:
      source rpm:


2) Pending vulnerabilities in SuSE Distributions and Workarounds

    This section addresses currently known vulnerabilities in Linux/Unix
    systems that have not been resolved up to the release date of this

    - Netscape, versions from 3.0 to 4.73:

        The latest version of Netscape is currently being tested. SuSE
        Netscape rpms contain efficient workarounds against some "morbid"
        properties of Netscape in order to provide stable packages.
        These additions are being reworked right now.
        Also, cryptographical software export regulations require us to
        wait for the permission to redistribute the netscape package from
        our US-American ftp server.
        There are currently two known vulnerabilities in Netscape versions
        from 3.0 to 4.73:
            a) a buffer overflow in the jpeg image handling code
            b) a security flaw in Netscape's Java implementation
        a) has been fixed in Netscape version 4.74. Updated packages
        from SuSE will follow very soon.
        Temporary fix/workaround:
            problem a) Turn off automatic image loading and do not
                       click on images to trigger the download. This may
                       be a fairly unsatisfying solution.
            problem b) Turn off Java and JavaScript.

    - ntop

        ntop is a network statistics visualization utility which offers
        graphical analysis of network traffic and other statistics with
        a web browser. By default, ntop listens on port 3000 and requires
        no or a commonly known authentication password to view the data.
        ntop is only installed in network server selections and is not
        activated by default in SuSE Linux installations.
        The ntop packages shipped with SuSE Linux did not exhibit the
        unsafe behaviour when a file like /../../etc/passwd is referenced.

3) standard appendix:

    SuSE runs two security mailing lists to which any interested party may
        - general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
        - SuSE's announce-only mailing list.
            Only SuSE's security announcements are sent to this list.
            To subscribe, send an email to

    For general information or the frequently asked questions (faq)
    send mail to:
        <> or
        <> respectively.

    SuSE's security contact is <>.

Roman Drahtmüller.
- --
 - -
| Roman Drahtmüller <> // "Caution: Cape does |
  SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
 - -

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <>


