-----BEGIN PGP SIGNED MESSAGE-----

NOTE: THIS ADVISORY (SA-1997.08) HAS BEEN SUPERSEDED BY SA-1997.25!

Subject: Caldera Security Advisory SA-1997.08: Vulnerability in perl package

Caldera Security Advisory SA-1997.08
Original issue date:    6-July-1997
Last revised:           13-Oct-1997

Topic: Vulnerability in perl

I. Problem Description

	A vulnerability exists within sperl that allows local users to gain
	root access if sperl is installed SUID root.

II. Impact

	On systems such as Caldera OpenLinux 1.0 and 1.1, an unprivileged
	user can gain root access.

III. Solution

	As a temporary solution, you can disable the exploits for this bug
	with the following command:

		chmod u-s /usr/bin/sperl*
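
	The temporary workaround above, as an added shell example that is not
	part of Caldera's advisory: it lists any sperl* files that still carry
	the setuid bit, removes the bit with the same chmod u-s, and re-checks.
	The function names and the directory argument are assumptions made for
	illustration; the default directory is the advisory's /usr/bin.

```sh
#!/bin/sh
# Added example (not from the advisory). Function names and the optional
# directory argument are hypothetical; /usr/bin is the advisory's path.

# list_suid_sperl [DIR]
# Print every regular file DIR/sperl* that has the setuid bit set.
list_suid_sperl() {
    dir=${1:-/usr/bin}
    for f in "$dir"/sperl*; do
        # Skip an unexpanded glob, symlinks and anything without the bit.
        [ -f "$f" ] && [ ! -L "$f" ] && [ -u "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# strip_suid_sperl [DIR]
# Apply the advisory's "chmod u-s" to each file found, then verify.
# Returns 0 when no setuid sperl* file remains, 1 otherwise
# (for example when chmod failed because the caller is not the owner).
strip_suid_sperl() {
    dir=${1:-/usr/bin}
    list_suid_sperl "$dir" | while IFS= read -r f; do
        chmod u-s "$f" && echo "removed setuid bit: $f"
    done
    remaining=$(list_suid_sperl "$dir")
    if [ -n "$remaining" ]; then
        echo "still setuid:" >&2
        echo "$remaining" >&2
        return 1
    fi
    return 0
}
```

	Source the file and run strip_suid_sperl as root. Run list_suid_sperl
	again after installing packages, since a package install can restore
	the file modes recorded in the package.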

	Obtain the new perl-5.003-5.i386.rpm, perl-add-5.003-5.i386.rpm,
	perl-eg-5.003-5.i386.rpm, perl-man-5.003-5.i386.rpm, and
	perl-pod-5.003-5.i386.rpm files and install according to the
	instructions found in the README file which is one directory up
	from the actual rpm files.

	These packages are located on Caldera's FTP server (ftp.caldera.com):

	/pub/openlinux/updates/1.0/current/RPMS
	/pub/openlinux/updates/1.1/current/RPMS (Both are the same)

	The MD5 checksums (from the "md5sum" command) for these packages are:
	e5ffce472926da6e7f6be29eba137388  perl-5.003-5.i386.rpm
	8c6f96116c02853e9344b3e5514f5e49  perl-add-5.003-5.i386.rpm
	bd0a2d596ba9c202940a8c4283c62b26  perl-eg-5.003-5.i386.rpm
	54eb01649a08e76a4a9046ad8e71ee1a  perl-man-5.003-5.i386.rpm
	c8de577f03edc326316ea30a435ada00  perl-pod-5.003-5.i386.rpm
        
	Please follow the instructions from the README file precisely to
	update any older version of perl that may be on your system.

IV. References / Credits

	This and other Caldera security resources are located at:

		http://www.caldera.com/tech-ref/security/

	This advisory is based on a security upgrade announced to
	the Bugtraq list:

Subject: Buffer overflow in sperl5.003
Message-ID: <Pine.LNX.3.96.970417140348.24662A-101000@cray1.ecst.csuchico.edu>

	Jason Murphy <jtmurphy@ecst.csuchico.edu>
	Willy Tarreau <tarreau@aemiaif.ibp.fr>

	CERT Advisory CA-97.17:
	
		ftp://info.cert.org/pub/cert_advisories/CA-97.17.sperl

V. PGP Signature

	This message was signed with the PGP key for <security@caldera.com>.

	This key can be obtained from:
		ftp://ftp.caldera.com/pub/pgp-keys/

	Or on an OpenLinux CDROM under:
		/OpenLinux/pgp-keys/

	$Id: SA-1997.08,v 1.2 1997/10/13 18:03:10 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNEJjJOn+9R4958LpAQF+jQQAgYWb7vaaz9yZzitbnAMIb0qFqXpnJWGx
hBJgiUtEDAswfwCJDZo918TlT8pdXlMaV0HgTGINjX7MuQzyprP4MfykNSzQ27c2
mFMttNBI3FS9tH4PxWI3Dp9DKeDV8SxuPORSUB4ZD4REpdDlNruJMvdrpJL9vCCf
RGZEWtTkmVs=
=uz3I
-----END PGP SIGNATURE-----