search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Perl contains an integer sign error in format string processing

Vulnerability Note VU#948385

Original Release Date: 2005-12-06 | Last Revised: 2012-08-30

Overview

The Perl interpreter contains a flaw that may increase the impact of format string vulnerabilities in programs written in Perl.

Description

Perl is a programming language used in many applications and commonly used for web applications. The Perl interpreter, which interprets and executes Perl programs, contains an integer sign error in its format string processing for formatted I/O.

Impact

An attacker may leverage this vulnerability to increase the impact a format string vulnerability in a Perl program. This vulnerability in the Perl interpreter is not directly exploitable.

Solution

Patch the Perl interpreter per vendor instructions.

Vendor Information

948385
Expand all

Fedora Project

Updated:  December 28, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

For Fedora Core 4, consult FEDORA-2005-1144, which updates the remediation described in FEDORA-2005-1113.

For Fedora Core 3, consult FEDORA-2005-1145, which updates the remediation described in FEDORA-2005-1117.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Updated:  December 08, 2005

Statement Date:   December 08, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult GLSA 200512-01 for vulnerability details and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc.

Updated:  December 28, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult MDKSA-2005:225 for information about updated Perl packages.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG

Updated:  December 06, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult OpenPKG-SA-2005.025 for vulnerability details and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Perl Developers

Notified:  December 01, 2005 Updated:  December 28, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

In a Dec 15, 2005 stamement, the Perl Foundation reports patches are available addressing this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Updated:  December 28, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

For Red Hat Desktop v. 4 and Enterprise Linux v. 4, consult RHSA-2005:880 for remedition instructions..

For Red Hat Desktop v. 3 and Enterprise Linux v. 3, consult RHSA-2005:881 for remedition instructions..

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux

Updated:  December 28, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult SUSE-SA:2005:071 for remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux

Updated:  December 28, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult Trustix Secure Linux Security Advisory #2005-0070 for update Perl package information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu

Updated:  December 06, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult Ubuntu Security Notice USN-222-1 for vulnerability details and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 0.0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0.0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Jack Louis of Dyad Security, Inc. for reporting this vulnerability.

This document was written by Hal Burch.

Other Information

CVE IDs: CVE-2005-3962
Date Public: 2005-12-01
Date First Published: 2005-12-06
Date Last Updated: 2012-08-30 18:58 UTC
Document Revision: 40

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.