Your message dated Thu, 3 Feb 2005 01:24:10 +1100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#293317: perl: Vulnerable to CAN-2005-015[56]
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Feb 2005 13:58:31 +0000
>From [EMAIL PROTECTED] Wed Feb 02 05:58:31 2005
Return-path: <[EMAIL PROTECTED]>
Received: from box79162.elkhouse.de [213.9.79.162]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CwL1b-0007Yp-00; Wed, 02 Feb 2005 05:58:31 -0800
Received: from martin by box79162.elkhouse.de with local (Exim 4.34)
id 1CwL16-0006c5-PC; Wed, 02 Feb 2005 14:58:00 +0100
Date: Wed, 2 Feb 2005 14:58:00 +0100
From: Martin Pitt <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: perl: Vulnerable to CAN-2005-015[56]
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="jq0ap7NbKX2Kqbes"
Content-Disposition: inline
X-Reportbug-Version: 3.2
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--jq0ap7NbKX2Kqbes
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: perl
Version: 5.8.4-5
Severity: critical
Tags: security patch
Justification: root security hole
Hi Brendan!
suid-perl scripts in conjunction with the PERLIO_DEBUG environment
variable have two vulnerabilities (exploitable buffer overflow and
arbitrary file overwrite).
Please see the Ubuntu USN for details:
http://www.ubuntulinux.org/support/documentation/usn/usn-72-1
The Ubuntu debdiff is at
http://patches.ubuntu.com/patches/perl.CAN-2005-0155_0156.diff
However, I just made the fix inline without putting it in
debian/patches.
Thanks,
Martin
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages perl depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libdb4.2 4.2.52-17 Berkeley v4.2 Database Libraries [
ii libgdbm3 1.8.3-2 GNU dbm database routines (runtime
ii perl-base 5.8.4-5 The Pathologically Eclectic Rubbis
ii perl-modules 5.8.4-5 Core Perl modules
-- no debconf information
-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
--jq0ap7NbKX2Kqbes
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
--jq0ap7NbKX2Kqbes--
---------------------------------------
Received: (at 293317-done) by bugs.debian.org; 2 Feb 2005 14:24:14 +0000
>From [EMAIL PROTECTED] Wed Feb 02 06:24:13 2005
Return-path: <[EMAIL PROTECTED]>
Received: from londo.c47.org [198.142.1.20] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CwLQT-0005Bm-00; Wed, 02 Feb 2005 06:24:13 -0800
Received: from bod by londo.c47.org with local (Exim 3.36 #1 (Debian))
id 1CwLQQ-00006m-00; Thu, 03 Feb 2005 01:24:10 +1100
Date: Thu, 3 Feb 2005 01:24:10 +1100
From: Brendan O'Dea <[EMAIL PROTECTED]>
To: Martin Pitt <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#293317: perl: Vulnerable to CAN-2005-015[56]
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
On Wed, Feb 02, 2005 at 02:58:00PM +0100, Martin Pitt wrote:
>suid-perl scripts in conjunction with the PERLIO_DEBUG environment
>variable have two vulnerabilities (exploitable buffer overflow and
>arbitrary file overwrite).
Thanks, Joey sent this one through earlier. Just finishing the builds
now.
--bod