Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 28 Sep 2003 23:19:11 +0900 (JST)
From:      IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/57315: Safe.pm security hole in 4.x base system's perl
Message-ID:  <20030928141911.BAAAAA97F@sodans.usata.org>
Resent-Message-ID: <200309281420.h8SEK6A8078389@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         57315
>Category:       bin
>Synopsis:       Safe.pm security hole in 4.x base system's perl
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 28 07:20:05 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     IIJIMA Hiromitsu
>Release:        FreeBSD 4.7-RELEASE-p3 i386
>Organization:
DENNOU GEDOU GAKKAI, N. D. D. http://www.dennougedougakkai-ndd.org
>Environment:
System: FreeBSD sodans.usata.org 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #0: Wed Jan 22 14:50:19 JST 2003 root@www.my.domain:/usr/src/sys/compile/RENTALv6 i386

Userland is upgraded to -p16, while the kernel is still -p3.

>Description:
	Safe.pm in FreeBSD 4.x base system's perl 5.005_03 has security hole
	labelled as CAN-2002-1323.

	For more information, see the websites at:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323
	http://groups.google.com/groups?threadm=rt-17744-39131.3.96370682846239%40bugs6.perl.org

	[NOTE] ports/lang/perl5 (perl 5.6.1) and ports/lang/perl5.8 (perl 5.8.0)
	are not affected, since they have files/patch-Safe.pm in the ports.

	ports/japanese/perl5 (perl 5.005_03 plus Japanese patch) are affected
	just as 4.x base system's one, so I'll send another PR.

>How-To-Repeat:
	Try the exploit code at Google Groups archive.

>Fix:
	Apply ports/lang/perl5/patch-Safe.pm to base system's perl.
	It applies to perl 5.005_03 with no problem.

	ports/lang/perl5.8/patch-Safe.pm does not apply to perl 5.005_03,
	since it is an upgrade from Safe.pm 2.07 to 2.09 while perl 5.005_03
	has Safe.pm 2.06.
>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030928141911.BAAAAA97F>