[ic] Perl advisory
Mike Heins
mike at perusion.com
Tue Sep 23 22:38:23 EDT 2003
Quoting Paul Vinciguerra (pvinci at vinciguerra.com):
> I just received the following advisory and was wondering the impact on IC of
> these vulnerabilities.
We have already examined it, and the chance of a problem is pretty
small. The main risk is to machines like demo.icdevgroup.com, where
you give random people admin access and they could cause some Perl to
be evaluated with [perl] or [calc]. At that point your database is
in their hands anyway....subject to the security provisions you have
in place there.
Even then, they could only do what their IC daemon does; but that might
include reading some files you don't want read.
In any case, the update to Safe v1.09 is as simple as:
perl -MCPAN -e 'install Safe'
It takes seconds because it is such a small Perl-only module.
If you can't upgrade Perl yourself, you should tell your system
admin and have them patch.
>
> -Paul
>
> -------------------------------------------------------------------------
> Two security issues have been found in Perl that affect the Perl packages
> shipped with Red Hat Linux:
>
> When safe.pm versions 2.0.7 and earlier are used with Perl 5.8.0 and
> earlier, it is possible for an attacker to break out of safe compartments
> within Safe::reval and Safe::rdo by using a redefined @_ variable.
[snip rest]
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.513.523.7621 <mike at perusion.com>
There's nothing sweeter than life nor more precious than time.
-- Barney
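An added check, not part of the thread above: before running the CPAN upgrade command from the reply, a shell script can ask the perl on PATH which Safe.pm it loads and compare that against the range the quoted advisory names ("2.0.7 and earlier"). The threshold is a parameter with a constructed default; the assumption that the advisory's "2.0.7" corresponds to the decimal `$Safe::VERSION` string "2.07" is this script's, not the thread's, so take the real cut-off from your distribution's errata.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report whether the
# installed Safe.pm is at or below a given "last affected" version, so an
# admin can decide whether the upgrade mentioned in the reply is needed.

# version_le A B: exit 0 when A <= B, comparing Perl-style decimal version
# strings numerically (so "2.07" sorts above "2.0" and "1.09" below "2.07").
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 <= b + 0) }'
}

# installed_safe_version: print the $VERSION of the Safe module that the
# perl on PATH loads; fail silently when perl or Safe is unavailable.
installed_safe_version() {
    command -v perl >/dev/null 2>&1 || return 1
    perl -MSafe -e 'print $Safe::VERSION' 2>/dev/null
}

# safe_is_affected INSTALLED LAST_AFFECTED: exit 0 when the installed
# version is at or below the last affected version.
safe_is_affected() {
    version_le "$1" "$2"
}

# Default threshold is the figure quoted in the advisory. Assumption in
# this script: the advisory's "2.0.7" is Safe's decimal version "2.07".
LAST_AFFECTED="${LAST_AFFECTED:-2.07}"

installed=$(installed_safe_version) || installed=""
if [ -z "$installed" ]; then
    echo "perl or Safe.pm not found; nothing to check"
elif safe_is_affected "$installed" "$LAST_AFFECTED"; then
    echo "Safe.pm $installed is at or below $LAST_AFFECTED: upgrade (perl -MCPAN -e 'install Safe')"
else
    echo "Safe.pm $installed is newer than $LAST_AFFECTED"
fi
```

Run it as `LAST_AFFECTED=<version from your errata> sh check-safe.sh`; the comparison is done with awk rather than by splitting on dots because Safe.pm's version is a decimal number, and a dotted comparison would order "2.0.7" and "2.07" differently.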