__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                         INFORMATION BULLETIN

                 Updated Perl Packages Fix Security Issues
                    [Red Hat Advisory RHSA-2005:105-11]

February 8, 2005 18:00 GMT                                        Number P-122
[REVISED 14 Feb 2005]
[REVISED 22 Feb 2005]
[REVISED 11 Aug 2006]
______________________________________________________________________________

PROBLEM:       There are several security issues with Perl:
               1) A stack-based buffer overflow flaw in sperl, the Perl
                  setuid wrapper;
               2) A flaw in sperl which can cause debugging information to
                  be logged to arbitrary files.

PLATFORM:      Red Hat Desktop (v. 3) & (v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 3) & (v. 4)
               SGI ProPack 3 Service Pack 3

DAMAGE:        1) A local user could create a sperl executable script with a
                  carefully created path name, overflowing the buffer and
                  leading to root privilege escalation;
               2) By setting an environment variable, a local user could
                  cause sperl to create, as root, files with arbitrary
                  filenames, or append the debugging information to
                  existing files.

SOLUTION:      Upgrade to the appropriate packages.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. A local user could gain root access.
ASSESSMENT:
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-122.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2005:105-11
                     https://rhn.redhat.com/errata/RHSA-2005-105.html
 ADDITIONAL LINKS:   SGI Security Advisory Update #26, 20050202-01-U
                     http://www.sgi.com/support/security/advisories.html
                     Red Hat Security Advisory RHSA-2005:103-04
                     https://rhn.redhat.com/errata/RHSA-2005-103.html
                     Red Hat Security Advisory RHSA-2006:0605-6
                     https://rhn.redhat.com/errata/RHSA-2006-0605.html
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2005-0155
                     CAN-2005-0156
______________________________________________________________________________

REVISION HISTORY:
 02/14/2005 - added link to SGI Security Advisory Update #26, 20050202-01-U
              that provides a patch that includes updated SGI ProPack 3
              Service Pack 3 RPMs for the SGI Altix family of systems.
 02/22/2005 - revised to add a link to Red Hat Security Advisory
              RHSA-2005:103-04 for Red Hat Desktop (v. 4) and Red Hat
              Enterprise Linux AS, ES, WS (v. 4).
 08/11/2006 - revised to add a link to Red Hat Security Advisory
              RHSA-2006:0605-6 for Red Hat Desktop (v. 4) and Red Hat
              Enterprise Linux AS, ES, WS (v. 4).

[***** Start Red Hat Advisory RHSA-2005:105-11 *****]

Updated Perl packages fix security issues

Advisory:             RHSA-2005:105-11
Last updated on:      2005-02-07
Affected Products:    Red Hat Desktop (v. 3)
                      Red Hat Enterprise Linux AS (v. 3)
                      Red Hat Enterprise Linux ES (v. 3)
                      Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CAN-2005-0155
                      CAN-2005-0156

Security Advisory Details:

Updated Perl packages that fix several security issues are now available
for Red Hat Enterprise Linux 3.

Perl is a high-level programming language commonly used for system
administration utilities and Web programming.

Kevin Finisterre discovered a stack-based buffer overflow flaw in sperl,
the Perl setuid wrapper.
A local user could create a sperl executable script with a carefully
created path name, overflowing the buffer and leading to root privilege
escalation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0156 to this issue.

Kevin Finisterre discovered a flaw in sperl which can cause debugging
information to be logged to arbitrary files. By setting an environment
variable, a local user could cause sperl to create, as root, files with
arbitrary filenames, or append the debugging information to existing
files. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-0155 to this issue.

Users of Perl are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

Updated packages:

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
SRPMS:
perl-5.8.0-89.10.src.rpm                 a2cd9b5eae8853f8bf336ad63e304d9d
IA-32:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-CGI-2.81-89.10.i386.rpm             c3edc74d92002a36b1b5148027f55f34
perl-CPAN-1.61-89.10.i386.rpm            a3b61ea8cafa5243a8d46e5ab98e73bf
perl-DB_File-1.804-89.10.i386.rpm        58b85c5089fd027fb4a8cf905c8ec011
perl-suidperl-5.8.0-89.10.i386.rpm       4f5b8e750cccb89ae45bf4c98bc4cda7
x86_64:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-5.8.0-89.10.x86_64.rpm              8db0f4090e24987d0c8441bc7a51e279
perl-CGI-2.81-89.10.x86_64.rpm           df2aa650b197e77760f34f01e6b53531
perl-CPAN-1.61-89.10.x86_64.rpm          123bd96c68b24decf64225873e4d7b27
perl-DB_File-1.804-89.10.x86_64.rpm      b8c4afe9bb806c65b9dd38e3ba20c49a
perl-suidperl-5.8.0-89.10.x86_64.rpm     e1b1a5af0febb77cedcd523f13a8d129

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
perl-5.8.0-89.10.src.rpm                 a2cd9b5eae8853f8bf336ad63e304d9d
IA-32:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-CGI-2.81-89.10.i386.rpm             c3edc74d92002a36b1b5148027f55f34
perl-CPAN-1.61-89.10.i386.rpm            a3b61ea8cafa5243a8d46e5ab98e73bf
perl-DB_File-1.804-89.10.i386.rpm        58b85c5089fd027fb4a8cf905c8ec011
perl-suidperl-5.8.0-89.10.i386.rpm       4f5b8e750cccb89ae45bf4c98bc4cda7
IA-64:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-5.8.0-89.10.ia64.rpm                5a10e253f3f2157b4368075eccf54175
perl-CGI-2.81-89.10.ia64.rpm             05ea625a88b1e659b5a6880edac843c7
perl-CPAN-1.61-89.10.ia64.rpm            8724618846f36f99812357b454f7c55c
perl-DB_File-1.804-89.10.ia64.rpm        825c3f4ef53327a732378c949e1b147c
perl-suidperl-5.8.0-89.10.ia64.rpm       b324050c23db82bc43bc8a51ac2ac007
PPC:
perl-5.8.0-89.10.ppc.rpm                 2362025e5f6d031811ee22f74843fb94
perl-5.8.0-89.10.ppc64.rpm               91ba6731fee5562e06ba624d60398a57
perl-CGI-2.81-89.10.ppc.rpm              6e9457f9598a2e4e188533817b23e33a
perl-CPAN-1.61-89.10.ppc.rpm             ce29cbfa817b49b9a412be3f55615f45
perl-DB_File-1.804-89.10.ppc.rpm         102055d8cf74105148c5daceb28f1910
perl-suidperl-5.8.0-89.10.ppc.rpm        e3eba2620074e27bcb5fa946f4fd4777
s390:
perl-5.8.0-89.10.s390.rpm                1615bfaeed759172f02469c15c67f699
perl-CGI-2.81-89.10.s390.rpm             fa7f3cd690f121378b1672fdf8eef997
perl-CPAN-1.61-89.10.s390.rpm            318cdf1c55f23444c688955717466b74
perl-DB_File-1.804-89.10.s390.rpm        93274d0a1f1fd9b8dc0119d8b9b7b737
perl-suidperl-5.8.0-89.10.s390.rpm       3367fbba7b1e02c2b7d41c0f6fde0f3a
s390x:
perl-5.8.0-89.10.s390.rpm                1615bfaeed759172f02469c15c67f699
perl-5.8.0-89.10.s390x.rpm               f71c7397ad5802d3d13dd6b795f8e150
perl-CGI-2.81-89.10.s390x.rpm            a86fa1fa4f7f63ce00e156678f54e479
perl-CPAN-1.61-89.10.s390x.rpm           f9957856800d1d8693de6a621c32796c
perl-DB_File-1.804-89.10.s390x.rpm       c406fb5ed06667f7263e0faaf8cf7276
perl-suidperl-5.8.0-89.10.s390x.rpm      9a94ee60285209ed064915c19f8d59d7
x86_64:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-5.8.0-89.10.x86_64.rpm              8db0f4090e24987d0c8441bc7a51e279
perl-CGI-2.81-89.10.x86_64.rpm           df2aa650b197e77760f34f01e6b53531
perl-CPAN-1.61-89.10.x86_64.rpm          123bd96c68b24decf64225873e4d7b27
perl-DB_File-1.804-89.10.x86_64.rpm      b8c4afe9bb806c65b9dd38e3ba20c49a
perl-suidperl-5.8.0-89.10.x86_64.rpm     e1b1a5af0febb77cedcd523f13a8d129

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
SRPMS:
perl-5.8.0-89.10.src.rpm                 a2cd9b5eae8853f8bf336ad63e304d9d
IA-32:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-CGI-2.81-89.10.i386.rpm             c3edc74d92002a36b1b5148027f55f34
perl-CPAN-1.61-89.10.i386.rpm            a3b61ea8cafa5243a8d46e5ab98e73bf
perl-DB_File-1.804-89.10.i386.rpm        58b85c5089fd027fb4a8cf905c8ec011
perl-suidperl-5.8.0-89.10.i386.rpm       4f5b8e750cccb89ae45bf4c98bc4cda7
IA-64:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-5.8.0-89.10.ia64.rpm                5a10e253f3f2157b4368075eccf54175
perl-CGI-2.81-89.10.ia64.rpm             05ea625a88b1e659b5a6880edac843c7
perl-CPAN-1.61-89.10.ia64.rpm            8724618846f36f99812357b454f7c55c
perl-DB_File-1.804-89.10.ia64.rpm        825c3f4ef53327a732378c949e1b147c
perl-suidperl-5.8.0-89.10.ia64.rpm       b324050c23db82bc43bc8a51ac2ac007
x86_64:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-5.8.0-89.10.x86_64.rpm              8db0f4090e24987d0c8441bc7a51e279
perl-CGI-2.81-89.10.x86_64.rpm           df2aa650b197e77760f34f01e6b53531
perl-CPAN-1.61-89.10.x86_64.rpm          123bd96c68b24decf64225873e4d7b27
perl-DB_File-1.804-89.10.x86_64.rpm      b8c4afe9bb806c65b9dd38e3ba20c49a
perl-suidperl-5.8.0-89.10.x86_64.rpm     e1b1a5af0febb77cedcd523f13a8d129

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
perl-5.8.0-89.10.src.rpm                 a2cd9b5eae8853f8bf336ad63e304d9d
IA-32:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-CGI-2.81-89.10.i386.rpm             c3edc74d92002a36b1b5148027f55f34
perl-CPAN-1.61-89.10.i386.rpm            a3b61ea8cafa5243a8d46e5ab98e73bf
perl-DB_File-1.804-89.10.i386.rpm        58b85c5089fd027fb4a8cf905c8ec011
perl-suidperl-5.8.0-89.10.i386.rpm       4f5b8e750cccb89ae45bf4c98bc4cda7
IA-64:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-5.8.0-89.10.ia64.rpm                5a10e253f3f2157b4368075eccf54175
perl-CGI-2.81-89.10.ia64.rpm             05ea625a88b1e659b5a6880edac843c7
perl-CPAN-1.61-89.10.ia64.rpm            8724618846f36f99812357b454f7c55c
perl-DB_File-1.804-89.10.ia64.rpm        825c3f4ef53327a732378c949e1b147c
perl-suidperl-5.8.0-89.10.ia64.rpm       b324050c23db82bc43bc8a51ac2ac007
x86_64:
perl-5.8.0-89.10.i386.rpm                f223540941913b1d8b55568626028560
perl-5.8.0-89.10.x86_64.rpm              8db0f4090e24987d0c8441bc7a51e279
perl-CGI-2.81-89.10.x86_64.rpm           df2aa650b197e77760f34f01e6b53531
perl-CPAN-1.61-89.10.x86_64.rpm          123bd96c68b24decf64225873e4d7b27
perl-DB_File-1.804-89.10.x86_64.rpm      b8c4afe9bb806c65b9dd38e3ba20c49a
perl-suidperl-5.8.0-89.10.x86_64.rpm     e1b1a5af0febb77cedcd523f13a8d129

(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure that all previously released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages.
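The package list and the solution above leave an administrator two things to check: that the perl-suidperl package actually installed on each RHEL 3 host is at least 5.8.0-89.10, and that any RPM fetched by hand matches the MD5 sum listed for it (the GPG signature Red Hat mentions further down remains the authoritative check, and the host-side check only matters where the setuid wrapper package is installed at all). The following Python script is an added example, not part of the CIAC bulletin or of the Red Hat advisory. It embeds three checksum lines copied from the list above, uses constructed rpm -qa output as its sample input, and implements a simplified form of rpm's version comparison: epoch, tilde and caret handling are left out, which is an assumption of this example, but it does get the 89.9-versus-89.10 case right that a plain string comparison gets wrong.

```python
import hashlib
import re

# Version-release that carries the fix for Red Hat Enterprise Linux 3
# according to RHSA-2005:105-11 (taken from the package list above).
FIXED_VR = "5.8.0-89.10"

# Three "filename md5" lines copied from the advisory's package list.
# A real run would paste the whole list for the product and arch in use.
BULLETIN_LINES = """
perl-5.8.0-89.10.i386.rpm f223540941913b1d8b55568626028560
perl-suidperl-5.8.0-89.10.i386.rpm 4f5b8e750cccb89ae45bf4c98bc4cda7
perl-suidperl-5.8.0-89.10.x86_64.rpm e1b1a5af0febb77cedcd523f13a8d129
"""

# Constructed sample of `rpm -qa` output from a host still on the old build.
SAMPLE_RPM_QA = "perl-5.8.0-88.4\nperl-suidperl-5.8.0-88.4\nperl-CGI-2.81-88.4\n"


def parse_checksums(text):
    """Turn the advisory's 'file.rpm <md5>' lines into a {filename: md5} map."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+\.rpm)\s+([0-9a-fA-F]{32})\s*$", line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def verify_download(filename, data, table):
    """True only if the file is listed in the advisory and its MD5 matches.

    A file the advisory does not list is reported as unverified, not
    trusted.  The RPM's GPG signature (rpm --checksig) is the primary
    check; this is the secondary one the bulletin's hash list allows.
    """
    expected = table.get(filename)
    if expected is None:
        return False
    return hashlib.md5(data).hexdigest() == expected


def _segments(s):
    # rpm compares runs of digits numerically and runs of letters
    # lexically; any other character only separates segments.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.

    Epoch, tilde and caret rules of real rpm are omitted (assumption of
    this example); the rules kept are enough for the versions here.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """Compare 'version-release' strings the way rpm does.

    A plain string comparison would call release 89.9 newer than 89.10;
    rpm does not, and neither does this function.
    """
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    c = rpm_vercmp(iv, fv)
    if c != 0:
        return c > 0
    return rpm_vercmp(ir, fr) >= 0


_ARCH = r"(?:\.(?:i386|x86_64|ia64|ppc64|ppc|s390x|s390))?"


def assess_host(rpm_qa_output):
    """From `rpm -qa` output return (installed version-release, fixed?) for
    perl-suidperl.  The setuid wrapper ships only in that package, so a
    host without it is reported as (None, True): nothing to fix."""
    for line in rpm_qa_output.splitlines():
        m = re.match(r"^perl-suidperl-(\d\S*?-\S+?)" + _ARCH + r"$", line.strip())
        if m:
            vr = m.group(1)
            return vr, is_fixed(vr)
    return None, True


if __name__ == "__main__":
    vr, ok = assess_host(SAMPLE_RPM_QA)
    print("perl-suidperl %s: %s" % (vr, "fixed" if ok else "NOT fixed, update"))
    table = parse_checksums(BULLETIN_LINES)
    print("%d checksum entries parsed from the bulletin" % len(table))
```

On a real host the input comes from `rpm -qa` (or `rpm -q perl-suidperl`), and the downloaded RPMs are passed to verify_download as their bytes after `rpm --checksig` has been run on them. Where the setuid wrapper is not needed, leaving the perl-suidperl package uninstalled removes the exposed component entirely, which is the editor's suggestion rather than part of the advisory.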
To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

140227 - Potential insecurity in CGI.pm
146737 - CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156)

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0156

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat Advisory RHSA-2005:105-11 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-112: Updated less Package Fixes Security Issue
P-113: BIND Vulnerabilities
P-114: BIND: Self Check Failing
P-115: libpam-radius-auth
P-116: Apple Security Update for Mac OS X
P-117: UW-imapd Fails to Properly Authenticate Users When Using CRAM-MD5
P-118: IBM AIX 5.3 NIS Client Vulnerability
P-119: Cisco IP/VC Products Hard-Coded Community Strings
P-120: Eudora Email Vulnerability
P-121: Python XML-RPC Server Vulnerability