From owner-freebsd-security Tue Jun 10 10:04:48 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA16926 for security-outgoing; Tue, 10 Jun 1997 10:04:48 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id KAA16914 for ; Tue, 10 Jun 1997 10:04:41 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wbULB-0001Fg-00; Tue, 10 Jun 1997 11:04:17 -0600
To: Guy Helmer
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
Cc: Michael Haro , freebsd-security@freebsd.org
In-reply-to: Your message of "Tue, 03 Jun 1997 10:29:16 CDT."
Date: Tue, 10 Jun 1997 11:04:17 -0600
From: Warner Losh
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Guy Helmer writes:
: See the CERT Advisory CA-97.17 (sperl) for this problem at
:
: ftp://info.cert.org/pub/cert_advisories/CA-97.17.sperl
:
: dated May 29, 1997. It would not have been known at the time FreeBSD
: 2.2.1 (or 2.2.2, for that matter) was released.

This bug was fixed in the sources of 2.2, 2.1 and -current on May 20,
after the 2.2.2 release. Since Perl 4 is way way way unsupported by
the Perl community, I just patched the exploit that caused the program
I was using to get root. I didn't audit all of Perl 4 to make sure it
was cool. Since perl 5 seems to be moving into the source tree, this
may become a non-issue.

Guy's advice is excellent: Disable sperl unless you have a specific
need for it.

Warner