Executive Summary
| Summary | |
|---|---|
| Title | New Perl packages correct Safe handling |
| Informations | |||
|---|---|---|---|
| Name | DSA-208 | First vendor Publication | 2002-12-12 |
| Vendor | Debian | Last vendor Modification | 2002-12-12 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 4.6 | Attack Range | Local |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security hole has been discovered in Safe.pm which is used in all versions of Perl. The Safe extension module allows the creation of compartments in which perl code can be evaluated in a new namespace and the code evaluated in the compartment cannot refer to variables outside this namespace. However, when a Safe compartment has already been used, there's no guarantee that it is Safe any longer, because there's a way for code to be executed within the Safe compartment to alter its operation mask. Thus, programs that use a Safe compartment only once aren't affected by this bug. This problem has been fixed in version 5.6.1-8.2 for the current stable distribution (woody), in version 5.004.05-6.2 and 5.005.03-7.2 for the old stable distribution (potato) and in version 5.8.0-14 for the unstable distribution (sid). We recommend that you upgrade your Perl packages. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 2.2 alias potato |
Original Source
| Url : http://www.debian.org/security/2002/dsa-208 |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:1160 | |||
| Oval ID: | oval:org.mitre.oval:def:1160 | ||
| Title: | Safe.PM Unsafe Code Execution Vulnerability | ||
| Description: | Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2002-1323 | Version: | 3 |
| Platform(s): | Sun Solaris 8 Sun Solaris 9 | Product(s): | Perl |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-06-03 | Name : Solaris Update for Perl 119449-01 File : nvt/gb_solaris_119449_01.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 208-1 (perl, perl-5.004, perl-5.005) File : nvt/deb_208_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 2183 | Perl Safe.pm Access Bypass Safe.pm contains a flaw that could allow a local or remote attacker execute code outside of Safe.pm's restricted environment called a compartment. If the compartment has been accessed at least once, an attacker could change the the mask of the compartment to access code outside of the compartment. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-208.nasl - Type : ACT_GATHER_INFO |
| 2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2003-257.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:29:33 |
|
