Does this affect us?

(1) HIGH: Perl Format String Vulnerability

Affected:
Perl versions 5.9.2 and 5.8.6 confirmed; potentially all Perl versions
Webmin version 1.23 and prior

Description: Perl is widely used as a scripting language for a variety of applications including web-based software. Perl contains a vulnerability that can be triggered by passing a format specifier of the form "%INT_MAXn". The vulnerability causes an integer variable in a Perl function to wrap around (change its parity) that can be exploited to execute arbitrary code. For instance, "%2147483647n" format specifier will trigger the flaw in Perl running on 32-bit Operating Systems. Note that the flaw can be exploited only via Perl-based applications that contain a format string vulnerability. The discoverers have reportedly found several applications that are vulnerable. One of the affected applications is Webmin, a web interface to perform administrative tasks like server and user configuration. Webmin's web server miniserv.pl, which runs on port 10000/tcp by default, contains a format string vulnerability. By passing a username containing a format specifier, an attacker can exploit the flaw to execute arbitrary code with possibly root privileges. Immunity, Inc. has made an exploit available to some of its customers.

Status: Some Linux vendors have released patches. The discoverers have also released an unofficial patch for version 5.9.2 that is available at: http://www.dyadsecurity.com/advisory/perl/perl-5.9.2-exp_parameter_intwrap_vulnerability. A workaround for the Webmin flaw is to block the traffic to port 10000/tcp at the network perimeter.

Council Site Actions: Most of the council sites are responding to this item on some level and plan to install patches as they are made available. Several sites have notified their web developers. One site requested updates from the 3rd party providers that bundle Perl with applications in use at their site.
Another site said that they have several Mandriva Linux systems running Webmin and plan to recommend that the affected system administrators apply the MDKSA-2005:223 update. These systems are used by a few dozen users. The remaining council sites commented they do not use Perl on any of their web servers.

References:
DyadSecurity Advisory
http://www.dyadsecurity.com/perl-0002.html
http://www.dyadsecurity.com/webmin-0001.html
Posting by giarc
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0001.html
Posting by Dave Aitel
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0015.html
Webmin miniserv.pl Documentation
http://www.dyadsecurity.com/webmin-0001.html
Webmin Homepage
http://www.webmin.com
SecurityFocus BID
http://www.securityfocus.com/bid/15629

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
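
The advisory notes that the Perl flaw is reachable only through applications that themselves contain a format string bug, such as a username reaching a formatting call. The sketch below is an added example, not part of the original post and not code from Webmin or Perl; it shows that application-level pattern beside its hardened form. The sub names and the log message are hypothetical, and the sample username is constructed with harmless conversions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern: the login name is interpolated into the string that
# sprintf/printf (or any wrapper built on them) parses as a format.
sub log_line_unsafe {
    my ($user) = @_;
    no warnings;    # silence "Missing argument" so the demo output stays readable
    return sprintf("Invalid login as $user");
}

# Hardened pattern: constant format, untrusted value passed as an argument.
sub log_line_safe {
    my ($user) = @_;
    return sprintf("Invalid login as %s", $user);
}

# For APIs that only accept one pre-built string and still treat it as a
# format: double every '%' so no conversion is ever parsed from user data.
sub escape_format {
    my ($text) = @_;
    (my $escaped = $text) =~ s/%/%%/g;
    return $escaped;
}

# Constructed sample input with harmless conversions (no %n).
my $username = 'alice%s%d';

print "unsafe : ", log_line_unsafe($username), "\n";
print "safe   : ", log_line_safe($username), "\n";
print "escaped: ", sprintf("Invalid login as " . escape_format($username)), "\n";
```

In the unsafe line sprintf consumes the %s and %d, so the logged name no longer matches what was sent; the other two lines keep the name verbatim. Auditing Perl code for formatting calls whose first argument contains an interpolated variable is a quick way to answer the question for locally written scripts.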