Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[USN-44-1] perl information leak
From: Martin Pitt <martin.pitt () canonical com>
Date: Tue, 21 Dec 2004 11:27:13 +0100

===========================================================
Ubuntu Security Notice USN-44-1           December 21, 2004
perl vulnerabilities
CAN-2004-0452
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

perl-modules

The problem can be corrected by upgrading the affected package to
version 5.8.4-2ubuntu0.2. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

A race condition and possible information leak has been discovered in
Perl's File::Path::rmtree(). This function changes the permission of
files and directories before removing them to avoid problems with
wrong permissions. However, they were made readable and writable not
only for the owner, but for the entire world, which opened a race
condition and a possible information leak (if the actual removal of a
file/directory failed for some reason).

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.2.diff.gz
      Size/MD5:    57275 7c5bfeaebe727e706b2f5187a83ca30d
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.2.dsc
      Size/MD5:      727 f9f33d4fff77573d6dcf4b06bc360837
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4.orig.tar.gz
      Size/MD5: 12094233 912050a9cb6b0f415b76ba56052fb4cf

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/libcgi-fast-perl_5.8.4-2ubuntu0.2_all.deb
      Size/MD5:    36536 a00d1cd79825a29cb0711563b9c3e090
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-doc_5.8.4-2ubuntu0.2_all.deb
      Size/MD5:  7049930 0a95b9e57ea618a92c1d7dcf5f2acf68
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-modules_5.8.4-2ubuntu0.2_all.deb
      Size/MD5:  2181378 13957c0f2d39068891ec94c2b6ca8e21

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.2_amd64.deb
      Size/MD5:   605384 cf119880fc05c4f39b88020906853153
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.2_amd64.deb
      Size/MD5:     1030 f945f03d278b406e7002d7ca2a9daa7d
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.2_amd64.deb
      Size/MD5:   786796 04cec9bde93828ae970a50f0c17d742c
    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.2_amd64.deb
      Size/MD5:  3819858 e399fb65322565bea74b1c368376e0a9
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.2_amd64.deb
      Size/MD5:    32834 2fdd6630ed9734ecf52175317abd73bb
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.2_amd64.deb
      Size/MD5:  3834294 8c2bc2159adf44eaa11c00ed822dcbe2

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.2_i386.deb
      Size/MD5:   546846 c280e92bca69e4d35afec165f269548c
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.2_i386.deb
      Size/MD5:   494038 3bef54ba7fd432eaa2eb8f457bd76c16
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.2_i386.deb
      Size/MD5:   727156 7db0cb83924058566c96008473c62e48
    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.2_i386.deb
      Size/MD5:  3631004 fe315ecd0b69a9b36bc06b8fd4ce696a
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.2_i386.deb
      Size/MD5:    30814 2c399de025ab3beda085d2a1ccb53450
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.2_i386.deb
      Size/MD5:  3229768 4bb3ed09adcd85a543472aab7ca9225a

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.2_powerpc.deb
      Size/MD5:   560978 bf01c6b3573261f5b44aa20b75ac0747
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.2_powerpc.deb
      Size/MD5:     1032 c6b483f4ec3021bb9d198a566d017e86
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.2_powerpc.deb
      Size/MD5:   718122 f4b86a11865691a5aa54329530bac295
    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.2_powerpc.deb
      Size/MD5:  3817060 904ec3058d81e037e086c3eeb9a1cc39
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.2_powerpc.deb
      Size/MD5:    30560 47a80c652b51ce2042eeaa4ae5919346
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.2_powerpc.deb
      Size/MD5:  3477172 6412491bf1c5aad614efdf142daaf667

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • [USN-44-1] perl information leak Martin Pitt (Dec 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]