Debian Security Advisory

DSA-208-1 perl -- broken safe compartment

Date Reported:
12 Dec 2002
Affected Packages:
perl
perl-5.004
perl-5.005
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 6111.
In Mitre's CVE dictionary: CVE-2002-1323.
More information:

A security hole has been discovered in Safe.pm, which is used in all versions of Perl. The Safe extension module allows the creation of compartments in which Perl code can be evaluated in a new namespace; code evaluated in the compartment cannot refer to variables outside this namespace. However, once a Safe compartment has been used, there is no guarantee that it is Safe any longer, because code executed within the compartment can alter its operation mask. Thus, programs that use a Safe compartment only once aren't affected by this bug.
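The advisory's last point, that a compartment used only once is not affected, can be applied by building a new compartment for every evaluation instead of keeping one around. The following is an added example, not code from the advisory or from Safe.pm; the helper name `reval_once` and the two sample snippets are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Evaluate one untrusted snippet in a compartment that is created for this
# call and discarded afterwards, so no compartment is ever used twice.
# A long-lived "my $shared = Safe->new;" that serves many evaluations is the
# reuse pattern the advisory describes as affected.
sub reval_once {
    my ($code, @extra_ops) = @_;

    my $cpt = Safe->new;                      # new namespace, default operator mask
    $cpt->permit(@extra_ops) if @extra_ops;   # widen the mask only when asked to

    my $value = $cpt->reval($code);           # undef, with $@ set, on failure
    my $err   = $@;
    return ($value, $err);                    # $cpt goes out of scope here
}

# Constructed sample inputs: a plain arithmetic expression, and a snippet
# that uses an operator (open) which the default mask does not permit.
my @snippets = (
    '2 + 3 * 4',
    'open(my $fh, "<", "/etc/hostname")',
);

for my $snippet (@snippets) {
    my ($value, $err) = reval_once($snippet);
    if ($err) {
        chomp $err;
        print "rejected: $snippet\n  reason: $err\n";
    }
    else {
        print "ok: $snippet => $value\n";
    }
}
```

Each call pays the cost of constructing a compartment, and nothing stored in one compartment's namespace is visible to the next evaluation.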

This problem has been fixed in version 5.6.1-8.2 for the current stable distribution (woody), in versions 5.004.05-6.2 and 5.005.03-7.2 for the old stable distribution (potato), and in version 5.8.0-14 for the unstable distribution (sid).

We recommend that you upgrade your Perl packages.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2.dsc
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2.diff.gz
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05.orig.tar.gz
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2.dsc
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2.diff.gz
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-doc_5.004.05-6.2_all.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-doc_5.005.03-7.2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_i386.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_m68k.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2.dsc
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2.diff.gz
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.2_all.deb
http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.2_all.deb
http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.