Debians sikkerhedsbulletin

DSA-431-1 perl -- informationslækage

Rapporteret den:
1. feb 2004
Berørte pakker:
perl
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 9543.
I Mitres CVE-ordbog: CVE-2003-0618.
Yderligere oplysninger:

Paul Szabo har opdaget en række ens fejl i suidperl, et hjælpeprogram til afvikling af perl-skripter med setuid-rettigheder. Ved udnyttelse af disse fejl kunne en angriber misbruge suidperl til at få oplysninger om filer (såsom undersøge om de findes og nogle af deres rettigheder), som ikke burde være tilgængelige for upriviligerede brugere.

I den nuværende stabile distribution (woody) er dette problem rettet i version 5.6.1-8.6.

I den ustabile distribution (sid), vil dette problem snart blive rettet. Se Debians fejl nummer 220486.

Vi anbefaler at du opdaterer din perl-pakke, hvis pakken "perl-suid" er installeret.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6.dsc
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6.diff.gz
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.6_all.deb
http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.6_all.deb
http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.6_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_alpha.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_arm.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_arm.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_i386.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_i386.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_ia64.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_hppa.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_m68k.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_mips.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_mips.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_mipsel.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_powerpc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_s390.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_s390.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.6_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.6_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.6_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.6_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.6_sparc.deb
http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.6_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.

MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.