__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN perl Security Update for Red Hat (v.3) [RHSA-2005:881-8] December 20, 2005 23:00 GMT Number Q-083 [REVISED 17 Jan 2006] [REVISED 19 Jan 2006] [REVISED 29 Jun 2006] ______________________________________________________________________________ PROBLEM: An integer overflow bug was found in Perl's format string processor, a bug was discovered in the way Perl's File::Path::rmtree module removed directory trees, and several temporary file bugs were discovered in various Perl modules. PLATFORM: Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS, ES, WS (v. 3) Debian GNU/Linux 3.1 alias sarge SGI ProPack 3 Service Pack 6 for SGI Altix family of systems Perl 5.8.2 and earlier provided with: * HP Tru64 UNIX 5.1.B-3, 5.1B-2/PK4, 5.1A PK6 * HP Internet Express 6.3 & 6.4 for HP TRU64 UNIX * Tru64 UNIX Associated Products CD (APCD) for HP Tru64 UNIX v 5.1B-3 (BL25) and earlier. DAMAGE: It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. SOLUTION: Apply security patch. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. A local user must have write permissions to ASSESSMENT: any subdirectory of the tree to exploit this vulnerability. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-083.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2005-881.html ADDITIONAL LINK: Debian Security Advisory DSA-943-1 http://www.debian.org/security/2006/dsa-943 SGI Security Update #53, Number 20060101-01-U http://www.sgi.com/support/security/advisories.html Visit Hewlett-Packard Subscription Service for: HPSBTU02125 SSRT061105 rev. 1 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2004-0976 CVE-2005-0448 CVE-2005-3962 ______________________________________________________________________________ REVISION HISTORY: 01/17/2006 - added link to Debian Security Advisory DSA-943-1 that provides patches addressing this vulnerability. 01/19/2006 - added link to SGI Security Update #53, Patch 10258 for SGI ProPack 3 Service Pack 6. 06/29/2006 - revised to add a link to Hewlett-Packard HPSBTU02125 SSRT061105 rev. 1 for Perl 5.8.2 and earlier provided with: HP Tru64 UNIX 5.1.B-3, 5.1B-2/PK4, 5.1A PK6, HP Internet Express 6.3 & 6.4 for HP TRU64 UNIX, and Tru64 UNIX Associated Products CD (APCD) for HP Tru64 UNIX v 5.1B-3 (BL25) and earlier. [***** Start RHSA-2005:881-8 *****] perl security update Advisory: RHSA-2005:881-8 Type: Security Advisory Issued on: 2005-12-20 Last updated on: 2005-12-20 Affected Products: Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 3) CVEs (cve.mitre.org): CVE-2004-0976 CVE-2005-0448 CVE-2005-3962 Details Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script wich passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. (CVE-2005-0448) Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. (CVE-2004-0976) Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs. Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. Updated packages Red Hat Desktop (v. 3) SRPMS: perl-5.8.0-90.4.src.rpm     732162aa9a88b4779706cc1cc06344f9   IA-32: perl-5.8.0-90.4.i386.rpm     78177ebde77064068ebf925cc15b1d67 perl-CGI-2.89-90.4.i386.rpm     69441cfee13c7e04766f9e714b051a4b perl-CPAN-1.61-90.4.i386.rpm     92ac8571485d4e56c12b835483728737 perl-DB_File-1.806-90.4.i386.rpm     e629b861b7fcd2f917c421c79706682d perl-suidperl-5.8.0-90.4.i386.rpm     b113523d560d3c27923a09994c5b54e2   x86_64: perl-5.8.0-90.4.x86_64.rpm     e39a68b1ba815a6bb23c5bcb879c225e perl-CGI-2.89-90.4.x86_64.rpm     b1bf852ffa7a2957f6c11da02cc64952 perl-CPAN-1.61-90.4.x86_64.rpm     328cd2fe7d8280c2dea5fbccdcfb3686 perl-DB_File-1.806-90.4.x86_64.rpm     8ece4d9db534e25c98afdaa02b73aa1c perl-suidperl-5.8.0-90.4.x86_64.rpm     dabc256c1e23aeb09d88b74b90150f98   Red Hat Enterprise Linux AS (v. 3) SRPMS: perl-5.8.0-90.4.src.rpm     732162aa9a88b4779706cc1cc06344f9   IA-32: perl-5.8.0-90.4.i386.rpm     78177ebde77064068ebf925cc15b1d67 perl-CGI-2.89-90.4.i386.rpm     69441cfee13c7e04766f9e714b051a4b perl-CPAN-1.61-90.4.i386.rpm     92ac8571485d4e56c12b835483728737 perl-DB_File-1.806-90.4.i386.rpm     e629b861b7fcd2f917c421c79706682d perl-suidperl-5.8.0-90.4.i386.rpm     b113523d560d3c27923a09994c5b54e2   IA-64: perl-5.8.0-90.4.ia64.rpm     f3493073826f80edbfee6d980af7cc6a perl-CGI-2.89-90.4.ia64.rpm     c6dd319875d4b081955919c9f8b3eeba perl-CPAN-1.61-90.4.ia64.rpm     69b76323d8bc7f3f5b40763d4260c476 perl-DB_File-1.806-90.4.ia64.rpm     4031db198bf03d9410400124ef185dff perl-suidperl-5.8.0-90.4.ia64.rpm     7d14344fa92c85506b713c4b3551f19f   PPC: perl-5.8.0-90.4.ppc.rpm     20663b13234fad4e533a042c2ea2e078 perl-CGI-2.89-90.4.ppc.rpm     2a16d5691e90218ac70a810a436274e1 perl-CPAN-1.61-90.4.ppc.rpm     61992925635d3b993bd303076b692e0e perl-DB_File-1.806-90.4.ppc.rpm     4c8895c132b00d975df57ae618a8fd4a perl-suidperl-5.8.0-90.4.ppc.rpm     12c9bb78fa07b099d0bfc20900479c0a   s390: perl-5.8.0-90.4.s390.rpm     b59b220721d5a0824d67b4e7647ea735 perl-CGI-2.89-90.4.s390.rpm     6b6d19548c4c078dc64cf5060421109e perl-CPAN-1.61-90.4.s390.rpm     b51489ce07d5061c77f4ff14e872062b perl-DB_File-1.806-90.4.s390.rpm     185358bca8789230b8ab17cb2f591092 perl-suidperl-5.8.0-90.4.s390.rpm     c733e89e94050bd25aef942c388ecfab   s390x: perl-5.8.0-90.4.s390x.rpm     22004167b7eb049df997b40db9d0166a perl-CGI-2.89-90.4.s390x.rpm     bbc8d4d03248abb40557624e43ed3d3a perl-CPAN-1.61-90.4.s390x.rpm     99bdc9bbeb27e4c346afd02302723164 perl-DB_File-1.806-90.4.s390x.rpm     a9a0b5d9ff574a410c02caeac367df2c perl-suidperl-5.8.0-90.4.s390x.rpm     70b6d64902faeec8f6c14ecb50acc2e7   x86_64: perl-5.8.0-90.4.x86_64.rpm     e39a68b1ba815a6bb23c5bcb879c225e perl-CGI-2.89-90.4.x86_64.rpm     b1bf852ffa7a2957f6c11da02cc64952 perl-CPAN-1.61-90.4.x86_64.rpm     328cd2fe7d8280c2dea5fbccdcfb3686 perl-DB_File-1.806-90.4.x86_64.rpm     8ece4d9db534e25c98afdaa02b73aa1c perl-suidperl-5.8.0-90.4.x86_64.rpm     dabc256c1e23aeb09d88b74b90150f98   Red Hat Enterprise Linux ES (v. 3) SRPMS: perl-5.8.0-90.4.src.rpm     732162aa9a88b4779706cc1cc06344f9   IA-32: perl-5.8.0-90.4.i386.rpm     78177ebde77064068ebf925cc15b1d67 perl-CGI-2.89-90.4.i386.rpm     69441cfee13c7e04766f9e714b051a4b perl-CPAN-1.61-90.4.i386.rpm     92ac8571485d4e56c12b835483728737 perl-DB_File-1.806-90.4.i386.rpm     e629b861b7fcd2f917c421c79706682d perl-suidperl-5.8.0-90.4.i386.rpm     b113523d560d3c27923a09994c5b54e2   IA-64: perl-5.8.0-90.4.ia64.rpm     f3493073826f80edbfee6d980af7cc6a perl-CGI-2.89-90.4.ia64.rpm     c6dd319875d4b081955919c9f8b3eeba perl-CPAN-1.61-90.4.ia64.rpm     69b76323d8bc7f3f5b40763d4260c476 perl-DB_File-1.806-90.4.ia64.rpm     4031db198bf03d9410400124ef185dff perl-suidperl-5.8.0-90.4.ia64.rpm     7d14344fa92c85506b713c4b3551f19f   x86_64: perl-5.8.0-90.4.x86_64.rpm     e39a68b1ba815a6bb23c5bcb879c225e perl-CGI-2.89-90.4.x86_64.rpm     b1bf852ffa7a2957f6c11da02cc64952 perl-CPAN-1.61-90.4.x86_64.rpm     328cd2fe7d8280c2dea5fbccdcfb3686 perl-DB_File-1.806-90.4.x86_64.rpm     8ece4d9db534e25c98afdaa02b73aa1c perl-suidperl-5.8.0-90.4.x86_64.rpm     dabc256c1e23aeb09d88b74b90150f98   Red Hat Enterprise Linux WS (v. 3) SRPMS: perl-5.8.0-90.4.src.rpm     732162aa9a88b4779706cc1cc06344f9   IA-32: perl-5.8.0-90.4.i386.rpm     78177ebde77064068ebf925cc15b1d67 perl-CGI-2.89-90.4.i386.rpm     69441cfee13c7e04766f9e714b051a4b perl-CPAN-1.61-90.4.i386.rpm     92ac8571485d4e56c12b835483728737 perl-DB_File-1.806-90.4.i386.rpm     e629b861b7fcd2f917c421c79706682d perl-suidperl-5.8.0-90.4.i386.rpm     b113523d560d3c27923a09994c5b54e2   IA-64: perl-5.8.0-90.4.ia64.rpm     f3493073826f80edbfee6d980af7cc6a perl-CGI-2.89-90.4.ia64.rpm     c6dd319875d4b081955919c9f8b3eeba perl-CPAN-1.61-90.4.ia64.rpm     69b76323d8bc7f3f5b40763d4260c476 perl-DB_File-1.806-90.4.ia64.rpm     4031db198bf03d9410400124ef185dff perl-suidperl-5.8.0-90.4.ia64.rpm     7d14344fa92c85506b713c4b3551f19f   x86_64: perl-5.8.0-90.4.x86_64.rpm     e39a68b1ba815a6bb23c5bcb879c225e perl-CGI-2.89-90.4.x86_64.rpm     b1bf852ffa7a2957f6c11da02cc64952 perl-CPAN-1.61-90.4.x86_64.rpm     328cd2fe7d8280c2dea5fbccdcfb3686 perl-DB_File-1.806-90.4.x86_64.rpm     8ece4d9db534e25c98afdaa02b73aa1c perl-suidperl-5.8.0-90.4.x86_64.rpm     dabc256c1e23aeb09d88b74b90150f98   (The unlinked packages above are only available from the Red Hat Network) Bugs fixed (see bugzilla for more information) 123176 - [RFE] Need new perl rpm release that fixes threaded memory leak 135975 - Perl's 'study' function breaks regexp matching 136325 - CVE-2004-0976 temporary file vulnerabilities in Perl 137075 - Apparent utf8 bug in Perl's join() 145215 - garbage after split() 147946 - Man::Pod does not return true 161053 - CVE-2005-0448 perl File::Path.pm rmtree race condition 165078 - Broken POSIX in perl-5.8.0 166732 - 'split'/'index' problem for utf8 172160 - perl bug # 22372: SIGSEGV in sv_chop() 172256 - bits/resource.ph has syntax errors 172317 - (libperl) could not run system-config-printer 174717 - CVE-2005-3962 Perl integer overflow issue 175135 - Cannot set undef timeout in perl 5.8.0 IO::Socket References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0976 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962 These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/ Copyright © 2002-05 Red Hat, Inc. All rights reserved. Legal statement : Privacy statement : redhat.com Red Hat Network release 4.0.1 [***** End RHSA-2005:881-8 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) Q-073: IBM Tivoli Directory Server Vulnerability Q-074: Cumulative Security Update for Internet Explorer Q-075: Vulnerability in Windows Kernel Q-076: Sober.X (Y) To Download New Code On or After Jan. 6 Q-077: Citrix Vulnerability in Program Neighborhood Client Q-078: cURL Security Update Q-079: HP-UX Running Software Distributor Remote Unauthorized Access Q-081: netpbm Security Update Q-082: perl Security Update