From: Mandrakelinux Security Team <security@linux-mandrake.com.>
To: [email protected]Subject: MDKSA-2005:031 - Updated perl packages fix multiple vulnerabilities
Message-Id: <E1CyeyL-0005EG-Hh@updates.mandrakesoft.com.>
Date: Tue, 08 Feb 2005 16:40:45 -0700
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: perl
Advisory ID: MDKSA-2005:031
Date: February 8th, 2005
Affected versions: 10.0, 10.1, 9.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________
Problem Description:
Jeroen van Wolffelaar discovered that the rmtree() function in the perl
File::Path module would remove directories in an insecure manner which
could lead to the removal of arbitrary files and directories via a
symlink attack (CAN-2004-0452).
Trustix developers discovered several insecure uses of temporary files
in many modules which could allow a local attacker to overwrite files
via symlink attacks (CAN-2004-0976).
"KF" discovered two vulnerabilities involving setuid-enabled perl
scripts. By setting the PERLIO_DEBUG environment variable and calling
an arbitrary setuid-root perl script, an attacker could overwrite
arbitrary files with perl debug messages (CAN-2005-0155). As well,
calling a setuid-root perl script with a very long path would cause a
buffer overflow if PERLIO_DEBUG was set, which could be exploited to
execute arbitrary files with root privileges (CAN-2005-0156).
The provided packages have been patched to resolve these problems.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0976http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0155http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0156
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
03ef7fbe398819df299c12b60037452e 10.0/RPMS/perl-5.8.3-5.3.100mdk.i586.rpm
8c660b1461a18ea5d4115ce97d919400 10.0/RPMS/perl-base-5.8.3-5.3.100mdk.i586.rpm
4cea2d8402078460a305a2d5b35ded3f 10.0/RPMS/perl-devel-5.8.3-5.3.100mdk.i586.rpm
521c1c2a42672a5d8f59dd372a274427 10.0/RPMS/perl-doc-5.8.3-5.3.100mdk.i586.rpm
68a64ab9524c8494b9cafe243ca4207a 10.0/SRPMS/perl-5.8.3-5.3.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
6ef2826a08789b5a5818a87d5964a1a2 amd64/10.0/RPMS/perl-5.8.3-5.3.100mdk.amd64.rpm
c473bbbfec6d07ef351c5d2e755d873f amd64/10.0/RPMS/perl-base-5.8.3-5.3.100mdk.amd64.rpm
736ec557782c41dd5e43a2ff31d0cc3e amd64/10.0/RPMS/perl-devel-5.8.3-5.3.100mdk.amd64.rpm
a9ed51fa1e678f7481c74fc65c886f44 amd64/10.0/RPMS/perl-doc-5.8.3-5.3.100mdk.amd64.rpm
68a64ab9524c8494b9cafe243ca4207a amd64/10.0/SRPMS/perl-5.8.3-5.3.100mdk.src.rpm
Mandrakelinux 10.1:
dc0072b42ada389f8d948435fb44337b 10.1/RPMS/perl-5.8.5-3.3.101mdk.i586.rpm
1e0c9f3256ff487d95011253abcac637 10.1/RPMS/perl-base-5.8.5-3.3.101mdk.i586.rpm
ff2ff682b097c8ce91d989858cfe87fc 10.1/RPMS/perl-devel-5.8.5-3.3.101mdk.i586.rpm
d2a4f038e99b1742b5e427eb508735c6 10.1/RPMS/perl-doc-5.8.5-3.3.101mdk.i586.rpm
6421bbaac9c9260c34f1503699a9c06d 10.1/SRPMS/perl-5.8.5-3.3.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
48e3ca61e5cdb1fdb6ab167368de39dd x86_64/10.1/RPMS/perl-5.8.5-3.3.101mdk.x86_64.rpm
f105736fca96d67e29fedbed60e493d5 x86_64/10.1/RPMS/perl-base-5.8.5-3.3.101mdk.x86_64.rpm
a4d842d0548a9cd8b37ac95bdc3cf76f x86_64/10.1/RPMS/perl-devel-5.8.5-3.3.101mdk.x86_64.rpm
c994694b34389bbd2f8f31a5a0912abd x86_64/10.1/RPMS/perl-doc-5.8.5-3.3.101mdk.x86_64.rpm
6421bbaac9c9260c34f1503699a9c06d x86_64/10.1/SRPMS/perl-5.8.5-3.3.101mdk.src.rpm
Corporate Server 2.1:
80ab375d58e13144188efb18d823be02 corporate/2.1/RPMS/perl-5.8.0-14.4.C21mdk.i586.rpm
1669ef10de0c263de5bcb1a6291b80e6 corporate/2.1/RPMS/perl-base-5.8.0-14.4.C21mdk.i586.rpm
b670e055bce7ec7c3cf9fed4c0a1b0bb corporate/2.1/RPMS/perl-devel-5.8.0-14.4.C21mdk.i586.rpm
c6d3731abbbab36836a10098eec45632 corporate/2.1/RPMS/perl-doc-5.8.0-14.4.C21mdk.i586.rpm
7320d6f6b55b6072b84adce5e8c24564 corporate/2.1/SRPMS/perl-5.8.0-14.4.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
79543c5e27e4fad31b70c3b1f9f78c3e x86_64/corporate/2.1/RPMS/perl-5.8.0-14.4.C21mdk.x86_64.rpm
df4d687f5974bc8aec71943f916b55e4 x86_64/corporate/2.1/RPMS/perl-base-5.8.0-14.4.C21mdk.x86_64.rpm
6e235994ebfd3d140b0a98a6ced85600 x86_64/corporate/2.1/RPMS/perl-devel-5.8.0-14.4.C21mdk.x86_64.rpm
c3e96a04b20424b4034c38e871110c43 x86_64/corporate/2.1/RPMS/perl-doc-5.8.0-14.4.C21mdk.x86_64.rpm
7320d6f6b55b6072b84adce5e8c24564 x86_64/corporate/2.1/SRPMS/perl-5.8.0-14.4.C21mdk.src.rpm
Corporate 3.0:
3ec85cecac7c9311d84808c4d606fad5 corporate/3.0/RPMS/perl-5.8.3-5.3.C30mdk.i586.rpm
eeb15059224b10ea1e38e7c295238ba2 corporate/3.0/RPMS/perl-base-5.8.3-5.3.C30mdk.i586.rpm
2725bd3ff3a4879e92e2a837d31d371f corporate/3.0/RPMS/perl-devel-5.8.3-5.3.C30mdk.i586.rpm
83800acb6dff62a0283a4f4a63748769 corporate/3.0/RPMS/perl-doc-5.8.3-5.3.C30mdk.i586.rpm
76f2ba5789d07ada7629f3fb4555214c corporate/3.0/SRPMS/perl-5.8.3-5.3.C30mdk.src.rpm
Corporate 3.0/X86_64:
6f9cbbbecbd93e0a69f90b87911b975c x86_64/corporate/3.0/RPMS/perl-5.8.3-5.3.C30mdk.x86_64.rpm
db36c037cd22e733423ee210dae671fe x86_64/corporate/3.0/RPMS/perl-base-5.8.3-5.3.C30mdk.x86_64.rpm
abb4772f920cc0d2776dfda4e61f7f37 x86_64/corporate/3.0/RPMS/perl-devel-5.8.3-5.3.C30mdk.x86_64.rpm
7e2303ef39f8a35616cd3ee646faf224 x86_64/corporate/3.0/RPMS/perl-doc-5.8.3-5.3.C30mdk.x86_64.rpm
76f2ba5789d07ada7629f3fb4555214c x86_64/corporate/3.0/SRPMS/perl-5.8.3-5.3.C30mdk.src.rpm
Mandrakelinux 9.2:
e20db560fd730715e15dfa8b86bdf64e 9.2/RPMS/perl-5.8.1-0.RC4.3.3.92mdk.i586.rpm
8b35db60de2b45267e2e7d6b5c91e9c5 9.2/RPMS/perl-base-5.8.1-0.RC4.3.3.92mdk.i586.rpm
938d58ea9c9a14b4562da53f65e6b98d 9.2/RPMS/perl-devel-5.8.1-0.RC4.3.3.92mdk.i586.rpm
826927185050c8390c260ea68e7c9b28 9.2/RPMS/perl-doc-5.8.1-0.RC4.3.3.92mdk.i586.rpm
42336c6aa22474e11e49da1334c01415 9.2/SRPMS/perl-5.8.1-0.RC4.3.3.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
7b90163d3bc050172ef2b962367944f7 amd64/9.2/RPMS/perl-5.8.1-0.RC4.3.3.92mdk.amd64.rpm
3c9e8c95c1d3637111f88924798acfb1 amd64/9.2/RPMS/perl-base-5.8.1-0.RC4.3.3.92mdk.amd64.rpm
28644f1effa1ecd3d4e8dcbc28d56e38 amd64/9.2/RPMS/perl-devel-5.8.1-0.RC4.3.3.92mdk.amd64.rpm
89b774253bad6f9513685eab214680aa amd64/9.2/RPMS/perl-doc-5.8.1-0.RC4.3.3.92mdk.amd64.rpm
42336c6aa22474e11e49da1334c01415 amd64/9.2/SRPMS/perl-5.8.1-0.RC4.3.3.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCCU39mqjQ0CJFipgRAvtbAJ4uFC7w+tZkJWt64S1mQ1dg3SpC6wCg8ff3
hUKmRIv57Eq+S1qE0y6zWyM=
=nw1w
-----END PGP SIGNATURE-----