Vulnerability Note VU#948385

Perl contains an integer sign error in format string processing

Overview

The Perl interpreter contains a flaw that may increase the impact of format string vulnerabilities in programs written in Perl.

I. Description

Perl is a programming language used in many applications and commonly used for web applications. The Perl interpreter, which interprets and executes Perl programs, contains an integer sign error in its format string processing for formatted I/O.

II. Impact

An attacker may leverage this vulnerability to increase the impact a format string vulnerability in a Perl program. This vulnerability in the Perl interpreter is not directly exploitable.

III. Solution

Patch the Perl interpreter per vendor instructions.

Systems Affected

Vendor	Status	Date Notified
Fedora Project	Vulnerable	28-Dec-2005
Gentoo Linux	Vulnerable	8-Dec-2005
Mandriva, Inc.	Vulnerable	28-Dec-2005
OpenPKG	Vulnerable	6-Dec-2005
Perl Developers	Vulnerable	28-Dec-2005
Red Hat, Inc.	Vulnerable	28-Dec-2005
SUSE Linux	Vulnerable	28-Dec-2005
Trustix Secure Linux	Vulnerable	28-Dec-2005
Ubuntu	Vulnerable	6-Dec-2005

References

http://www.kb.cert.org/vuls/id/946969
http://www.dyadsecurity.com/perl-0002.html
http://secunia.com/advisories/17802/

Credit

Thanks to Jack Louis of Dyad Security, Inc. for reporting this vulnerability.

This document was written by Hal Burch.

Other Information

Date Public:	2005-12-01
Date First Published:	2005-12-06
Date Last Updated:	2005-12-28
CERT Advisory:
CVE-ID(s):	CVE-2005-3962
NVD-ID(s):	CVE-2005-3962
US-CERT Technical Alerts:
Metric:	0.00
Document Revision:	25

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2005 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader