USN-72-1: Perl vulnerabilities
Ubuntu Security Notice USN-72-1
2nd February, 2005
perl vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 4.10
Details
Two exploitable vulnerabilities involving setuid-enabled perl scripts
have been discovered. The package "perl-suid" provides a wrapper
around perl which allows to use setuid-root perl scripts, i.e.
user-callable Perl scripts which have full root privileges.
Previous versions allowed users to overwrite arbitrary files by
setting the PERLIO_DEBUG environment variable and calling an arbitrary
setuid-root perl script. The file that PERLIO_DEBUG points to was then
overwritten by Perl debug messages. This did not allow precise control
over the file content, but could destroy important data. PERLIO_DEBUG
is now ignored for setuid scripts. (CAN-2005-0155)
In addition, calling a setuid-root perl script with a very long path
caused a buffer overflow if PERLIO_DEBUG was set. This buffer overflow
could be exploited to execute arbitrary files with full root
privileges. (CAN-2005-0156)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 4.10:
- perl
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
None