CVE-2005-3962, Re: Perl Format String Vulnerability

David Eisenstein deisenst at gtw.net
Fri Dec 23 09:07:46 UTC 2005


On Fri, 9 Dec 2005, John Dalbec wrote:

> Does this affect us?
> 
> (1) HIGH: Perl Format String Vulnerability
> Affected:
> Perl versions 5.9.2 and 5.8.6 confirmed; potentially all Perl versions
> Webmin version 1.23 and prior
> 
> Description: Perl is widely used as a scripting language for a variety
> of applications including web-based software. Perl contains a
> vulnerability that can be triggered by passing a format specifier of the
> form "%INT_MAXn". The vulnerability causes an integer variable in a Perl
> function to wrap around (change its parity) that can be exploited to
> execute arbitrary code. For instance, "%2147483647n" format specifier
> will trigger the flaw in Perl running on 32-bit Operating Systems. Note
> that the flaw can be exploited only via Perl-based applications that
> contain a format string vulnerability. The discoverers have reportedly
> found several applications that are vulnerable.
> <<snip>>

We are indeed vulnerable to this.  As Pavel Kankovsky pointed out,
RHL 7.3 is not likely vulnerable.  But RHL 9, FC1 & FC2 appear to be
vulnerable to this.  This affects webmin as well, but we do not support
webmin.

Red Hat has issued updated packages for FC3, FC4, RHEL 3, and RHEL 4.
From RHEL-3's announcement:

"An integer overflow bug was found in Perl's format string processor.  It
is possible for an attacker to cause perl to crash or execute arbitrary
code if the attacker is able to process a malicious format string.  This
issue is only exploitable through a script which passes arbitrary untrusted
strings to the format string processor.  The Common Vulnerabilities and
Exposures project assigned the name CVE-2005-3962 to this issue."

References:

  * CVE-2005-3962  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962
  * FEDORA-2005-1145 (FC3) http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00043.html
    (which is updated by FEDORA-2005-1149 @ http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00050.html).
  * FEDORA-2005-1144 (FC4) http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00042.html
  * RHSA-2005:881 (RHEL3)  http://rhn.redhat.com/errata/RHSA-2005-881.html
  * RHSA-2005:880 (RHEL4)  http://rhn.redhat.com/errata/RHSA-2005-880.html

> References:
> DyadSecurity Advisory
> http://www.dyadsecurity.com/perl-0002.html
> http://www.dyadsecurity.com/webmin-0001.html
> Posting by giarc
> http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0001.html
> Posting by Dave Aitel
> http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0015.html
> Webmin miniserv.pl Documentation
> http://www.dyadsecurity.com/webmin-0001.html
> Webmin Homepage
> http://www.webmin.com
> SecurityFocus BID
> http://www.securityfocus.com/bid/15629
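
Added example (not part of the original message, and not Red Hat's or the Perl project's code): since the flaw is reachable only through scripts that hand untrusted strings to the format processor, this line-based heuristic flags Perl printf/sprintf/syslog calls whose format argument is not a constant literal. The function names, the choice of calls to audit and the sample script are assumptions of this example, and the heuristic can produce false positives.

```python
import re

# Calls audited (this example's choice) and the pieces of a format argument.
CALL = re.compile(r"\b(s?printf|syslog)\b\s*\(?\s*(.*)")
FILEHANDLE = re.compile(r"^(?:[A-Z][A-Z0-9_]*|\{[^}]*\})\s+(?=\S)")  # STDERR, {$fh}
DQ = re.compile(r'"((?:[^"\\]|\\.)*)"\s*(.?)')   # "..." plus the next character
SQ = re.compile(r"'((?:[^'\\]|\\.)*)'\s*(.?)")   # '...' plus the next character
INTERP = re.compile(r"(?<!\\)[$@][\w{]")         # $var, ${var}, @array

def classify(fmt):
    """Return None for a constant format literal, else the reason to review."""
    m = SQ.match(fmt) or DQ.match(fmt)
    if not m:
        return "format is not a string literal"
    if fmt[0] == '"' and INTERP.search(m.group(1)):
        return "variable interpolated into the format"
    if m.group(2) not in ("", ",", ")", ";"):
        return "literal joined with an expression"
    return None

def audit(source):
    """Return (line number, function, reason) for each call needing review."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        m = None if code.startswith("#") else CALL.search(code)
        if not m:
            continue
        func, args = m.groups()
        if func == "printf":            # drop a leading filehandle
            args = FILEHANDLE.sub("", args)
        elif func == "syslog":          # the format is the second argument
            args = args.partition(",")[2].lstrip()
        reason = classify(args)
        if reason:
            findings.append((lineno, func, reason))
    return findings

# Constructed sample script, not taken from any real application.
SAMPLE = r"""#!/usr/bin/perl
use Sys::Syslog;
my $msg = $ENV{QUERY_STRING};
printf($msg);
printf("%s\n", $msg);
printf STDERR $msg;
syslog('info', $msg);
syslog('info', '%s', $msg);
my $out = sprintf("Hello $msg");
"""
```

Each hit is a candidate for the usual fix: keep the format constant and pass the data as an argument, as in printf("%s", $msg).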



