Debian Security Advisory

DSA-431-1 perl -- information leak

Date Reported:

01 Feb 2004

Affected Packages:

perl

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 9543.
In Mitre's CVE dictionary: CVE-2003-0618.

More information:

Paul Szabo discovered a number of similar bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.

For the current stable distribution (woody) this problem has been fixed in version 5.6.1-8.6.

For the unstable distribution (sid), this problem will be fixed soon. Refer to Debian bug #220486.

We recommend that you update your perl package if you have the "perl-suid" package installed.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:: http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6.dsc; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6.diff.gz; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.6_all.deb; http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.6_all.deb; http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.6_all.deb
Alpha:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_arm.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_i386.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_mips.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_s390.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

MD5 checksums of the listed files are available in the revised advisory.

This page is also available in the following languages:

dansk Deutsch español français 日本語 (Nihongo) polski Русский (Russkij) svenska

How to set the default document language

To report a problem with the web site, e-mail debian-www@lists.debian.org. For other contact information, see the Debian contact page.