Bug 176731

Summary: CVE-2005-3962 Perl Format String Vulnerability
Product: [Retired] Fedora Legacy Reporter: David Eisenstein <deisenst>
Component: perlAssignee: David Eisenstein <deisenst>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bugs, donjr, jpdalbec, mic, peak, pekkas, tseaver
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/bid/15629
Whiteboard: LEGACY, rh9, 1, 2,
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-02-25 14:54:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 152845    
Bug Blocks:    
Attachments:
Description Flags
Proposed updates-testing announcement text
none
Oops ... typo. Updated text for updates-testing.
none
Grr, fix didn't take. *Real* corrected text.
none
Fourth time a charm?? none

Description David Eisenstein 2005-12-31 04:44:43 UTC 
Description of problem:  (from John Dalbec's 9-Dec posting to
fedora-legacy-list):

HIGH: Perl Format String Vulnerability
Affected:
Perl versions 5.9.2 and 5.8.6 confirmed; potentially all Perl versions
Webmin version 1.23 and prior

Description: Perl is widely used as a scripting language for a variety
of applications including web-based software. Perl contains a
vulnerability that can be triggered by passing a format specifier of the
form "%INT_MAXn". The vulnerability causes an integer variable in a Perl
function to wrap around (change its parity) that can be exploited to
execute arbitrary code. For instance, "%2147483647n" format specifier
will trigger the flaw in Perl running on 32-bit Operating Systems. Note
that the flaw can be exploited only via Perl-based applications that
contain a format string vulnerability. The discoverers have reportedly
found several applications that are vulnerable. 

One of the affected applications is Webmin, a web interface to perform
administrative tasks like server and user configuration. Webmin's web
server miniserv.pl, which runs on port 10000/tcp by default, contains a
format string vulnerability. By passing a username containing a format
specifier, an attacker can exploit the flaw to execute arbitrary code
with possibly root privileges. Immunity, Inc. has made an exploit
available to some of its customers. 

A workaround for the Webmin flaw is to block the traffic to port
10000/tcp at the network perimeter.

References:
DyadSecurity Advisory
  http://www.dyadsecurity.com/perl-0002.html
  http://www.dyadsecurity.com/webmin-0001.html
Posting by giarc
  http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0001.html
Posting by Dave Aitel
  http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0015.html
Webmin Homepage:  http://www.webmin.com
SecurityFocus BID:  http://www.securityfocus.com/bid/15629

How reproducible:
Didn't try.

Version-Release number of selected component (if applicable):
All legacy-supported Perl releases for RH9, FC1, FC2.

Note that RH7.3's release is apparently not affected:
(from fedora-legacy-list posting by Pavel Kankovsky, 
<http://tinyurl.com/99mde>)

"Perl 5.6.1 in RH 7.3 appears not to be affected (%N$ is not supported).
Newer versions are probably affected."
Comment 1 David Eisenstein 2005-12-31 04:56:09 UTC 
Red Hat has issued updated packages for FC3, FC4, RHEL 3, and RHEL 4.
Patches should be available from their packages.

From RHEL-3's announcement:

"An integer overflow bug was found in Perl's format string processor.  It
is possible for an attacker to cause perl to crash or execute arbitrary
code if the attacker is able to process a malicious format string.  This
issue is only exploitable through a script wich passes arbitrary untrusted
strings to the format string processor.  The Common Vulnerabilities and
Exposures project assigned the name CVE-2005-3962 to this issue."

References:

  * CVE-2005-3962  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962
  * FEDORA-2005-1145 (FC3)
http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00043.html
    (which is updated by FEDORA-2005-1149 @
http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00050.html).
  * FEDORA-2005-1144 (FC4)
http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00042.html
  * RHSA-2005:881 (RHEL3)  http://rhn.redhat.com/errata/RHSA-2005-881.html
  * RHSA-2005:880 (RHEL4)  http://rhn.redhat.com/errata/RHSA-2005-880.html

Note that Michael Mansour adds (in <http://tinyurl.com/9e7s9>):

"If you are running Webmin version 1.240 or older (and have logging via syslog
enabled), then this affects you. Webmin version 1.250 has been out for a while
which fixes this, so just upgrade. http://www.webmin.com"
Comment 2 David Eisenstein 2005-12-31 05:24:38 UTC 
Oh, also for FC2 since we'll be in here already, we can implement the fixed
patch for the 'perl fails "lib/FindBin" test (breaks MRTG)' bug (Bug #127023).

This would replace the broken 'perl-5.8.3-findbin-selinux.patch' (ref.
Bug #127023 comment #13) with a back-ported 'perl-5.8.6-findbin-selinux.patch'
from Bug #127023 comment #37 (attachment #114407 [details]).
Comment 3 David Eisenstein 2006-01-26 10:24:43 UTC 
Patches available for RH9, FC1 & FC2 at
    http://dev.perl.org/perl5/news/2005/perl_patches_fix_sprintf_buffer.html
Comment 4 David Eisenstein 2006-01-27 05:30:12 UTC 
Have patched and built FC1 packages.  Am going to install them on my own FC1
box & do a bit of my own testing, and will post those packages here shortly.

This will be followed by RH9 and FC2 packages, which will probably be built
on jane, all for source-level PUBLISH verification.
Comment 5 David Eisenstein 2006-01-30 21:25:40 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated SRPM's to QA that fix CVE-2005-3962:

"An integer overflow bug was found in Perl's format string processor.  It
is possible for an attacker to cause perl to crash or execute arbitrary
code if the attacker is able to process a malicious format string.  This
issue is only exploitable through a script wich passes arbitrary untrusted
strings to the format string processor.	 The Common Vulnerabilities and
Exposures project assigned the name CVE-2005-3962 to this issue."

Note that Red Hat Linux 7.3 is not subject to this vulnerability.

========= SHA1SUM ======================  ======== PACKAGE =================
RH9:

Source:
http://fedoralegacy.org/contrib/perl/perl-5.8.0-90.0.13.legacy.src.rpm
d90454e7968300eced057d96f2d0b71e5851efc2__perl-5.8.0-90.0.13.legacy.src.rpm

Binaries:
all at http://fedoralegacy.org/contrib/perl/
b4eb707694df6a713af14c810e09a32b6d35d0cc__perl-5.8.0-90.0.13.legacy.i386.rpm
7ebac7c5b581380dd3a3cf9c00be63f2c0f13e3c__perl-CGI-2.81-90.0.13.legacy.i386.rpm
dfccbc4661407f3d89b41382228a5a0cae44c4e6__perl-CPAN-1.61-90.0.13.legacy.i386.rpm
8868bce8ebf170e72da5cb93d98baa3293535c42__perl-DB_File-1.804-90.0.13.legacy.i386.rpm
17e5a5342e65c66abe6581b7d84f0493f55b0e67__perl-suidperl-5.8.0-90.0.13.legacy.i386.rpm


FC1:

Source:
http://fedoralegacy.org/contrib/perl/perl-5.8.3-17.5.legacy.src.rpm
29ad66a48ac7864ade5d8c229bee971769bdef73__perl-5.8.3-17.5.legacy.src.rpm

Binaries:
all at http://fedoralegacy.org/contrib/perl/
b190e6b47b8097a4b3b071146b205ed24cf42e5a__perl-5.8.3-17.5.legacy.i386.rpm
56506d8b583c811541f39edaea9aa8639f211dfe__perl-suidperl-5.8.3-17.5.legacy.i386.rpm


FC2:

Source:
http://fedoralegacy.org/contrib/perl/perl-5.8.3-19.5.legacy.src.rpm
f43269a9059dbd4a0e58392a2132dab0c1a94957__perl-5.8.3-19.5.legacy.src.rpm

Binaries:
all at http://fedoralegacy.org/contrib/perl/
27fa46819964802400f5479ee82254b7ce3b8b67__perl-5.8.3-19.5.legacy.i386.rpm
52f202f072773751db900b7df1784c0a7d846a62__perl-suidperl-5.8.3-19.5.legacy.i386.rpm


Changelogs:
- -----------
RH9:
* Sat Jan 28 2006 David Eisenstein <deisenst> 2:5.8.0-90.0.13.legacy
- - Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability,
  bugzilla Bug #176731.

FC1:
* Thu Jan 26 2006 David Eisenstein <deisenst> 3:5.8.3-17.5.legacy
- - Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability,
  bugzilla Bug #176731.

FC2:
* Sat Jan 28 2006 David Eisenstein <deisenst> 3:5.8.3-19.5.legacy
- - Replace broken perl-5.8.3-findbin-selinux.patch with better patch by
  Jose Pedro Oliveira so perl will not fail "lib/FindBin" test.	 See
  Bugzilla Bug #176731 comment 2.

* Sat Jan 28 2006 David Eisenstein <deisenst> 3:5.8.3-19.4.legacy
- - Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability,
  bugzilla Bug #176731.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFD3oSexou1V/j9XZwRAkjIAKCN6/PoHxQDENDS96UCrsPMOHZ4wwCfXb8P
j2IqdEUrhGSp9YL8CSo2W8M=
=3MPo
-----END PGP SIGNATURE-----
Comment 6 Pekka Savola 2006-01-31 11:02:45 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
                                                                               
                                                                     
QA w/ rpm-build-compare.sh:
 - source file integrity good
 - spec file changes minimal
 - patches verified to come from perl upstream and Fedora CVS (for findbin).
                                                                               
                                                                     
+PUBLISH RHL9, FC1, FC2
                                                                               
                                                                     
d90454e7968300eced057d96f2d0b71e5851efc2  perl-5.8.0-90.0.13.legacy.src.rpm
29ad66a48ac7864ade5d8c229bee971769bdef73  perl-5.8.3-17.5.legacy.src.rpm
f43269a9059dbd4a0e58392a2132dab0c1a94957  perl-5.8.3-19.5.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFD30TUGHbTkzxSL7QRAvzYAJ4konRtB0r3rgphsBk/uPe31QzkuQCgijL0
5zRfbU323xr9C3nP9HHg4cc=
=AuMY
-----END PGP SIGNATURE-----
Comment 7 David Eisenstein 2006-02-06 10:42:33 UTC 
By the way, Marc, I believe I built all these packages' binaries on jane
before submitting them for PUBLISH QA.  So they ought to already be built.
Do you need the build announcement text?
Comment 8 Marc Deslauriers 2006-02-06 22:40:48 UTC 
Oh, good. Could you make the announcement text?
Comment 9 David Eisenstein 2006-02-07 20:56:37 UTC 
Created attachment 124336 [details]
Proposed updates-testing announcement text

Here it is, Marc.  Should be ready to push to updates-testing once the pack-
ages are sha1sum'ed and signed.  Thanks.
Comment 10 David Eisenstein 2006-02-07 21:02:06 UTC 
Created attachment 124337 [details]
Oops ... typo.  Updated text for updates-testing.
Comment 11 David Eisenstein 2006-02-07 21:04:55 UTC 
Created attachment 124338 [details]
Grr, fix didn't take.  *Real* corrected text.
Comment 12 David Eisenstein 2006-02-07 21:08:10 UTC 
Created attachment 124339 [details]
Fourth time a charm??
Comment 13 Marc Deslauriers 2006-02-09 00:40:12 UTC 
Packages were pushed to updates-testing.
Comment 14 Tom Yates 2006-02-09 21:57:46 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

4d2401a09f2cc0b126df88659bd9e259a528146d perl-5.8.0-90.0.13.legacy.i386.rpm
3b5448a2a8d8241a85c4c54ad5d5deb4b9d466d4 perl-CGI-2.81-90.0.13.legacy.i386.rpm
40a05fcf3a7d128e7fa79b00022d54d0542bd3af perl-CPAN-1.61-90.0.13.legacy.i386.rpm
5444ce68de7e8f0b1b051a15a1658c7d497be61b perl-DB_File-1.804-90.0.13.legacy.i386.rpm
76ff3cdbe78a2e7c92c1f95760906fd396f974bf perl-suidperl-5.8.0-90.0.13.legacy.i386.rpm

installs OK.  spamassassin depending heavily on perl, i have restarted
spamd, and i don't see any problems processing mail.  i don't know how
good a test others may consider that, but i'm happy.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD67uuePtvKV31zw4RApsuAKDLcmN6ITYuC0XE6AcmGp2225yVlACeN6/R
6RykrIrT5qxK+uVRiE7j2mk=
=LPnP
-----END PGP SIGNATURE-----
Comment 15 Pekka Savola 2006-02-10 06:03:51 UTC 
Timeout in 4 weeks.
Comment 16 Pekka Savola 2006-02-14 06:33:06 UTC 
New policy: automatic accept after two weeks if no negative feedback.
Comment 17 Donald Maner 2006-02-24 04:30:09 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

fc1:
3267a9d83ac3cadcfa650b1625cf5c458adb5540  perl-5.8.3-17.5.legacy.i386.rpm
50a02fd2d68f47d35f76bc690281253bbdf9a486  perl-DBI-1.37-1.1.legacy.i386.rpm
2445d66c7ced8bccc7d875a21404216a0cd5cdb6  perl-suidperl-5.8.3-17.5.legacy.i386.rpm

fc2:
772f9571df3a0eab7749bb0d162311f4cd539879  perl-5.8.3-19.5.legacy.i386.rpm
69a623c7db409341705bfc125b5fd6f0c056af7b  perl-DBI-1.40-4.1.legacy.i386.rpm
83cf2b36b48760eb1f99a042214eead7a9650d38  perl-suidperl-5.8.3-19.5.legacy.i386.rpm

Packages installed fine.  Performed QA using ikonboard 3.1.1 forums.  MySQL
database on fc4 box.  Forum testing worked fine, was able to post, read and
search successfully.

+VERIFY fc1,fc2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD/o0ipxMPKJzn2lIRAoJvAJ4iaVSe9TxnMR/J7AikyEym35TCHQCeJ95J
1a7qgGn+nZ7TvOkcO4DOs4k=
=r4/E
-----END PGP SIGNATURE-----
Comment 18 Pekka Savola 2006-02-24 05:55:44 UTC 
Thanks!
Comment 19 Tres Seaver 2006-02-24 18:14:44 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages tested:

  3267a9d83ac3cadcfa650b1625cf5c458adb5540  perl-5.8.3-17.5.legacy.i386.rpm
  50a02fd2d68f47d35f76bc690281253bbdf9a486  perl-DBI-1.37-1.1.legacy.i386.rpm


  - SHA1 checksums and GPG signatures verified.

  - Both packages installed cleanly.

  - Webmin ran fine after the update (I was able to log in, browse MySQL
    databases, etc.)

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD/04p+gerLs4ltQ4RAn+vAKC3igyTHtvW8Wo35L6bAh1V1neKjgCgpJRF
Tx5iOTu8q8ic43G1Z466ZC0=
=1+Cq
-----END PGP SIGNATURE-----
Comment 20 Pekka Savola 2006-02-25 07:56:28 UTC 
Thanks!
Comment 21 Marc Deslauriers 2006-02-25 14:54:20 UTC 
Packages were released.