[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090115224903.GZ8516@outflux.net>
Date: Thu, 15 Jan 2009 14:49:03 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-700-2] Perl regression
===========================================================
Ubuntu Security Notice USN-700-2 January 15, 2009
perl regression
https://launchpad.net/bugs/315991
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
perl 5.8.8-12ubuntu0.4
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
USN-700-1 fixed vulnerabilities in Perl. Due to problems with the Ubuntu
8.04 build, some Perl .ph files were missing from the resulting update.
This update fixes the problem. We apologize for the inconvenience.
Original advisory details:
Jonathan Smith discovered that the Archive::Tar Perl module did not
correctly handle symlinks when extracting archives. If a user or
automated system were tricked into opening a specially crafted tar file,
a remote attacker could over-write arbitrary files. (CVE-2007-4829)
Tavis Ormandy and Will Drewry discovered that Perl did not correctly
handle certain utf8 characters in regular expressions. If a user or
automated system were tricked into using a specially crafted expression,
a remote attacker could crash the application, leading to a denial
of service. Ubuntu 8.10 was not affected by this issue. (CVE-2008-1927)
A race condition was discovered in the File::Path Perl module's rmtree
function. If a local attacker successfully raced another user's call
of rmtree, they could create arbitrary setuid binaries. Ubuntu 6.06
and 8.10 were not affected by this issue. (CVE-2008-5302)
A race condition was discovered in the File::Path Perl module's rmtree
function. If a local attacker successfully raced another user's call of
rmtree, they could delete arbitrary files. Ubuntu 6.06 was not affected
by this issue. (CVE-2008-5303)
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8-12ubuntu0.4.diff.gz
Size/MD5: 119117 3c04ef48711eb339dc153195ffbe1899
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8-12ubuntu0.4.dsc
Size/MD5: 882 558664714fe76eceaf8274a9c2244aea
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8.orig.tar.gz
Size/MD5: 12829188 b8c118d4360846829beb30b02a6b91a7
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-doc_5.8.8-12ubuntu0.4_all.deb
Size/MD5: 7356276 e5bb6b2b0dd489f546f21c4156f44096
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-modules_5.8.8-12ubuntu0.4_all.deb
Size/MD5: 2299814 adac1e9fb1add2fe5fee788a7ddcde21
http://security.ubuntu.com/ubuntu/pool/universe/p/perl/libcgi-fast-perl_5.8.8-12ubuntu0.4_all.deb
Size/MD5: 42058 fb1651f5051f20bee455b793277d2221
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_amd64.deb
Size/MD5: 635714 dc6220080c5aa5440bc1c5fc851a75d8
http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_amd64.deb
Size/MD5: 1060 d8cac882d00389b0c77c092edff4fe53
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_amd64.deb
Size/MD5: 840544 2270bb27d9fcffd70ff1272cf5dc1600
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_amd64.deb
Size/MD5: 2915934 1331659e29a29f4bb7f442c094cdd757
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_amd64.deb
Size/MD5: 33772 3e3c7e74e397e3891fca14e704f0dee2
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_amd64.deb
Size/MD5: 4050076 ab5f7beb11e1fc5f3ae32de33e6f674a
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_i386.deb
Size/MD5: 577084 73eaeef8bc622b7f43f2979e82b1ca34
http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_i386.deb
Size/MD5: 534952 19ea6fa66b5e2871790b5282af8ebd0d
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_i386.deb
Size/MD5: 778508 2c656143bbd2b623722cdf1c019593b6
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_i386.deb
Size/MD5: 2727530 1183721e44078c7bd599ea39d5f69342
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_i386.deb
Size/MD5: 31736 9633785c18e45f63596b78aa1fcd78c6
http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_i386.deb
Size/MD5: 3378692 52428aa23de842bdfb74c3343640ca09
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_lpia.deb
Size/MD5: 580018 2d2aed254844454c0f48227300768a1b
http://ports.ubuntu.com/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_lpia.deb
Size/MD5: 1062 89d3130c61783ed62f12f004b8d559a2
http://ports.ubuntu.com/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_lpia.deb
Size/MD5: 812092 f97dc4ce5e270ee070bfbfe27ec7a70a
http://ports.ubuntu.com/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_lpia.deb
Size/MD5: 2704722 4f78a56363442bcfacdf58d3bd045e9a
http://ports.ubuntu.com/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_lpia.deb
Size/MD5: 32178 bb6b07dbfb9106e05dab1fbdf11ca944
http://ports.ubuntu.com/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_lpia.deb
Size/MD5: 3384200 27f56ec04f41180f61a934111fbc304f
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_powerpc.deb
Size/MD5: 656128 da32563656e3772e3d276b3224bc0cc7
http://ports.ubuntu.com/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_powerpc.deb
Size/MD5: 1062 f094786f906673bf12ae6167012cc9a3
http://ports.ubuntu.com/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_powerpc.deb
Size/MD5: 866722 8e2a00885b78d200ca38f6fabc6e78a2
http://ports.ubuntu.com/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_powerpc.deb
Size/MD5: 2904232 ae737ff09c537d35482129e51f798e7f
http://ports.ubuntu.com/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_powerpc.deb
Size/MD5: 37196 56f19062c86cab968075b6975ffee841
http://ports.ubuntu.com/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_powerpc.deb
Size/MD5: 3774406 2f3d4a074be234ba0e585c232f6237cb
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_sparc.deb
Size/MD5: 595878 c1c459e217eec1f63afce7a233d9b8e6
http://ports.ubuntu.com/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_sparc.deb
Size/MD5: 1060 6b0d718a2869fd0558e34c76c07d19b3
http://ports.ubuntu.com/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_sparc.deb
Size/MD5: 809210 b4b80f00828ceb4ca9d6bda4d08f58d5
http://ports.ubuntu.com/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_sparc.deb
Size/MD5: 2768090 a64ec353db0dfaacd92cff2b013f8604
http://ports.ubuntu.com/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_sparc.deb
Size/MD5: 32942 83cbf2d6c1805208e252cdfa34e29f5f
http://ports.ubuntu.com/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_sparc.deb
Size/MD5: 3683884 98f6e1a797e6414e0fffc5b7627219d8
Download attachment "signature.asc" of type "application/pgp-signature" (236 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists