Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200512-01 ] Perl: Format string errors can lead to code execution
Date: Wed, 07 Dec 2005 20:38:43
Message-Id: 200512072114.19294.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200512-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Perl: Format string errors can lead to code execution
Date: December 07, 2005
Bugs: #114113
ID: 200512-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A fix is available for Perl to mitigate the effects of format string
programming errors that could otherwise be exploited to execute
arbitrary code.

Background
==========

Perl is a stable, cross-platform programming language created by Larry
Wall. It contains printf functions that allow construction of strings
from format specifiers and parameters, like the C printf functions. A
well-known class of vulnerabilities, called format string errors,
results from the improper use of the printf functions in C. Perl itself
is vulnerable to a limited form of format string errors through its own
sprintf function, especially through wrapper functions that call
sprintf (for example the syslog function) and by taking advantage of
Perl's powerful string expansion features, which go beyond the plain
format string specifiers.

Affected packages
=================

-------------------------------------------------------------------
     Package                      /  Vulnerable  /       Unaffected
-------------------------------------------------------------------
  1  dev-lang/perl                   < 5.8.7-r3           >= 5.8.7-r3
                                                         *>= 5.8.6-r8

Description
===========

Jack Louis discovered a new way to exploit format string errors in Perl
that could lead to the execution of arbitrary code. This is performed by
causing an integer wrap overflow in the efix variable inside the
function Perl_sv_vcatpvfn. The proposed fix closes that specific
exploitation vector to mitigate the risk of format string programming
errors in Perl. This fix does not remove the need to fix such errors in
Perl code.

Impact
======

Perl applications making improper use of printf functions (or derived
functions) using untrusted data may be vulnerable to the already-known
forms of Perl format string exploits and also to the execution of
arbitrary code.

Workaround
==========

Fix all misbehaving Perl applications so that they make proper use of
the printf and derived Perl functions.

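The misuse that the Background and Workaround sections describe, shown as an added example that is not part of the advisory: the untrusted value used as the format string itself, beside the corrected call where the format is a fixed literal and the value travels only as a %s argument. The script and its input are constructed here; format_login_unsafe, format_login_safe and log_login_safe are hypothetical names, and the commented-out syslog call refers to Sys::Syslog's syslog(priority, format, @args) interface.

```perl
#!/usr/bin/perl
# Added example, not part of the GLSA: the sprintf misuse the advisory
# warns about, beside its corrected form. All input values are constructed.
use strict;
use warnings;

# Constructed untrusted input, e.g. a username taken from a request.
# It carries '%' sequences only so the two behaviours are distinguishable.
my $untrusted = 'guest %s %d %%';

# Collect warnings so the script can report what sprintf complained about.
my @warnings;
local $SIG{__WARN__} = sub { push @warnings, $_[0] };

# WRONG: the untrusted value is interpolated into the format string, so Perl
# parses its '%' sequences as conversions and reaches for arguments that
# were never supplied. The same bug hides behind wrappers that build a
# format from caller data, such as a syslog() called with one argument.
sub format_login_unsafe {
    my ($user) = @_;
    return sprintf("Login for $user");
}

# RIGHT: the format is a fixed literal; the untrusted value only ever
# travels as a %s argument, so its '%' characters are copied verbatim.
sub format_login_safe {
    my ($user) = @_;
    return sprintf("Login for %s", $user);
}

# Same rule for a logging wrapper: constant format plus data arguments.
# Sys::Syslog's syslog(priority, format, @args) takes exactly this shape;
# the call itself is left commented out so the script runs without a
# syslog daemon.
sub log_login_safe {
    my ($user) = @_;
    # syslog('info', 'login: %s', $user);
    return ['info', 'login: %s', $user];
}

print "safe:   ", format_login_safe($untrusted), "\n";
print "unsafe: ", format_login_unsafe($untrusted), "\n";

# Under 'use warnings', the unsafe form emits "Missing argument in sprintf"
# for each conversion with no matching value. That warning in a log is a
# cheap detection signal that untrusted data has reached a format string.
print "warnings from the unsafe form:\n";
print "  $_" for @warnings;
```

The safe call reproduces the input verbatim ("Login for guest %s %d %%"), while the unsafe call consumes conversions that have no arguments and prints "Login for guest  0 %" together with two "Missing argument in sprintf" warnings. Auditing a code base for sprintf, printf and syslog calls whose first format argument is a variable rather than a literal finds the pattern the Workaround asks to fix.
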
Resolution
==========

All Perl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-lang/perl

References
==========

  [ 1 ] CVE-2005-3962
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962
  [ 2 ] Dyad Security Advisory
        http://www.dyadsecurity.com/perl-0002.html
  [ 3 ] Research on format string errors in Perl
        http://www.securityfocus.com/archive/1/418460/30/30

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200512-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0