Bugtraq mailing list archives

Re: sperl 5.00503 (and newer ;) exploit


From: Simon Cozens <simon () OTHERSIDEOFTHE EARTH LI>
Date: Mon, 7 Aug 2000 09:34:09 -0000

Michal Zalewski (lists.security):
> Requires: +s perl; bash, gcc, make, usleep (yup, usleep; it's not
> available on every system, but I have no time to rewrite everything in C;
> you can grab this code from RedHat distro or so) will be good... Don't
> mail me if you can't use it - it works.

Michal reported this to the perl5-porters last night, and I mailed him back
after a few minutes with a fix. (+10 points for contacting vendors in advance
of contacting Bugtraq, -5 points for not pointing out a fix is available. :)

That fix, which just crudely dykes out the /bin/mail code, is available at
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-08/msg00347.html
or, if you're desperate, here:

--- perl.c~     Sun Aug  6 22:08:32 2000
+++ perl.c      Sun Aug  6 22:10:13 2000
@@ -2851,6 +2851,7 @@
            if (tmpstatbuf.st_dev != PL_statbuf.st_dev ||
                tmpstatbuf.st_ino != PL_statbuf.st_ino) {
                (void)PerlIO_close(PL_rsfp);
+#ifdef DISGUSTINGLY_INSECURE
                if (PL_rsfp = PerlProc_popen("/bin/mail root","w")) {   /* heh, heh */
                    PerlIO_printf(PL_rsfp,
 "User %"Uid_t_f" tried to run dev %ld ino %ld in place of dev %ld ino %ld!\n\
@@ -2860,7 +2861,8 @@
                        CopFILE(PL_curcop),
                        PL_statbuf.st_uid, PL_statbuf.st_gid);
                    (void)PerlProc_pclose(PL_rsfp);
-               }
+               }
+#endif
                Perl_croak(aTHX_ "Permission denied\n");
            }
            if (
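Review bot: the `}` removed and re-added just before `#endif` reads the same on both lines, so it is a whitespace-only change riding along with the fix; drop it so this hunk adds only the `#endif`. The `#endif` would also be clearer with a trailing `/* DISGUSTINGLY_INSECURE */` comment, since its `#ifdef` sits in the previous hunk. Keeping `Perl_croak(aTHX_ "Permission denied\n");` outside the guard is right: the mismatch still aborts whether or not the macro is defined.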

Allow for a bit of fuzz if you're patching pre-5.6.0, and have a nice
day.

--
If I ever manage to lose the weight I put on in 18 months of be $PHB and
having no life, I am *really* going to have to go shopping for some
PVC. - Skud, the other place.
