Technical Description

Fedora has released a security patch to correct three vulnerabilities identified in Perl. The first issue resides in the "rmtree()" function in the perl "File::Path" module, which could be exploited to remove arbitrary files and directories via a symlink attack. The second flaw resides in the "PERLIO_DEBUG" environment variable, which may be exploited by malicious users to overwrite arbitrary files. The third vulnerability is due to a buffer overflow error which occurs when handling a very long path. An attacker could exploit this issue to execute arbitrary files with full root privileges.

Affected Products

Fedora Core 3

Solution

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
1509fe0fadb22b69b5f878341b34d767 SRPMS/perl-5.8.5-12.FC3.src.rpm
c90f95a4aacf003d94d2420dd6629650 x86_64/perl-5.8.5-12.FC3.x86_64.rpm
c46fe5d5db1ca845e67b39f21ea37d99 x86_64/perl-suidperl-5.8.5-12.FC3.x86_64.rpm
32a2972a6d1d56a60a213249e70ac7ff x86_64/debug/perl-debuginfo-5.8.5-12.FC3.x86_64.rpm
fb672eecfac3216363fae01b52cb1fd8 i386/perl-5.8.5-12.FC3.i386.rpm
c54d4bb985501c643eb7be1309543779 i386/perl-suidperl-5.8.5-12.FC3.i386.rpm
dbbc18ba952c8df14788658dcf13d014 i386/debug/perl-debuginfo-5.8.5-12.FC3.i386.rpm

References

http://www.vupen.com/english/advisories/2005/0443
http://www.redhat.com/archives/fedora-announce-list/2005-May/msg00005.html

Credits

Vulnerabilities reported by Ville Skytta and Petr Rockai

ChangeLog

2005-05-03 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts with CVE, CWE, and CVSS when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.