[Security-team] Fwd: [USN-222-2] Perl vulnerability
Michael Shigorin
mike at osdn.org.ua
Tue Dec 13 11:18:02 MSK 2005
Hello.
Folks, does anyone happen to have a test lying around for the
additionally discovered issue?
----- Forwarded message from Martin Pitt <martin.pitt/canonical.com> -----
Date: Mon, 12 Dec 2005 16:17:49 +0100
From: Martin Pitt <martin.pitt/canonical.com>
To: ubuntu-security-announce/lists.ubuntu.com
Subject: [USN-222-2] Perl vulnerability
Cc: full-disclosure/lists.grok.org.uk, bugtraq at securityfocus.com
===========================================================
Ubuntu Security Notice USN-222-2 December 12, 2005
perl vulnerability
CVE-2005-3962
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
libperl5.8
perl-base
The problem can be corrected by upgrading the affected package to
version 5.8.4-2ubuntu0.6 (for Ubuntu 4.10), 5.8.4-6ubuntu1.2 (for
Ubuntu 5.04), or 5.8.7-5ubuntu1.2 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.
Details follow:
USN-222-1 fixed a vulnerability in the Perl interpreter. It was
discovered that the version of USN-222-1 was not sufficient to handle
all possible cases of malformed input that could lead to arbitrary
code execution, so another update is necessary.
Original advisory:
Jack Louis of Dyad Security discovered that Perl did not
sufficiently check the explicit length argument in format strings.
Specially crafted format strings with overly large length arguments
led to a crash of the Perl interpreter or even to execution of
arbitrary attacker-defined code with the privileges of the user
running the Perl program.
However, this attack was only possible in insecure Perl programs
which use variables with user-defined values in string
interpolations without checking their validity.
Updated packages for Ubuntu 5.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.2.diff.gz
Size/MD5: 89318 a3a73738a8b8efd75aa182cd13fb1860
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-6ubuntu1.2.dsc
Size/MD5: 744 1e017e411a53677367e87b8c3a4046d3
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4.orig.tar.gz
Size/MD5: 12094233 912050a9cb6b0f415b76ba56052fb4cf
----- End forwarded message -----
--
---- WBR, Michael Shigorin <mike at altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
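
The advisory ties exploitation to programs that let user-defined values reach a format string. As an added example (not part of the advisory or of the original mail; the function names and sample source lines are constructed for illustration), the Perl below shows the hardened calling pattern and a heuristic scan that flags the risky one for manual review:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hardened form: the format string is a constant and the untrusted value is
# passed only as an argument, so any '%' it contains is printed literally.
sub format_status {
    my ($value) = @_;
    return sprintf('Status: %s', $value);
}

# When untrusted text has to be embedded in a format string, double every '%'
# so that it can no longer introduce a conversion.
sub escape_for_format {
    my ($value) = @_;
    (my $escaped = $value) =~ s/%/%%/g;
    return $escaped;
}

# Heuristic audit: return the numbers of lines where printf/sprintf receives
# a bare variable as its format, or a double-quoted format that interpolates
# a variable. Formats built by concatenation are not detected.
sub find_risky_format_calls {
    my (@lines) = @_;
    my @hits;
    for my $i (0 .. $#lines) {
        my $line = $lines[$i];
        next if $line =~ /^\s*#/;    # skip comment lines
        next unless $line =~ /\bs?printf\b\s*\(?\s*(?:[A-Z_]+\s+|\$\w+\s+(?=["']))?(.*)/;
        my $format = $1;             # text starting at the format argument
        push @hits, $i + 1
            if $format =~ /^[\$\@]/                            # variable as format
            || $format =~ /^"(?:[^"\\]|\\.)*?[\$\@][\w{]/;     # interpolation
    }
    return @hits;
}

# Constructed sample source lines (not taken from any real program).
my @sample = (
    'printf("Status: $status\n");',          # value interpolated into format
    'printf("Status: %s\n", $status);',      # constant format
    'my $msg = sprintf($template, $n);',     # variable used as the format
    'printf STDERR "%d items\n", $count;',   # constant format, filehandle
    'printf $log "Total: \$%d\n", $total;',  # escaped dollar sign, constant
);

print "Risky format call on sample line $_\n" for find_risky_format_calls(@sample);
print format_status('100% done'), "\n";
print escape_for_format('100% done'), "\n";
```

The scan is a review aid for finding code that matches the precondition the advisory describes; installing the fixed packages is still required.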