Safe.pm could allow an attacker to bypass access restrictions

safe-pm-bypass-restrictions (10574)

Medium Risk

Description:

Safe.pm could allow a remote or local attacker to bypass access restrictions, and possibly execute code outside of the restricted environment. If the Safe compartment has been used at least once, an attacker could modify the "@_" variable to modify the compartment's mask, which would allow the attacker to execute code outside of the restricted compartment the next time Safe.pm is used.

Platforms Affected:

• Debian, Debian Linux 2.2
• Debian, Debian Linux 3.0
• Gentoo, Linux
• Malcolm Beattie, Safe.pm prior to 2.08
• OpenPKG, OpenPKG 1.0
• OpenPKG, OpenPKG 1.1
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 AW
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux 7.1
• RedHat, Linux 7.1 for iSeries
• RedHat, Linux 7.1 for pSeries
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux 8.0
• RedHat, Linux 9.0
• RedHat, Linux Advanced Workstation 2.1 Itanium
• SCO, Caldera OpenLinux 7.1.1
• SCO, Caldera OpenLinux 7.1.3
• SCO, Caldera OpenLinux Server 3.1.1
• SCO, Caldera OpenLinux Workstation 3.1.1
• SCO, Caldera OpenUnix 8.0.0
• SGI, IRIX 2.2.1
• SGI, IRIX 2.3
• Trustix, Secure Linux 1.01
• Trustix, Secure Linux 1.1
• Trustix, Secure Linux 1.2
• Trustix, Secure Linux 1.5

Remedy:

Upgrade to the latest version of Safe.pm (2.09 or later), available from the CPAN Web site. See References.

For Debian GNU/Linux:
Upgrade to the latest version of perl, perl 5.004, or perl 5.005 package, as listed below. Refer to DSA-208-1 for more information. See References.

perl 5.004:
Debian GNU/Linux 2.2 (potato): 5.004.05-6.2 or later

perl 5.005:
Debian GNU/Linux 2.2 (potato): 5.005.03-7.2 or later

perl:
Debian GNU/Linux 3.0 (woody): 5.6.1-8.2 or later

For OpenPKG:
Upgrade to the latest perl package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.014 for more information. See References.

OpenPKG 1.0: 5.6.1-1.0.2 or later
OpenPKG 1.1: 5.6.1-1.1.1 or later
OpenPKG CURRENT: 5.8.0-20021216 or later

For Trustix Secure Linux 1.01, 1.1, 1.2, and 1.5:
Upgrade to the latest perl package (5.00503-14tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0087 for more information. See References.

For Gentoo Linux:
Upgrade versions sys-devel/perl-5.6.1-r9 and earlier or sys-devel/5.8.0-r5 or earlier, as listed in Gentoo Linux Security Announcement 200212-6. See References.

For Red Hat Linux:
Upgrade to the latest perl package, as listed below. Refer to RHSA-2003:256-15 for more information. See References.

Red Hat 7.1 for iSeries and pSeries: 5.6.1-36.1.71 or later
Red Hat 7.2: 5.6.1-36.1.72 or later
Red Hat 7.3: 5.6.1-36.1.73 or later
Red Hat 8.0: 5.8.0-88.3 or later
Red Hat 9: 5.8.0-88.3 or later

For Red Hat Linux containing the perl package:
Upgrade to the latest perl package, as listed below. Refer to RHSA-2003:257-12 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v.2.1), WS (v.2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 5.6.1-36.1.99ent or later

For SGI IRIX:
Apply the patch for this vulnerability, as listed in SGI Security Advisory 20031002-01-U. See References.

For Caldera OpenLinux 3.1.1 Server and Workstation:
Upgrade to the latest perl package, as listed below. Refer to SCO Security Advisory CSSA-2004-007.0 for more information. See References.

Caldera OpenLinux 3.1.1 Server and Workstation: 5.8.3-1 or later

For Caldera UnixWare 7.1.3 and 7.1.1, and OpenUnix 8.0.0:
Upgrade to the latest perl package, as listed below. Refer to SCO Security Advisory CSSA-2004-1 for more information. See References.

Caldera OpenLinux 7.1.3 and 7.1.1, and OpenUnix 8.0.0: 5.00404 or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Bypass Security

References:

• CIAC Information Bulletin N-155, Red Hat Updated Perl packages fix security issues at http://www.ciac.org/ciac/bulletins/n-155.shtml.
• CPAN Web site, search.cpan.org: Safe - Compile and execute code in restricted compartments at http://search.cpan.org/author/ABERGMAN/Safe/Safe.pm.
• Gentoo Linux Security Announcement 200212-6, perl -- broken safe compartment at http://www.linuxsecurity.com/content/view/104440/104/.
• SCO Security Advisory CSSA-2004-007.0, OpenLinux: Perl Safe.pm unsafe access at http://lwn.net/Alerts/72271/.
• SCO Security Advisory SCOSA-2004.1, UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : perl unsafe Safe compartment at http://www.linuxsecurity.com/content/view/105895/98/. (From LinuxSecurity archive)
• SGI Security Advisory 20030606-01-A, Perl "Safe.pm" vulnerability at ftp://patches.sgi.com/support/free/security/advisories/20030606-01-A.
• SGI Security Advisory 20031002-01-U, SGI Advanced Linux Environment security update #3 at ftp://patches.sgi.com/support/free/security/advisories/20031002-01-U.asc.
• Trustix Secure Linux Security Advisory #2002-0087, perl -- Safe compartments not being safe at http://www.trustix.net/errata/2002/0087/.
• VulnWatch Mailing List, Tue Nov 05 2002 - 23:59:18 CST , Perl Safe.pm compartment reuse vuln at http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0061.html.
• BID-6111: Safe.PM Unsafe Code Execution Vulnerability
• CVE-2002-1323: Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls.
• DSA-208: perl -- broken safe compartment
• OpenPKG-SA-2002.014: Perl Safe.pm
• OSVDB ID: 2183: Perl Safe.pm Access Bypass
• OSVDB ID: 3814: Multiple Unix Vendor passwd Malformed ulimit /etc/passwd Manipulation
• RHSA-2003-256: Updated Perl packages fix security issues.
• RHSA-2003-257: perl security update

Reported:

Nov 05, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page