[tinysofa-announce] TSSA-2004-002 - perl
tinysofa Security Team
security at tinysofa.org
Mon May 3 12:10:24 UTC 2004
--------------------------------------------------------------------------
tinysofa Security Advisory #2004-002
Package name: perl
Summary: Major security hole
Advisory ID: TSSA-2004-002
Date: 2004-05-03
Affected versions: tinysofa enterprise server 1.0
--------------------------------------------------------------------------
Package description:
perl:
Perl is a high-level programming language with roots in C, sed, awk
and shell scripting.
Problem description:
perl:
Due to changes in the perl installation process, starting from version
5.8.4, the suidperl binary is a hard link to the perl5.8.4 binary, instead
of the sperl5.8.4 binary. As a result of this change, and due to the
package specifying that suidperl is a setuid binary, the perl5.8.4 binary
was also setuid. This is a critical security hole that allows local users
to access the system as root. This update fixes Bug #4:
<URI:http://www.tinysofa.org/bugs/show_bug.cgi?id=4>
Action:
We recommend that all systems with these packages installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All tinysofa updates are available from
<URI:http://http.tinysofa.org/pub/tinysofa/updates/>
<URI:ftp://ftp.tinysofa.org/pub/tinysofa/updates/>
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.tinysofa.org/support/>
Verification:
This advisory is signed with the tinysofa security sign key.
This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAEDCBB4B>
All tinysofa packages are signed with the tinysofa stable sign key.
This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0F1240A2>
The advisory is available from the tinysofa errata database at
<URI:http://www.tinysofa.org/support/errata/>
or directly at
<URI:http://www.tinysofa.org/support/errata/2004/002.html>
MD5sums of the packages:
--------------------------------------------------------------------------
76da1c41f914145475e37853cefda339 perl-5.8.4-2ts.i586.rpm
2e5b746c870a13f5cbcf7bdcf062427c perl-devel-5.8.4-2ts.i586.rpm
749468986c3e5e39a0a06a14d34142f6 perl-doc-5.8.4-2ts.i586.rpm
--------------------------------------------------------------------------
tinysofa Security Team
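
Added example, not part of the advisory or of tinysofa's tooling: the problem description above comes down to permission bits living on the inode, so a setuid bit set through one hard-linked name applies to every other name of that file. The audit below lists setuid files that have more than one name; the function names are hypothetical and `stat -c` (GNU coreutils or busybox) is assumed.

```shell
#!/bin/sh
# Audit for setuid files that have more than one hard link.
# Mode bits are stored on the inode, not on the directory entry, so every
# name listed for an inode runs with the same setuid privilege.
# Usage (after sourcing this file): suid_hardlinks /usr/bin /usr/lib

# suid_hardlinks DIR...
# One line per name: "<dev>:<inode> <link-count> <octal-mode> <owner> <path>"
# Names that share the first field are the same file.
suid_hardlinks() {
    # -xdev       : hard links cannot cross filesystems, so do not either
    # -perm -4000 : setuid bit is set
    # -links +1   : the inode has at least two names
    find "$@" -xdev -type f -perm -4000 -links +1 \
        -exec stat -c '%d:%i %h %a %U %n' {} + 2>/dev/null | sort
}

# suid_unseen_links DIR...
# Reports inodes whose link count is higher than the number of names found
# under DIR, meaning another setuid name exists outside the searched tree.
suid_unseen_links() {
    suid_hardlinks "$@" | awk '
        { seen[$1]++; links[$1] = $2 }
        END {
            for (k in seen)
                if (links[k] > seen[k])
                    printf "%s: found %d of %d names\n", k, seen[k], links[k]
        }'
}
```

Any name in the output that is not meant to be setuid, such as a general-purpose interpreter, deserves a closer look.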