Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and
earlier, may allow attackers to break out of safe compartments
in (1) Safe::reval or (2) Safe::rdo using a redefined @_
variable, which is not reset between successive calls.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2002-1323 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.3 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
Open UNIX 8.0.0 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
UnixWare 7.1.1 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
3. Solution
The proper solution is to install the latest packages.
SCO security advisories via email:
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr887197 fz528449
erg712495.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Andreas Jurenda
If you would like to receive SCO Security Advisories please visit:
http://www.thescogroup.com/support/forums/announce.html
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
______
SCO Security Advisory
Subject: UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : perl unsafe Safe compartment
Advisory number: SCOSA-2004.1
Issue date: 2004 March 29
Cross reference: sr887197 fz528449 erg712495 CAN-2002-1323
________________________________________________________________________
______
1. Problem Description
Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and
earlier, may allow attackers to break out of safe compartments
in (1) Safe::reval or (2) Safe::rdo using a redefined @_
variable, which is not reset between successive calls.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2002-1323 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.3 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
Open UNIX 8.0.0 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
UnixWare 7.1.1 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3
Open UNIX 8.0.0
UnixWare 7.1.2
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.1
4.2 Verification
MD5 (erg712495.Z) = a58a6ad7b7ea39ee48abc8bc3cc0d4fe
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1. Download the erg712495.Z file to a directory on your machine.
2. As root, uncompress the file and add the package to your system
using these commands:
# uncompress erg712495.Z
# pkgadd -d erg712495
3. There is no need to reboot the system after installing this package.
If you have questions regarding this supplement, or the product on
which it is installed, please contact your software supplier.
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email:
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr887197 fz528449
erg712495.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Andreas Jurenda
If you would like to receive SCO Security Advisories please visit:
http://www.thescogroup.com/support/forums/announce.html
________________________________________________________________________
______
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)
iD8DBQFAa1gDaqoBO7ipriERAmUSAJ4wj29qyF8tdLnaf73PAJy0uwmXGACfR4qY
V04ijiOTJg8nxlajD4dtwCw=
=1x3D
-----END PGP SIGNATURE-----
[ reply ]