lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <A98F2178A21F024E8DD16A39BD782D0B026975BC@DOITTMAIL01.doitt.nycnet>
Date: Thu, 10 Mar 2005 02:05:39 -0500
From: "secalert" <secalert@...tt.nyc.gov>
To: "Martin Pitt" <martin.pitt@...onical.com>,
	<ubuntu-security-announce@...ts.ubuntu.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: RE: [USN-94-1] Perl vulnerability


Dear Martin Pitt:
 
My boss wanted to know if this vulnerability might affect perl packages from other OS or does it only affect the Ubuntu releases?
 
I appreciate your help.
 
Best regards,
 
Lex Remo
NYC DoITT

________________________________

From: Martin Pitt [mailto:martin.pitt@...onical.com]
Sent: Wed 3/9/2005 7:31 AM
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: [USN-94-1] Perl vulnerability



===========================================================
Ubuntu Security Notice USN-94-1              March 09, 2005
perl vulnerability
CAN-2005-0448
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

perl-modules

The problem can be corrected by upgrading the affected package to
version 5.8.4-2ubuntu0.4.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Paul Szabo discovered another vulnerability in the rmtree() function
in File::Path.pm. While a process running as root (or another user)
was busy deleting a directory tree, a different user could exploit a
race condition to create setuid binaries in this directory tree,
provided that he already had write permissions in any subdirectory of
that tree.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.4.diff.gz
      Size/MD5:    60188 30785d1dafe5a3370b6426dabd3496c7
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.4.dsc
      Size/MD5:      727 9099db2a88c436237baf52e48088f732
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4.orig.tar.gz
      Size/MD5: 12094233 912050a9cb6b0f415b76ba56052fb4cf

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/libcgi-fast-perl_5.8.4-2ubuntu0.4_all.deb
      Size/MD5:    36912 d5f0870d91cc2b0b66a6a03910b22dfe
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-doc_5.8.4-2ubuntu0.4_all.deb
      Size/MD5:  7049774 8d1513fea3153f18c5d7350e84852b64
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-modules_5.8.4-2ubuntu0.4_all.deb
      Size/MD5:  2181324 e33fed3f59d2a22f9379d5db42d90d7b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.4_amd64.deb
      Size/MD5:   605416 740d538f44a97ba88b729763cacd7fee
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.4_amd64.deb
      Size/MD5:     1034 4ed5f62b1a26a8cb4cbc74cdc439c0c3
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.4_amd64.deb
      Size/MD5:   787144 71155b4d2b2f1e12883648842f7dc9d8
    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.4_amd64.deb
      Size/MD5:  3819890 5ffa3928854c94f9cdbf49a7a792e626
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.4_amd64.deb
      Size/MD5:    32834 87f2e690aeb1c557ad91c33e6ebd0f3e
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.4_amd64.deb
      Size/MD5:  3834234 9787bfabcd2ab93bfd11b5109284ea5d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.4_i386.deb
      Size/MD5:   546898 38bbe978e981caf41c251ff68d96e817
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.4_i386.deb
      Size/MD5:   494066 862aae6405d50449abfa7908ca006466
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.4_i386.deb
      Size/MD5:   727586 6a6253b935ce0f62c818c84137cdffa9
    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.4_i386.deb
      Size/MD5:  3631128 a98a367bc60c66212b66f3089d32ffc4
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.4_i386.deb
      Size/MD5:    30818 5dd4bddd3ebc8e6d659d4be8f34253d1
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.4_i386.deb
      Size/MD5:  3229880 3bd6faba3e9cd8f578f410ad477ea14f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.4-2ubuntu0.4_powerpc.deb
      Size/MD5:   561010 ac9cdca909113bd487d97dcbed888bdb
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.4-2ubuntu0.4_powerpc.deb
      Size/MD5:     1034 b373f005aa3003c56ead6e9ed4f1036a
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.4-2ubuntu0.4_powerpc.deb
      Size/MD5:   718372 7053b926f46dc6b03ea4c14b3a81488b
    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/perl-debug_5.8.4-2ubuntu0.4_powerpc.deb
      Size/MD5:  3817108 c00240239a190b98aa6b5ff0c2565d91
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.4-2ubuntu0.4_powerpc.deb
      Size/MD5:    30556 f177fd548a28e1914ff267da4d59707d
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.4-2ubuntu0.4_powerpc.deb
      Size/MD5:  3477220 60b40c390a37e0e989d9b8e6406ed709


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ