Security advisory: perl (CVE-2005-3962)

Security advisory: perl (CVE-2005-3962)

Yaakov (Cygwin/X)
Gerrit,

Perl is vulnerable to format string programming errors, that could be
exploited to execute arbitrary code.

Patch:
http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-exp_intwrap.patch

More information:
http://www.gentoo.org/security/en/glsa/glsa-200512-01.xml
http://bugs.gentoo.org/show_bug.cgi?id=114113
http://www.dyadsecurity.com/perl-0002.html


Yaakov

Re: Security advisory: perl (CVE-2005-3962)

Corinna Vinschen-2
On Dec  9 13:51, Yaakov S (Cygwin Ports) wrote:
> Gerrit,
>
> Perl is vulnerable to format string programming errors, that could be
> exploited to execute arbitrary code.
>
> Patch:
> http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-exp_intwrap.patch

Gerrit?  Ping?


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: Security advisory: perl (CVE-2005-3962)

Gerrit P. Haase
Corinna wrote:

> On Dec  9 13:51, Yaakov S (Cygwin Ports) wrote:
>> Gerrit,
>>
>> Perl is vulnerable to format string programming errors, that could be
>> exploited to execute arbitrary code.
>>
>> Patch:
>> http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-exp_intwrap.patch

> Gerrit?  Ping?

Ah, yes.  Will revisit this issue today.


Gerrit
--
=^..^=

Re: Security advisory: perl (CVE-2005-3962)

Yitzchak Scott-Thoennes
On Thu, Dec 29, 2005 at 09:55:16AM +0100, Gerrit P. Haase wrote:

> Corinna wrote:
>
> > On Dec  9 13:51, Yaakov S (Cygwin Ports) wrote:
> >> Gerrit,
> >>
> >> Perl is vulnerable to format string programming errors, that could be
> >> exploited to execute arbitrary code.
> >>
> >> Patch:
> >> http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-exp_intwrap.patch
>
> > Gerrit?  Ping?
>
> Ah, yes.  Will revisit this issue today.

The official patch:

http://search.cpan.org/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.7.patch

There were also a few subsequent patches to printf stuff, not directly
related to the above security advisory, and a fix to Sys::Syslog which
IIRC was.