Date: Sun, 28 Sep 2003 23:19:11 +0900 (JST) From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/57315: Safe.pm security hole in 4.x base system's perl Message-ID: <20030928141911.BAAAAA97F@sodans.usata.org> Resent-Message-ID: <200309281420.h8SEK6A8078389@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 57315 >Category: bin >Synopsis: Safe.pm security hole in 4.x base system's perl >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Sep 28 07:20:05 PDT 2003 >Closed-Date: >Last-Modified: >Originator: IIJIMA Hiromitsu >Release: FreeBSD 4.7-RELEASE-p3 i386 >Organization: DENNOU GEDOU GAKKAI, N. D. D. http://www.dennougedougakkai-ndd.org >Environment: System: FreeBSD sodans.usata.org 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #0: Wed Jan 22 14:50:19 JST 2003 root@www.my.domain:/usr/src/sys/compile/RENTALv6 i386 Userland is upgraded to -p16, while the kernel is still -p3. >Description: Safe.pm in FreeBSD 4.x base system's perl 5.005_03 has security hole labelled as CAN-2002-1323. For more information, see the websites at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323 http://groups.google.com/groups?threadm=rt-17744-39131.3.96370682846239%40bugs6.perl.org [NOTE] ports/lang/perl5 (perl 5.6.1) and ports/lang/perl5.8 (perl 5.8.0) are not affected, since they have files/patch-Safe.pm in the ports. ports/japanese/perl5 (perl 5.005_03 plus Japanese patch) are affected just as 4.x base system's one, so I'll send another PR. >How-To-Repeat: Try the exploit code at Google Groups archive. >Fix: Apply ports/lang/perl5/patch-Safe.pm to base system's perl. It applies to perl 5.005_03 with no problem. ports/lang/perl5.8/patch-Safe.pm does not apply to perl 5.005_03, since it is an upgrade from Safe.pm 2.07 to 2.09 while perl 5.005_03 has Safe.pm 2.06. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030928141911.BAAAAA97F>