--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated perl packages fix security issues Advisory ID: FLSA:152845 Issue date: 2006-01-24 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2004-0452 CVE-2004-0976 CVE-2005-0155 CVE-2005-0156 CVE-2005-0448 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated perl packages that fix several security flaws are now available. Perl is a high-level programming language commonly used for system administration utilities and Web programming. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: An unsafe file permission bug was discovered in the rmtree() function in the File::Path module. The rmtree() function removes files and directories in an insecure manner, which could allow a local user to read or delete arbitrary files. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0452 to this issue. Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. The Common Vulner- abilities and Exposures project has assigned the name CVE-2004-0976 to this issue. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0155 to this issue. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. The Common Vulner- abilities and Exposures project has assigned the name CVE-2005-0448 to this issue. (This issue updates CVE-2004-0452). Users of perl are advised to upgrade to these packages which contain backported patches and are not vulnerable to these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152845 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/perl-5.6.1-38.0.7.3.3.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/perl-5.6.1-38.0.7.3.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/perl-CGI-2.752-38.0.7.3.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/perl-CPAN-1.59_54-38.0.7.3.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/perl-DB_File-1.75-38.0.7.3.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/perl-NDBM_File-1.75-38.0.7.3.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/perl-suidperl-5.6.1-38.0.7.3.3.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/perl-5.8.0-90.0.12.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/perl-5.8.0-90.0.12.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/perl-CGI-2.81-90.0.12.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/perl-CPAN-1.61-90.0.12.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/perl-DB_File-1.804-90.0.12.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/perl-suidperl-5.8.0-90.0.12.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/perl-5.8.3-17.4.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/perl-5.8.3-17.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/perl-suidperl-5.8.3-17.4.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/perl-5.8.3-19.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/perl-5.8.3-19.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/perl-suidperl-5.8.3-19.3.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- ac3b7161e09878545dc1e499ad4d1c1de5cf8a42 redhat/7.3/updates/i386/perl-5.6.1-38.0.7.3.3.legacy.i386.rpm d5d8c6c4b2b77fc14b0720dcad3c799f3dfdf759 redhat/7.3/updates/i386/perl-CGI-2.752-38.0.7.3.3.legacy.i386.rpm c0a405c744e2b047fefd9e189da08f84433538d4 redhat/7.3/updates/i386/perl-CPAN-1.59_54-38.0.7.3.3.legacy.i386.rpm 9380974623d1c7e9283823cc6a300c1486cb1052 redhat/7.3/updates/i386/perl-DB_File-1.75-38.0.7.3.3.legacy.i386.rpm 0b1c087c7aa5d97118e84e471fe154599104260f redhat/7.3/updates/i386/perl-NDBM_File-1.75-38.0.7.3.3.legacy.i386.rpm 28c36210be8c7207264fc2b55cdcedf7d1e4bb80 redhat/7.3/updates/i386/perl-suidperl-5.6.1-38.0.7.3.3.legacy.i386.rpm 41fe2199272ab4d601634650be781753d391d750 redhat/7.3/updates/SRPMS/perl-5.6.1-38.0.7.3.3.legacy.src.rpm d889ae85e1585e93aa76cd67edab80a2c1f0e076 redhat/9/updates/i386/perl-5.8.0-90.0.12.legacy.i386.rpm 0615bbecd89001917ef70e0a60f20d5c5c50a732 redhat/9/updates/i386/perl-CGI-2.81-90.0.12.legacy.i386.rpm 9b06404d6d324b322fc5f959d78d678e3dc823e9 redhat/9/updates/i386/perl-CPAN-1.61-90.0.12.legacy.i386.rpm 05234d09cec06556e3208efe95363bf3b07100d1 redhat/9/updates/i386/perl-DB_File-1.804-90.0.12.legacy.i386.rpm bfa538993bf4554703fd25dcb44e06a8aeb75484 redhat/9/updates/i386/perl-suidperl-5.8.0-90.0.12.legacy.i386.rpm d73eb66c03bf06bea9fb861c33de5bc0484e2b9f redhat/9/updates/SRPMS/perl-5.8.0-90.0.12.legacy.src.rpm 3211332bad74a6965dac37a726d46dba88adc226 fedora/1/updates/i386/perl-5.8.3-17.4.legacy.i386.rpm 156099d6f6f56bd1c8a0db137e2ee3c66104771e fedora/1/updates/i386/perl-suidperl-5.8.3-17.4.legacy.i386.rpm 3f5ffa320347a2cc9e98219a57a637da5e2b08f8 fedora/1/updates/SRPMS/perl-5.8.3-17.4.legacy.src.rpm 6c43d3e838f4edb74a120134455990725b589b89 fedora/2/updates/i386/perl-5.8.3-19.3.legacy.i386.rpm 561aa026e227438489430b8c245439fada4cc23f fedora/2/updates/i386/perl-suidperl-5.8.3-19.3.legacy.i386.rpm 56cd349370c7c83e9c25b8207dd114b5169898a9 fedora/2/updates/SRPMS/perl-5.8.3-19.3.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0452 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0976 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0155 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0156 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0448 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature