USN-700-1: Perl vulnerabilities


 
Old 12-23-2008

Referenced CVEs:
CVE-2007-4829, CVE-2008-1927, CVE-2008-5302, CVE-2008-5303


Description:
===========================================================
Ubuntu Security Notice USN-700-1          December 24, 2008
libarchive-tar-perl, perl vulnerabilities
CVE-2007-4829, CVE-2008-1927, CVE-2008-5302, CVE-2008-5303
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libarchive-tar-perl   1.26-2ubuntu0.1
  libperl5.8            5.8.7-10ubuntu1.2

Ubuntu 7.10:
  libarchive-tar-perl   1.31-1ubuntu0.1
  libperl5.8            5.8.8-7ubuntu3.4
  perl-modules          5.8.8-7ubuntu3.4

Ubuntu 8.04 LTS:
  libarchive-tar-perl   1.36-1ubuntu0.1
  libperl5.8            5.8.8-12ubuntu0.3
  perl-modules          5.8.8-12ubuntu0.3

Ubuntu 8.10:
  perl-modules          5.10.0-11.1ubuntu2.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Jonathan Smith discovered that the Archive::Tar Perl module did not
correctly handle symlinks when extracting archives. If a user or
automated system were tricked into opening a specially crafted tar file,
a remote attacker could over-write arbitrary files. (CVE-2007-4829)

Tavis Ormandy and Will Drewry discovered that Perl did not correctly
handle certain utf8 characters in regular expressions. If a user or
automated system were tricked into using a specially crafted expression,
a remote attacker could crash the application, leading to a denial
of service. Ubuntu 8.10 was not affected by this issue. (CVE-2008-1927)

A race condition was discovered in the File::Path Perl module's rmtree
function. If a local attacker successfully raced another user's call
of rmtree, they could create arbitrary setuid binaries. Ubuntu 6.06
and 8.10 were not affected by this issue. (CVE-2008-5302)

A race condition was discovered in the File::Path Perl module's rmtree
function. If a local attacker successfully raced another user's call of
rmtree, they could delete arbitrary files. Ubuntu 6.06 was not affected
by this issue. (CVE-2008-5303)




