--tKW2IUtsqtDRztdT Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D Ubuntu Security Notice USN-72-1 February 02, 2005 perl vulnerabilities CAN-2005-0155, CAN-2005-0156 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: perl The problem can be corrected by upgrading the affected package to version 5.8.4-2ubuntu0.3. In general, a standard system upgrade is sufficient to effect the necessary changes.=20 Details follow: Two exploitable vulnerabilities involving setuid-enabled perl scripts have been discovered. The package "perl-suid" provides a wrapper around perl which allows to use setuid-root perl scripts, i.e. user-callable Perl scripts which have full root privileges. Previous versions allowed users to overwrite arbitrary files by setting the PERLIO_DEBUG environment variable and calling an arbitrary setuid-root perl script. The file that PERLIO_DEBUG points to was then overwritten by Perl debug messages. This did not allow precise control over the file content, but could destroy important data. PERLIO_DEBUG is now ignored for setuid scripts. (CAN-2005-0155) In addition, calling a setuid-root perl script with a very long path caused a buffer overflow if PERLIO_DEBUG was set. This buffer overflow could be exploited to execute arbitrary files with full root privileges. (CAN-2005-0156) Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.= 3.diff.gz Size/MD5: 57791 6838d5eb8b01a50895f60f899b7f9970 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.= 3.dsc Size/MD5: 727 424d777c7a4f7e01e142bd907ec49134 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4.orig.tar.= gz Size/MD5: 12094233 912050a9cb6b0f415b76ba56052fb4cf Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/p/perl/libcgi-fast-perl= _5.8.4-2ubuntu0.3_all.deb Size/MD5: 36762 3187be1f92d688e34fca60c46f688ca9 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-doc_5.8.4-2ubun= tu0.3_all.deb Size/MD5: 7049796 f64050a4658b325918e1d853d0f2cbc0 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-modules_5.8.4-2= ubuntu0.3_all.deb Size/MD5: 2181384 b2a50b4f2dde034430bc84bbabc791cc amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2u= buntu0.3_amd64.deb Size/MD5: 605434 2ca037b813fe14be47cafa2f27acd77b http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ub= untu0.3_amd64.deb Size/MD5: 1032 2bb8737a384a3786171d2ae2a3ed4a7a http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubu= ntu0.3_amd64.deb Size/MD5: 787086 e5bb5502b6e90a29c74acc032b9e55c5 http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4= -2ubuntu0.3_amd64.deb Size/MD5: 3819860 1daaaa3016ad679e80199e19c5b901ef http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubu= ntu0.3_amd64.deb Size/MD5: 32832 0cb6d5e891a5524a8d88a2c42c866e57 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.= 3_amd64.deb Size/MD5: 3834226 442c1ace9f9ea25dc24075c37ee2365b i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2u= buntu0.3_i386.deb Size/MD5: 546882 60034b55abcae07a3d6c6052a3213463 http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ub= untu0.3_i386.deb Size/MD5: 494062 6588b891ea5946652fbfa57529ab63c7 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubu= ntu0.3_i386.deb Size/MD5: 727402 9f372c22dbe904e4986c20db27ca4eab http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4= -2ubuntu0.3_i386.deb Size/MD5: 3631146 a4e235f9ee4b5b4c00af9681c462f9cb http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubu= ntu0.3_i386.deb Size/MD5: 30812 70923ad1d98c214f7d74b3fcd33fd8a3 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.= 3_i386.deb Size/MD5: 3229674 c1eefcf39facb03157c59a0f87ff7471 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2u= buntu0.3_powerpc.deb Size/MD5: 560992 17dd72a903ea7cb68dde0b937c18dbbd http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ub= untu0.3_powerpc.deb Size/MD5: 1032 b30fdccfa2463633641622427cbcaa73 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubu= ntu0.3_powerpc.deb Size/MD5: 718224 c200522dfa69b9810d66dd94a5102f6f http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4= -2ubuntu0.3_powerpc.deb Size/MD5: 3817106 3fbeaca89ae2b2a54adb0b01b282f8bd http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubu= ntu0.3_powerpc.deb Size/MD5: 30558 606caf5631780c2941118a5bbd6b2fd4 http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.= 3_powerpc.deb Size/MD5: 3477176 d1e921f275e597dc1b59d6ca5680c07e --tKW2IUtsqtDRztdT Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFCANxdDecnbV4Fd/IRAk1NAJ0dF0KzafnKs3XSLAdaEb4UV7+cxwCgxaE5 bcXrm1Q9jVV4EVNE/RHpKQc= =RqPI -----END PGP SIGNATURE----- --tKW2IUtsqtDRztdT--