On Fri, 9 Dec 2005, John Dalbec wrote: > Does this affect us? > > (1) HIGH: Perl Format String Vulnerability > Affected: > Perl versions 5.9.2 and 5.8.6 confirmed; potentially all Perl versions > Webmin version 1.23 and prior > > Description: Perl is widely used as a scripting language for a variety > of applications including web-based software. Perl contains a > vulnerability that can be triggered by passing a format specifier of the > form "%INT_MAXn". The vulnerability causes an integer variable in a Perl > function to wrap around (change its parity) that can be exploited to > execute arbitrary code. For instance, "%2147483647n" format specifier > will trigger the flaw in Perl running on 32-bit Operating Systems. Note > that the flaw can be exploited only via Perl-based applications that > contain a format string vulnerability. The discoverers have reportedly > found several applications that are vulnerable. > <<snip>> We are indeed vulnerable to this. As Pavel Kankovsky pointed out, RHL 7.3 is not likely vulnerable. But RHL 9, FC1 & FC2 appear to be vulnerable to this. This affects webmin as well, but we do not support webmin. Red Hat has issued updated packages for FC3, FC4, RHEL 3, and RHEL 4. >From RHEL-3's announcement: "An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script wich passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue." References: * CVE-2005-3962 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962 * FEDORA-2005-1145 (FC3) http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00043.html (which is updated by FEDORA-2005-1149 @ http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00050.html). * FEDORA-2005-1144 (FC4) http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00042.html * RHSA-2005:881 (RHEL3) http://rhn.redhat.com/errata/RHSA-2005-881.html * RHSA-2005:880 (RHEL4) http://rhn.redhat.com/errata/RHSA-2005-880.html > References: > DyadSecurity Advisory > http://www.dyadsecurity.com/perl-0002.html > http://www.dyadsecurity.com/webmin-0001.html > Posting by giarc > http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0001.html > Posting by Dave Aitel > http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0015.html > Webmin miniserv.pl Documentation > http://www.dyadsecurity.com/webmin-0001.html > Webmin Homepage > http://www.webmin.com > SecurityFocus BID > http://www.securityfocus.com/bid/15629 -- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list