[Security-team] Fwd: [USN-222-2] Perl vulnerability

Michael Shigorin mike at osdn.org.ua
Tue Dec 13 11:18:02 MSK 2005


	Hello.
Folks, does anyone happen to have a test lying around for the
additional issue that has come to light?

----- Forwarded message from Martin Pitt <martin.pitt/canonical.com> -----

Date: Mon, 12 Dec 2005 16:17:49 +0100
From: Martin Pitt <martin.pitt/canonical.com>
To: ubuntu-security-announce/lists.ubuntu.com
Subject: [USN-222-2] Perl vulnerability
Cc: full-disclosure/lists.grok.org.uk, bugtraq at securityfocus.com

===========================================================
Ubuntu Security Notice USN-222-2	  December 12, 2005
perl vulnerability
CVE-2005-3962
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libperl5.8
perl-base

The problem can be corrected by upgrading the affected package to
version 5.8.4-2ubuntu0.6 (for Ubuntu 4.10), 5.8.4-6ubuntu1.2 (for
Ubuntu 5.04), or 5.8.7-5ubuntu1.2 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-222-1 fixed a vulnerability in the Perl interpreter. It was
discovered that the version of USN-222-1 was not sufficient to handle
all possible cases of malformed input that could lead to arbitrary
code execution, so another update is necessary.

Original advisory:

  Jack Louis of Dyad Security discovered that Perl did not
  sufficiently check the explicit length argument in format strings.
  Specially crafted format strings with overly large length arguments
  led to a crash of the Perl interpreter or even to execution of
  arbitrary attacker-defined code with the privileges of the user
  running the Perl program.

  However, this attack was only possible in insecure Perl programs
  which use variables with user-defined values in string
  interpolations without checking their validity.


Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.2.diff.gz
      Size/MD5:    89318 a3a73738a8b8efd75aa182cd13fb1860
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.2.dsc
      Size/MD5:      744 1e017e411a53677367e87b8c3a4046d3
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4.orig.tar.gz
      Size/MD5: 12094233 912050a9cb6b0f415b76ba56052fb4cf

----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike at altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/
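
The quoted advisory limits exposure to Perl programs that let user-defined values reach a format string. As an added example (not part of the advisory or of this message), here is a heuristic, line-based Python audit that flags such printf/sprintf calls in Perl source. The function names and the Perl sample are constructed for illustration.

```python
import re

# printf/sprintf, optional "(", optional filehandle (STDERR, $fh, {$fh}),
# then whatever follows as the format argument.
_CALL = re.compile(
    r'\bs?printf\b\s*\(?\s*'
    r'(?:(?:[A-Z_][A-Z0-9_]*|\$\w+|\{[^}]*\})\s+(?=["\'$@]))?'
    r'(?P<fmt>.*)'
)
_DQ = re.compile(r'"((?:[^"\\]|\\.)*)"')  # double-quoted literal at start

def classify_format(fmt):
    """Return why the format argument is risky, or None if it is constant."""
    if fmt[:1] in ('$', '@'):
        return 'format is a variable'
    m = _DQ.match(fmt)
    if m:
        body = re.sub(r'\\.', '', m.group(1))  # drop \$ \@ \\ \n escapes
        if re.search(r'[$@][\w{]', body):
            return 'variable interpolated into format'
    return None  # single-quoted or interpolation-free literal

def find_risky_format_calls(perl_source):
    """Return (line number, reason) for each suspicious printf/sprintf."""
    findings = []
    for lineno, line in enumerate(perl_source.splitlines(), 1):
        if line.lstrip().startswith('#'):  # skip comment lines
            continue
        m = _CALL.search(line)
        reason = classify_format(m.group('fmt')) if m else None
        if reason:
            findings.append((lineno, reason))
    return findings

# Constructed Perl sample: lines 4 and 5 put user data into the format.
SAMPLE = r'''#!/usr/bin/perl
my $name = $ENV{QUERY_STRING};
printf("%s\n", $name);
printf($name);
printf STDERR "login failed for $name\n";
my $s = sprintf('%5d items', $count);
printf $log "user=%s\n", $name;
printf "cost \$%d\n", $count;
'''

if __name__ == '__main__':
    for lineno, reason in find_risky_format_calls(SAMPLE):
        print(f'line {lineno}: {reason}')
```

The fix for a flagged call is to keep the format constant and pass the value as an argument, as on line 3 of the sample. The scan does not follow multi-line calls or formats built by function calls.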


