From: Mandriva Security Team <security@mandriva.com.>
To: [email protected]
Subject: MDKSA-2005:079 - Updated perl packages to fix rmtree vulnerability
Message-Id: <E1DRTRX-0008E7-H5@mercury.mandriva.com.>
Sender: QATeam User <qateam@mercury.mandriva.com.>
Date: Fri, 29 Apr 2005 05:13:59 -0600
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: perl
Advisory ID: MDKSA-2005:079
Date: April 28th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________
Problem Description:
Paul Szabo discovered another vulnerability in the rmtree() function
in File::Path.pm. While a process running as root (or another user)
was busy deleting a directory tree, a different user could exploit a
race condition to create setuid binaries in this directory tree,
provided that he already had write permissions in any subdirectory of
that tree.
The provided packages have been patched to resolve this problem.
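
Added example, not part of the Mandriva advisory, the vendor patch or File::Path itself: a race like the one described above arises when a recursive delete re-resolves path names that another user can change while the deletion is running. The Python sketch below shows the general hardening technique on a POSIX system: every operation is made relative to an already-open directory descriptor and never follows a symlink. The names safe_rmtree and demo and the test tree are constructed for illustration.

```python
import os
import stat
import tempfile


def safe_rmtree(name, parent_fd=None):
    """Delete `name` (relative to parent_fd if given) without following symlinks."""
    # Inspect the entry itself, never whatever a symlink points to.
    before = os.stat(name, dir_fd=parent_fd, follow_symlinks=False)
    if not stat.S_ISDIR(before.st_mode):
        os.unlink(name, dir_fd=parent_fd)  # files and symlinks: remove the entry only
        return
    # O_NOFOLLOW makes open() fail if the entry was swapped for a symlink
    # between the stat above and this call.
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(name, flags, dir_fd=parent_fd)
    try:
        # The opened directory must be the one just inspected (same device/inode).
        after = os.fstat(fd)
        if (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise OSError("directory replaced during traversal: %r" % name)
        # Children are addressed relative to fd, so renaming or replacing a
        # parent path component cannot redirect the deletion elsewhere.
        for entry in os.listdir(fd):
            safe_rmtree(entry, parent_fd=fd)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=parent_fd)


def demo():
    """Constructed test tree holding a symlink that points outside the tree."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside")
    keep = os.path.join(outside, "keep.txt")
    tree = os.path.join(base, "tree")
    os.mkdir(outside)
    with open(keep, "w") as f:
        f.write("must survive")
    os.makedirs(os.path.join(tree, "sub", "deep"))
    with open(os.path.join(tree, "sub", "deep", "file"), "w") as f:
        f.write("x")
    os.symlink(outside, os.path.join(tree, "sub", "link"))
    safe_rmtree(tree)
    result = (os.path.exists(tree), os.path.exists(keep))
    safe_rmtree(base)  # clean up the scratch directory
    return result
```

demo() returns a pair: whether the tree still exists and whether the file outside it survived.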
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
88055e94b92e108fbc1428fcaf4f265a 10.0/RPMS/perl-5.8.3-5.4.100mdk.i586.rpm
517b94573fc17099711ef317a86710cc 10.0/RPMS/perl-base-5.8.3-5.4.100mdk.i586.rpm
5668ed0c2cd80c190d951db58c6e057a 10.0/RPMS/perl-devel-5.8.3-5.4.100mdk.i586.rpm
d0368301ec94bc79e764f65c19ca052c 10.0/RPMS/perl-doc-5.8.3-5.4.100mdk.i586.rpm
9e45412135477515a4d14ede715f260a 10.0/SRPMS/perl-5.8.3-5.4.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
083124ec0b033d2712c5305981e6b312 amd64/10.0/RPMS/perl-5.8.3-5.4.100mdk.amd64.rpm
9f0686791ecdbc0ce1068f87ba5fb6ce amd64/10.0/RPMS/perl-base-5.8.3-5.4.100mdk.amd64.rpm
10e735961919dca461355c42a417aed7 amd64/10.0/RPMS/perl-devel-5.8.3-5.4.100mdk.amd64.rpm
9c28ffc8b1858976165f783dce671210 amd64/10.0/RPMS/perl-doc-5.8.3-5.4.100mdk.amd64.rpm
9e45412135477515a4d14ede715f260a amd64/10.0/SRPMS/perl-5.8.3-5.4.100mdk.src.rpm
Mandrakelinux 10.1:
117750db774283de7e3e235bc3c4d42b 10.1/RPMS/perl-5.8.5-3.4.101mdk.i586.rpm
fb69728a57b920468f7bc6cf7ad63b1d 10.1/RPMS/perl-base-5.8.5-3.4.101mdk.i586.rpm
5f259fde80fa6837c2073c85e361c964 10.1/RPMS/perl-devel-5.8.5-3.4.101mdk.i586.rpm
8c0404b48594e4da2450d467e2300463 10.1/RPMS/perl-doc-5.8.5-3.4.101mdk.i586.rpm
730a69a3d1890e642ab5fb9eec3e07f3 10.1/SRPMS/perl-5.8.5-3.4.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
30d5fbf60a0093f8c45b93800addf55b x86_64/10.1/RPMS/perl-5.8.5-3.4.101mdk.x86_64.rpm
bfada4d0e25c66316873706eb96d0eec x86_64/10.1/RPMS/perl-base-5.8.5-3.4.101mdk.x86_64.rpm
c72897d8d971558166b1b462c29cacf4 x86_64/10.1/RPMS/perl-devel-5.8.5-3.4.101mdk.x86_64.rpm
aaa017675507c9278fb2246c70e9f5cf x86_64/10.1/RPMS/perl-doc-5.8.5-3.4.101mdk.x86_64.rpm
730a69a3d1890e642ab5fb9eec3e07f3 x86_64/10.1/SRPMS/perl-5.8.5-3.4.101mdk.src.rpm
Mandrakelinux 10.2:
f209fd68a68f9f8c569062a5dd35872d 10.2/RPMS/perl-5.8.6-6.1.102mdk.i586.rpm
c03dd6592f264a0c2abaacff459d358c 10.2/RPMS/perl-base-5.8.6-6.1.102mdk.i586.rpm
9620e5a67db3bd79ede05cdea54d7164 10.2/RPMS/perl-devel-5.8.6-6.1.102mdk.i586.rpm
4a48072953415e0c1a8cd0b0cc954989 10.2/RPMS/perl-doc-5.8.6-6.1.102mdk.i586.rpm
90e755194ecaf253657af0e12f6406b2 10.2/SRPMS/perl-5.8.6-6.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
ad2e519fe3110b139fa7f4eca49a67e1 x86_64/10.2/RPMS/perl-5.8.6-6.1.102mdk.x86_64.rpm
5b2bcd20ceedba59940d74365338dea7 x86_64/10.2/RPMS/perl-base-5.8.6-6.1.102mdk.x86_64.rpm
efe35f5b49981659e7697d6380fceb5e x86_64/10.2/RPMS/perl-devel-5.8.6-6.1.102mdk.x86_64.rpm
cb79d5e241acf0551222b20479e5f5ea x86_64/10.2/RPMS/perl-doc-5.8.6-6.1.102mdk.x86_64.rpm
90e755194ecaf253657af0e12f6406b2 x86_64/10.2/SRPMS/perl-5.8.6-6.1.102mdk.src.rpm
Corporate Server 2.1:
f2c5b48a527c1daf7a11792b7cea1e87 corporate/2.1/RPMS/perl-5.8.0-14.5.C21mdk.i586.rpm
2f3ce6e7795a4e3fb2cd15470f1e8eb1 corporate/2.1/RPMS/perl-base-5.8.0-14.5.C21mdk.i586.rpm
7b39b352cbef408c3f3a46e25dc33e6f corporate/2.1/RPMS/perl-devel-5.8.0-14.5.C21mdk.i586.rpm
5596a918ea2e2365d85f20bd7827bc72 corporate/2.1/RPMS/perl-doc-5.8.0-14.5.C21mdk.i586.rpm
9db02ebc2f5c0d481e7d883747abef06 corporate/2.1/SRPMS/perl-5.8.0-14.5.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
07487d9a3d421136586f7f60bc14dfc4 x86_64/corporate/2.1/RPMS/perl-5.8.0-14.5.C21mdk.x86_64.rpm
4f976b010d5fe0c125f5827d85b7fb3d x86_64/corporate/2.1/RPMS/perl-base-5.8.0-14.5.C21mdk.x86_64.rpm
2855e30bc2e36f1c76ba8a3c6ac9fb66 x86_64/corporate/2.1/RPMS/perl-devel-5.8.0-14.5.C21mdk.x86_64.rpm
07f1b2c8ab3f63960ac25f59929c343c x86_64/corporate/2.1/RPMS/perl-doc-5.8.0-14.5.C21mdk.x86_64.rpm
9db02ebc2f5c0d481e7d883747abef06 x86_64/corporate/2.1/SRPMS/perl-5.8.0-14.5.C21mdk.src.rpm
Corporate 3.0:
dde26b606f041ebbdede036037339a41 corporate/3.0/RPMS/perl-5.8.3-5.4.C30mdk.i586.rpm
7736c7a4aa7ce325d092c7e6d0c797b8 corporate/3.0/RPMS/perl-base-5.8.3-5.4.C30mdk.i586.rpm
276b6caf0710b2f5c2b40416431eb234 corporate/3.0/RPMS/perl-devel-5.8.3-5.4.C30mdk.i586.rpm
ad86f2a2618f7af20e6b976b54b08eaa corporate/3.0/RPMS/perl-doc-5.8.3-5.4.C30mdk.i586.rpm
0d824d973f366d61724a94fd1bd47815 corporate/3.0/SRPMS/perl-5.8.3-5.4.C30mdk.src.rpm
Corporate 3.0/X86_64:
59fd92b1575f82715096780c7a57d940 x86_64/corporate/3.0/RPMS/perl-5.8.3-5.4.C30mdk.x86_64.rpm
2cfec19fc0fb4e5d9270ce69fedaa3eb x86_64/corporate/3.0/RPMS/perl-base-5.8.3-5.4.C30mdk.x86_64.rpm
e428e4d841f0c43a950073853004bf00 x86_64/corporate/3.0/RPMS/perl-devel-5.8.3-5.4.C30mdk.x86_64.rpm
96765e19650443e069f1b6e9a4978704 x86_64/corporate/3.0/RPMS/perl-doc-5.8.3-5.4.C30mdk.x86_64.rpm
0d824d973f366d61724a94fd1bd47815 x86_64/corporate/3.0/SRPMS/perl-5.8.3-5.4.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type  Bits/KeyID      Date        User ID
pub   1024D/22458A98  2000-07-10  Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCchb3mqjQ0CJFipgRAuJvAKCPvJ3d5HxCFLg8E93Xjm4cPWgwagCffGdo
SupCPhneAxyFxvWxsV3zsGc=
=z1q6
-----END PGP SIGNATURE-----