Debian Security Advisory

DSA-431-1 perl -- information leak

Date Reported:
01 Feb 2004
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 9543.
In Mitre's CVE dictionary: CVE-2003-0618.
More information:

Paul Szabo discovered a number of similar bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.

For the current stable distribution (woody) this problem has been fixed in version 5.6.1-8.6.

For the unstable distribution (sid), this problem will be fixed soon. Refer to Debian bug #220486.

We recommend that you update your perl package if you have the "perl-suid" package installed.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:
Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.

MD5 checksums of the listed files are available in the revised advisory.