Bulletin d'alerte Debian

DSA-208-1 perl -- Manipulation de compartiments sûrs vulnérable

Date du rapport:

12 décembre 2002

Paquets concernés:

Vulnérabilité:

Oui

Références dans la base de données de sécurité:

Dans la base de données de suivi des bogues (chez SecurityFocus) : Identificateur BugTraq 6111.
Dans le dictionnaire CVE du Mitre : CVE-2002-1323.

Pour plus d'information:

Une faille de sécurité a été découverte dans le fichier Safe.pm qui est utilisé dans toutes les versions de Perl. Le module d'extension Safe permet la création de compartiments dans lesquels le code perl est évalué dans un nouvel espace de noms ; le code évalué dans le compartiment ne peut faire référence à des variables en dehors de ce compartiment. Cependant, quand un compartiment Safe a déjà été utilisé, il n'y a aucune garantie que le compartiment soit toujours sécurisé (« Safe ») car il existe un moyen pour que le code exécuté dans le compartiment sécurisé puisse modifier son masque de travail. Ainsi, les programmes n'utilisant un compartiment sécurisé qu'une seule fois ne sont pas affectés par ce bogue.

Ce problème a été corrigé dans la version 5.6.1-8.2 dans l'actuelle distribution stable (Woody), dans les versions 5.004.05-6.2 et 5.005.03-7.2 pour l'ancienne distribution stable (Potato) et dans la version 5.8.0-14 pour la distribution unstable (Sid).

Nous vous recommandons de mettre à jour vos paquets Perl.

Corrigé dans:

Debian GNU/Linux 2.2 (potato)

Source :: http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2.dsc; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2.diff.gz; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05.orig.tar.gz; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2.dsc; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2.diff.gz; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03.orig.tar.gz
Composant indépendant de l'architecture :: http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-doc_5.004.05-6.2_all.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-doc_5.005.03-7.2_all.deb
Alpha:: http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_i386.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_m68k.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_powerpc.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004_5.004.05-6.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-base_5.004.05-6.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-debug_5.004.05-6.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl-5.004/perl-5.004-suid_5.004.05-6.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005_5.005.03-7.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-base_5.005.03-7.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-debug_5.005.03-7.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-suid_5.005.03-7.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl-5.005/perl-5.005-thread_5.005.03-7.2_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source :: http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2.dsc; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2.diff.gz; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
Composant indépendant de l'architecture :: http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.2_all.deb; http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.2_all.deb; http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.2_all.deb
Alpha:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_alpha.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_arm.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_i386.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_ia64.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_hppa.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_m68k.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_mips.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_mips.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_mipsel.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_powerpc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_s390.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_s390.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.2_sparc.deb; http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.2_sparc.deb

Les sommes MD5 des fichiers indiqués sont disponibles sur la page originale de l'alerte de sécurité.