[ic] Perl advisory

Mike Heins mike at perusion.com
Tue Sep 23 22:38:23 EDT 2003

Quoting Paul Vinciguerra (pvinci at vinciguerra.com):
> I just recieved the following advisory and was wondering the impact on IC of
> these vulnerabilities.

We have already examined it, and the chance of a problem is pretty
small. The main risk is to machines like demo.icdevgroup.com, where
you give random people admin access and they could cause some Perl to
be evaluated with [perl] or [calc]. At that point your database is
in their hands anyway....subject to the security provisions you have
in place there.

Even then, they could only do what their IC daemon does; but that might
include reading some files you don't want read.

In any case, the update to Safe v1.09 is as simple as:

	perl -MCPAN -e 'install Safe'

It takes seconds because it is such a small Perl-only module.

If you can't upgrade Perl yourself, you should tell your system
admin and have them patch.

> -Paul
> -------------------------------------------------------------------------
> Two security issues have been found in Perl that affect the Perl packages
> shipped with Red Hat Linux:
> When safe.pm versions 2.0.7 and earlier are used with Perl 5.8.0 and
> earlier, it is possible for an attacker to break out of safe compartments
> within Safe::reval and Safe::rdo by using a redefined @_ variable.

[snip rest]

Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.513.523.7621      <mike at perusion.com>

There's nothing sweeter than life nor more precious than time.
-- Barney

More information about the interchange-users mailing list