[Full-Disclosure] [USN-70-1] Perl DBI module vulnerability

From: Martin Pitt (martin.pitt_at_canonical.com)
Date: 01/25/05

  • Next message: Thierry Carrez: "[ GLSA 200501-31 ] teTeX, pTeX, CSTeX: Multiple vulnerabilities"
    Date: Tue, 25 Jan 2005 17:45:27 +0100
    To: ubuntu-security-announce@lists.ubuntu.com
    
    
    
    

    ===========================================================
    Ubuntu Security Notice USN-70-1 January 25, 2005
    libdbi-perl vulnerabilities
    CAN-2005-0077
    ===========================================================

    A security issue affects the following Ubuntu releases:

    Ubuntu 4.10 (Warty Warthog)

    The following packages are affected:

    libdbi-perl

    The problem can be corrected by upgrading the affected package to
    version 1.42-3ubuntu0.1. In general, a standard system upgrade is
    sufficient to effect the necessary changes.

    Details follow:

    Javier Fernández-Sanguino Peña from the Debian Security Audit Project
    discovered that the module DBI::ProxyServer in Perl's DBI library
    created a PID file in an insecure manner. This could allow a symbolic
    link attack to create or overwrite arbitrary files with the privileges
    of the user invoking a program using this module (like 'dbiproxy').

    Now the module does not create a such a PID file by default.

      Source archives:

        http://security.ubuntu.com/ubuntu/pool/main/libd/libdbi-perl/libdbi-perl_1.42-3ubuntu0.1.diff.gz
          Size/MD5: 13840 0ea63225d70126bd2492516466a2209d
        http://security.ubuntu.com/ubuntu/pool/main/libd/libdbi-perl/libdbi-perl_1.42-3ubuntu0.1.dsc
          Size/MD5: 608 f6a5286d0a38572cd3ff944669ecf457
        http://security.ubuntu.com/ubuntu/pool/main/libd/libdbi-perl/libdbi-perl_1.42.orig.tar.gz
          Size/MD5: 348167 ca8c8a1a4797d98121b41c1d0a5b3b7c

      amd64 architecture (Athlon64, Opteron, EM64T Xeon)

        http://security.ubuntu.com/ubuntu/pool/main/libd/libdbi-perl/libdbi-perl_1.42-3ubuntu0.1_amd64.deb
          Size/MD5: 575324 487ed69858f7a4d6b0bc4810ea9b99ec

      i386 architecture (x86 compatible Intel/AMD)

        http://security.ubuntu.com/ubuntu/pool/main/libd/libdbi-perl/libdbi-perl_1.42-3ubuntu0.1_i386.deb
          Size/MD5: 573900 eb99ce7af5c6c89bdc969210107807ae

      powerpc architecture (Apple Macintosh G3/G4/G5)

        http://security.ubuntu.com/ubuntu/pool/main/libd/libdbi-perl/libdbi-perl_1.42-3ubuntu0.1_powerpc.deb
          Size/MD5: 577426 58c6f55a93ba0081a0737d16449a0dc8

    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html



  • Next message: Thierry Carrez: "[ GLSA 200501-31 ] teTeX, pTeX, CSTeX: Multiple vulnerabilities"

    Relevant Pages

    • [USN-70-1] Perl DBI module vulnerability
      ... Ubuntu 4.10 ... The following packages are affected: ... The problem can be corrected by upgrading the affected package to ... Javier Fernández-Sanguino Peña from the Debian Security Audit Project ...
      (Bugtraq)
    • [USN-70-1] Perl DBI module vulnerability
      ... Ubuntu 4.10 ... The following packages are affected: ... The problem can be corrected by upgrading the affected package to ... Javier Fernández-Sanguino Peña from the Debian Security Audit Project ...
      (Full-Disclosure)
    • [Full-disclosure] [USN-95-1] Linux kernel vulnerabilities
      ... Ubuntu 4.10 ... The following packages are affected: ... Georgi Guninski discovered a buffer overflow in the ATM driver. ... the previous Ubuntu security update (kernel version ...
      (Full-Disclosure)
    • [USN-95-1] Linux kernel vulnerabilities
      ... Ubuntu 4.10 ... The following packages are affected: ... Georgi Guninski discovered a buffer overflow in the ATM driver. ... the previous Ubuntu security update (kernel version ...
      (Bugtraq)
    • [USN-17-1] passwd vulnerability
      ... Ubuntu 4.10 ... The following packages are affected: ... The problem can be corrected by upgrading the affected package to ... their login shell without having to change their password. ...
      (Bugtraq)