Red Hat Bugzilla – Bug 114923
CVE-2003-0618 leaks file existance information
Last modified: 2009-08-28 10:16:28 EDT
CAN-2003-0618 was reported 2003Jul29 to Debian. You can test for the
existance of files even if you don't have permission to do so by using
the suidperl command.
# mkdir ~root/delme; chmod 700 ~root/delme;touch ~root/delme/1
$ suidperl ~root/delme/1
Script is not setuid/setgid in suidperl
$ suidperl ~root/delme/2
Can't open perl script "/root/delme/2": No such file ...
Affects: 2.1AS 2.1ES 2.1AW 2.1WS (5.6.1)
Affects: 3AS 3ES 3WS (5.8.0)
Debian released an errata for this issue in Feb 2004.
Actually this doesn't affect RHEL3 because the setuid perl package was
I did some verification work on this one. This issue does affect RHEL3. We may
not have shipped perl-suidperl in the past, we do now.
fixed with perl-5.6.1-38.EL2_1
assigning to email@example.com
that version isn't shipped yet, opening and marking MODIFIED
EL2.1 reached end of life.