Gentoo Forums
[ GLSA 200502-13 ] Perl: Vulnerabilities in perl-suid wrapper
GLSA
Posted: Fri Feb 11, 2005 9:17 pm    Post subject: [ GLSA 200502-13 ] Perl: Vulnerabilities in perl-suid wrapper

Gentoo Linux Security Advisory

Title: Perl: Vulnerabilities in perl-suid wrapper (GLSA 200502-13)
Severity: high
Exploitable: local
Date: February 11, 2005
Bug(s): #80460
ID: 200502-13

Synopsis

Vulnerabilities leading to file overwriting and code execution with elevated privileges have been discovered in the perl-suid wrapper.

Background

Perl is a stable, cross-platform programming language created by Larry Wall. The perl-suid wrapper allows the use of setuid perl scripts, i.e. user-callable Perl scripts which have elevated privileges. This function is enabled only if you have the perlsuid USE flag set.

Affected Packages

Package: dev-lang/perl
Vulnerable: < 5.8.6-r3
Unaffected: >= 5.8.6-r3
Unaffected: >= 5.8.5-r4 < 5.8.6
Unaffected: >= 5.8.4-r3 < 5.8.5
Unaffected: >= 5.8.2-r3 < 5.8.3
Architectures: All supported architectures


Description

perl-suid scripts honor the PERLIO_DEBUG environment variable and write to the file it names with elevated privileges (CAN-2005-0155). Furthermore, calling a perl-suid script with a very long path while PERLIO_DEBUG is set could trigger a buffer overflow (CAN-2005-0156).

Impact

A local attacker could set the PERLIO_DEBUG environment variable and call existing perl-suid scripts, resulting in file overwriting and potentially the execution of arbitrary code with root privileges.

Workaround

You are not vulnerable if you do not have the perlsuid USE flag set or do not use perl-suid scripts.

Resolution

All Perl users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose dev-lang/perl


References

CAN-2005-0155
CAN-2005-0156


Last edited by GLSA on Wed Jul 15, 2009 4:16 am; edited 3 times in total
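
An added example, not part of the GLSA or of Gentoo's tooling: a shell audit that applies the Affected Packages table and the Workaround condition above to a host. The function names, the X.Y.Z[-rN] version form and the use of Portage's installed-package database under /var/db/pkg are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a Gentoo host against GLSA 200502-13.
# Assumes versions of the form X.Y.Z[-rN] and Portage's installed-package
# database under /var/db/pkg; all function names are this example's own.

ver_key() {  # X.Y.Z[-rN] -> one integer that sorts like the version
    v=$1; rev=0
    case $v in *-r*) rev=${v##*-r}; v=${v%-r*} ;; esac
    IFS=. read -r maj min pat <<EOF
$v
EOF
    echo $(( ((maj * 1000 + min) * 1000 + ${pat:-0}) * 1000 + rev ))
}

in_range() {  # true if $k lies in [$1, $2)
    [ "$k" -ge "$(ver_key "$1")" ] && [ "$k" -lt "$(ver_key "$2")" ]
}

glsa_status() {  # classify a dev-lang/perl version per the Affected Packages table
    k=$(ver_key "$1")
    if [ "$k" -ge "$(ver_key 5.8.6-r3)" ] || in_range 5.8.5-r4 5.8.6 ||
       in_range 5.8.4-r3 5.8.5 || in_range 5.8.2-r3 5.8.3
    then echo unaffected; else echo vulnerable; fi
}

has_perlsuid() {  # $1: a USE file from /var/db/pkg (lists enabled flags)
    tr -s ' \t' '\n\n' < "$1" | grep -qx perlsuid
}

suid_perl_scripts() {  # list setuid files under $1 whose shebang names perl
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q '^#!.*perl'; then
            printf '%s\n' "$f"
        fi
    done
}

# Report on the installed perl, if this is a Gentoo host (no-op elsewhere).
for u in /var/db/pkg/dev-lang/perl-[0-9]*/USE; do
    [ -f "$u" ] || continue
    d=${u%/USE}; pv=${d##*/perl-}
    if has_perlsuid "$u"; then flag=set; else flag=unset; fi
    printf 'perl %s: %s by version, perlsuid %s\n' "$pv" "$(glsa_status "$pv")" "$flag"
done
```

A host is exposed only when the version is classified vulnerable, perlsuid is set, and `suid_perl_scripts /` (run as root, once per mounted filesystem because of `-xdev`) lists at least one script.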