lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090115224903.GZ8516@outflux.net>
Date: Thu, 15 Jan 2009 14:49:03 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-700-2] Perl regression

===========================================================
Ubuntu Security Notice USN-700-2           January 15, 2009
perl regression
https://launchpad.net/bugs/315991
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  perl                            5.8.8-12ubuntu0.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-700-1 fixed vulnerabilities in Perl.  Due to problems with the Ubuntu
8.04 build, some Perl .ph files were missing from the resulting update.
This update fixes the problem.  We apologize for the inconvenience.

Original advisory details:

 Jonathan Smith discovered that the Archive::Tar Perl module did not
 correctly handle symlinks when extracting archives.  If a user or
 automated system were tricked into opening a specially crafted tar file,
 a remote attacker could over-write arbitrary files.  (CVE-2007-4829)
 
 Tavis Ormandy and Will Drewry discovered that Perl did not correctly
 handle certain utf8 characters in regular expressions.  If a user or
 automated system were tricked into using a specially crafted expression,
 a remote attacker could crash the application, leading to a denial
 of service.  Ubuntu 8.10 was not affected by this issue.  (CVE-2008-1927)
 
 A race condition was discovered in the File::Path Perl module's rmtree
 function.  If a local attacker successfully raced another user's call
 of rmtree, they could create arbitrary setuid binaries.  Ubuntu 6.06
 and 8.10 were not affected by this issue.  (CVE-2008-5302)
 
 A race condition was discovered in the File::Path Perl module's rmtree
 function.  If a local attacker successfully raced another user's call of
 rmtree, they could delete arbitrary files.  Ubuntu 6.06 was not affected
 by this issue.  (CVE-2008-5303)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8-12ubuntu0.4.diff.gz
      Size/MD5:   119117 3c04ef48711eb339dc153195ffbe1899
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8-12ubuntu0.4.dsc
      Size/MD5:      882 558664714fe76eceaf8274a9c2244aea
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8.orig.tar.gz
      Size/MD5: 12829188 b8c118d4360846829beb30b02a6b91a7

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-doc_5.8.8-12ubuntu0.4_all.deb
      Size/MD5:  7356276 e5bb6b2b0dd489f546f21c4156f44096
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-modules_5.8.8-12ubuntu0.4_all.deb
      Size/MD5:  2299814 adac1e9fb1add2fe5fee788a7ddcde21
    http://security.ubuntu.com/ubuntu/pool/universe/p/perl/libcgi-fast-perl_5.8.8-12ubuntu0.4_all.deb
      Size/MD5:    42058 fb1651f5051f20bee455b793277d2221

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_amd64.deb
      Size/MD5:   635714 dc6220080c5aa5440bc1c5fc851a75d8
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_amd64.deb
      Size/MD5:     1060 d8cac882d00389b0c77c092edff4fe53
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_amd64.deb
      Size/MD5:   840544 2270bb27d9fcffd70ff1272cf5dc1600
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_amd64.deb
      Size/MD5:  2915934 1331659e29a29f4bb7f442c094cdd757
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_amd64.deb
      Size/MD5:    33772 3e3c7e74e397e3891fca14e704f0dee2
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_amd64.deb
      Size/MD5:  4050076 ab5f7beb11e1fc5f3ae32de33e6f674a

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_i386.deb
      Size/MD5:   577084 73eaeef8bc622b7f43f2979e82b1ca34
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_i386.deb
      Size/MD5:   534952 19ea6fa66b5e2871790b5282af8ebd0d
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_i386.deb
      Size/MD5:   778508 2c656143bbd2b623722cdf1c019593b6
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_i386.deb
      Size/MD5:  2727530 1183721e44078c7bd599ea39d5f69342
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_i386.deb
      Size/MD5:    31736 9633785c18e45f63596b78aa1fcd78c6
    http://security.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_i386.deb
      Size/MD5:  3378692 52428aa23de842bdfb74c3343640ca09

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_lpia.deb
      Size/MD5:   580018 2d2aed254844454c0f48227300768a1b
    http://ports.ubuntu.com/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_lpia.deb
      Size/MD5:     1062 89d3130c61783ed62f12f004b8d559a2
    http://ports.ubuntu.com/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_lpia.deb
      Size/MD5:   812092 f97dc4ce5e270ee070bfbfe27ec7a70a
    http://ports.ubuntu.com/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_lpia.deb
      Size/MD5:  2704722 4f78a56363442bcfacdf58d3bd045e9a
    http://ports.ubuntu.com/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_lpia.deb
      Size/MD5:    32178 bb6b07dbfb9106e05dab1fbdf11ca944
    http://ports.ubuntu.com/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_lpia.deb
      Size/MD5:  3384200 27f56ec04f41180f61a934111fbc304f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_powerpc.deb
      Size/MD5:   656128 da32563656e3772e3d276b3224bc0cc7
    http://ports.ubuntu.com/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_powerpc.deb
      Size/MD5:     1062 f094786f906673bf12ae6167012cc9a3
    http://ports.ubuntu.com/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_powerpc.deb
      Size/MD5:   866722 8e2a00885b78d200ca38f6fabc6e78a2
    http://ports.ubuntu.com/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_powerpc.deb
      Size/MD5:  2904232 ae737ff09c537d35482129e51f798e7f
    http://ports.ubuntu.com/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_powerpc.deb
      Size/MD5:    37196 56f19062c86cab968075b6975ffee841
    http://ports.ubuntu.com/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_powerpc.deb
      Size/MD5:  3774406 2f3d4a074be234ba0e585c232f6237cb

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/p/perl/libperl-dev_5.8.8-12ubuntu0.4_sparc.deb
      Size/MD5:   595878 c1c459e217eec1f63afce7a233d9b8e6
    http://ports.ubuntu.com/pool/main/p/perl/libperl5.8_5.8.8-12ubuntu0.4_sparc.deb
      Size/MD5:     1060 6b0d718a2869fd0558e34c76c07d19b3
    http://ports.ubuntu.com/pool/main/p/perl/perl-base_5.8.8-12ubuntu0.4_sparc.deb
      Size/MD5:   809210 b4b80f00828ceb4ca9d6bda4d08f58d5
    http://ports.ubuntu.com/pool/main/p/perl/perl-debug_5.8.8-12ubuntu0.4_sparc.deb
      Size/MD5:  2768090 a64ec353db0dfaacd92cff2b013f8604
    http://ports.ubuntu.com/pool/main/p/perl/perl-suid_5.8.8-12ubuntu0.4_sparc.deb
      Size/MD5:    32942 83cbf2d6c1805208e252cdfa34e29f5f
    http://ports.ubuntu.com/pool/main/p/perl/perl_5.8.8-12ubuntu0.4_sparc.deb
      Size/MD5:  3683884 98f6e1a797e6414e0fffc5b7627219d8


Download attachment "signature.asc" of type "application/pgp-signature" (236 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ