Debian Security Advisory

DSA-208-1 perl -- vulnerable safe compartment handling

Date reported:
12 December 2002
Affected packages:
perl
perl-5.004
perl-5.005
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 6111.
In Mitre's CVE dictionary: CVE-2002-1323.
More information:

A security hole has been discovered in Safe.pm, which is used in all versions of Perl. The Safe extension module allows the creation of compartments in which Perl code is evaluated in a new namespace; code evaluated in the compartment cannot refer to variables outside that compartment. However, once a Safe compartment has already been used, there is no guarantee that it is still safe, because there is a way for code executed within the Safe compartment to alter its operation mask. Thus, programs that use a Safe compartment only once are not affected by this bug.
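The "use a compartment only once" condition above can be made the application's own rule. The following is an added example, not code from the advisory or from Perl itself: `eval_once` is a hypothetical helper and the snippets are constructed, and it complements the package upgrade rather than replacing it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Hypothetical helper (not part of Safe.pm): evaluate one snippet in a
# compartment created for this call only, then throw the compartment away.
sub eval_once {
    my ($code) = @_;

    my $cpt    = Safe->new;      # new namespace, default operation mask
    my $before = $cpt->mask;     # mask as configured, before any code runs

    my $value = $cpt->reval($code);
    my $error = $@;

    # Defence in depth: a compartment whose mask changed during evaluation
    # is no longer the one we configured, so its result is rejected.
    if ($cpt->mask ne $before) {
        return { ok => 0, error => 'operation mask changed during evaluation' };
    }
    return { ok => 0, error => $error } if $error;
    return { ok => 1, value => $value };
}

# Constructed sample snippets standing in for untrusted input.
my @snippets = (
    '2 ** 10',           # plain arithmetic, allowed
    'uc("safe")',        # string operation, allowed
    'system("true")',    # denied by the default mask
);

for my $code (@snippets) {
    my $r = eval_once($code);
    if ($r->{ok}) {
        print "ok:       $code => $r->{value}\n";
    } else {
        chomp(my $msg = $r->{error});
        print "rejected: $code ($msg)\n";
    }
}
```

Because the compartment object never outlives a single `reval` call, no later snippet runs under a mask that earlier code had a chance to touch.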

This problem has been fixed in version 5.6.1-8.2 for the current stable distribution (woody), in versions 5.004.05-6.2 and 5.005.03-7.2 for the old stable distribution (potato) and in version 5.8.0-14 for the unstable distribution (sid).

We recommend that you upgrade your Perl packages.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2.dsc
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2.diff.gz
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05.orig.tar.gz
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2.dsc
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2.diff.gz
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-doc_5.004.05-6.2_all.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-doc_5.005.03-7.2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_i386.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_m68k.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2.dsc
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2.diff.gz
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.2_all.deb
http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.2_all.deb
http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_sparc.deb

MD5 checksums of the listed files are available on the original security advisory page.