Bugtraq mailing list archives

[USN-222-1] Perl vulnerability
From: Martin Pitt <martin.pitt () canonical com>
Date: Fri, 2 Dec 2005 14:23:20 +0100

===========================================================
Ubuntu Security Notice USN-222-1          December 02, 2005
perl vulnerability
CVE-2005-3962
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

perl-base

The problem can be corrected by upgrading the affected package to
version 5.8.4-2ubuntu0.5 (for Ubuntu 4.10), 5.8.4-6ubuntu1.1 (for
Ubuntu 5.04), or 5.8.7-5ubuntu1.1 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Jack Louis of Dyad Security discovered that Perl did not sufficiently
check the explicit length argument in format strings. Specially
crafted format strings with overly large length arguments led to a
crash of the Perl interpreter or even to execution of arbitrary
attacker-defined code with the privileges of the user running the Perl
program.

However, this attack was only possible in insecure Perl programs which
use variables with user-defined values in string interpolations
without checking their validity.


Updated packages for Ubuntu 4.10:


Updated packages for Ubuntu 5.04:


Updated packages for Ubuntu 5.10:


Attachment: signature.asc
Description: Digital signature
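
The insecure pattern described under "Details" above (a user-defined value interpolated into a format string), next to two ways of avoiding it, as an added example that is not part of the original advisory. Sub names and sample values are hypothetical, and the audit regex is a code-review heuristic, not a Perl parser.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory. Sub names and sample values are hypothetical.
use strict;
use warnings;

# Insecure: a user-defined value is interpolated into the FORMAT argument,
# so any '%' directive it contains is interpreted by sprintf.
sub log_line_insecure {
    my ($user) = @_;
    return sprintf("login failed for $user");
}

# Hardened: constant format; the untrusted value is passed only as data.
sub log_line_safe {
    my ($user) = @_;
    return sprintf("login failed for %s", $user);
}

# When a value must be embedded in a format string, neutralise '%' first.
sub escape_format {
    my ($text) = @_;
    (my $escaped = $text) =~ s/%/%%/g;
    return $escaped;
}

# Code-review heuristic: flag printf/sprintf calls whose format is a bare
# variable or a double-quoted string that interpolates one.
sub risky_format_call {
    my ($line) = @_;
    return $line =~ /\bs?printf\b\s*\(?\s*(?:[A-Z_]+\s+)?(?:[\$\@]\w+|"[^"]*[\$\@]\w+[^"]*")/ ? 1 : 0;
}

my $user = 'guest %d';    # constructed input containing a format directive
print log_line_insecure($user), "\n";    # directive interpreted (perl warns: missing argument)
print log_line_safe($user), "\n";        # value printed verbatim
print sprintf("note: " . escape_format($user)), "\n";

# Constructed source lines to audit.
for my $src ('printf("Hello $name\n");', 'printf("Hello %s\n", $name);', 'printf STDERR $msg;') {
    printf "%-32s %s\n", $src, risky_format_call($src) ? 'REVIEW' : 'ok';
}
```

Lines flagged REVIEW still need a human to decide whether the interpolated variable can carry user-defined data.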