Security: Error on repeated use of Safe.pm in Perl

Name: Error on repeated use of Safe.pm in Perl
ID: CSSA-2004-007.0
Distribution: SCO OpenLinux
Platforms: SCO OpenLinux 3.1.1 Server, SCO OpenLinux 3.1.1 Workstation
Date: Sun, 22 February 2004, 12:00
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1323
Applications: Perl
Original message
______________________________________________________________________________
SCO Security Advisory
Subject: OpenLinux: Perl Safe.pm unsafe access
Advisory number: CSSA-2004-007.0
Issue date: 2004 February 20
Cross reference: sr887196 fz528498 erg712494 CAN-2002-1323
______________________________________________________________________________
1. Problem Description
When Perl code is executed within a Safe compartment, it cannot access variables outside of the compartment unless the outside code chooses to share the variables with the code inside the compartment.
If code inside a Safe compartment is executed via Safe->reval() twice, it is able to change its operation mask the second time. This could allow the code to access variables outside the Safe compartment.
Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1323 to this issue.
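A defensive usage pattern for the problem described above, added here as an example and not part of the SCO advisory: build a fresh Safe compartment for every evaluation and copy only the named inputs into it, so no state (namespace, @_, operation mask) carries from one reval() call into the next. The function name eval_untrusted and the sample expressions are assumptions; installing the updated packages remains the actual fix.

```perl
#!/usr/bin/perl
# Added example (not from the advisory): one fresh Safe compartment per call.
use strict;
use warnings;
use Safe;

# eval_untrusted($code, %vars) -> ($result, $error)
# %vars are copied into the compartment by name; nothing else is shared.
sub eval_untrusted {
    my ($code, %vars) = @_;

    my $cpt = Safe->new;   # new package and a default operation mask every time
    # Allow only arithmetic, string handling and loops; no I/O, no filesystem.
    $cpt->permit_only(qw(:base_core :base_mem :base_loop));

    # Publish the allowed inputs inside the compartment's own package instead
    # of sharing variables from the caller's namespace.
    for my $name (keys %vars) {
        ${ $cpt->varglob($name) } = $vars{$name};
    }

    my $result = $cpt->reval($code);
    return (undef, "rejected: $@") if $@;   # op trapped by the mask, or syntax error
    return ($result, undef);
}

# Constructed inputs for a quick self-check.
my ($r1, $e1) = eval_untrusted('$x * 2 + 1', x => 20);
print "ok: $r1\n" if defined $r1;          # ok: 41

# A second call gets a brand-new compartment, so nothing the first piece of
# code did to its compartment can influence this evaluation.
my ($r2, $e2) = eval_untrusted('unlink "notes.txt"', x => 0);
print $e2 if defined $e2;                  # rejected: 'unlink' trapped by operation mask ...
```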
2. Vulnerable Supported Versions
System: OpenLinux 3.1.1 Server
Packages: prior to perl-5.8.3-1.i386.rpm, perl-add-5.8.3-1.i386.rpm, perl-man-5.8.3-1.i386.rpm, perl-pod-5.8.3-1.i386.rpm

System: OpenLinux 3.1.1 Workstation
Packages: prior to perl-5.8.3-1.i386.rpm, perl-add-5.8.3-1.i386.rpm, perl-man-5.8.3-1.i386.rpm, perl-pod-5.8.3-1.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-007.0/RPMS
4.2 Packages
8fc1043f58ddc9f2c48a392e3a9e5707 perl-5.8.3-1.i386.rpm
c52377b6aa6ba00169108fdf1060e239 perl-add-5.8.3-1.i386.rpm
cb4dbc39349ea672b47bfc776f3b0fa4 perl-man-5.8.3-1.i386.rpm
010741a985deaf7e2b8a289d3e4b4b8b perl-pod-5.8.3-1.i386.rpm
4.3 Installation
rpm -Fvh perl-5.8.3-1.i386.rpm
rpm -Fvh perl-add-5.8.3-1.i386.rpm
rpm -Fvh perl-man-5.8.3-1.i386.rpm
rpm -Fvh perl-pod-5.8.3-1.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-007.0/SRPMS
4.5 Source Packages
aa44c605f0c3c82cef1096c2c9f1e958 perl-5.8.3-1.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-007.0/RPMS
5.2 Packages
21a823ce2022d2c3a69848b48d06d9de perl-5.8.3-1.i386.rpm
77b22dc0bdf24d927e635e76f4706a05 perl-add-5.8.3-1.i386.rpm
eb60dd4c6abc0f4b9894ea6a1473ffdc perl-man-5.8.3-1.i386.rpm
357d02c4844793bc36b7e92c41bb2e26 perl-pod-5.8.3-1.i386.rpm
5.3 Installation
rpm -Fvh perl-5.8.3-1.i386.rpm
rpm -Fvh perl-add-5.8.3-1.i386.rpm
rpm -Fvh perl-man-5.8.3-1.i386.rpm
rpm -Fvh perl-pod-5.8.3-1.i386.rpm
5.4 Source Package Location
SRPMS
5.5 Source Packages
6b1fdec04ed3c6d4de7b0c65528e71cd perl-5.8.3-1.src.rpm
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323
http://www.iss.net/security_center/static/10574.php
http://www.securityfocus.com/bid/6111
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0061.html
http://use.perl.org/articles/02/10/06/1118222.shtml?tid=5
http://bugs6.perl.org/rt2/Ticket/Display.html?id=17744
SCO security resources: http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr887196 fz528498 erg712494.
7. Disclaimer
SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.
8. Acknowledgements
SCO would like to thank Andreas Jurenda
______________________________________________________________________________