Re: CERT Advisory CA-96.12 - Vulnerability in suidperl

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Carsten Paeth: "Re: possible SCSI device numbering solution"
• Previous message: William E. Roadcap: "Re: real kernel bloat"
• Next in thread: Alan Cox: "Re: CERT Advisory CA-96.12 - Vulnerability in suidperlu"
• Reply: Alan Cox: "Re: CERT Advisory CA-96.12 - Vulnerability in suidperlu"

Date: Wed, 26 Jun 1996 11:39:12 -0400
From: CERT Advisory <cert-advisory@cert.org>

CERT(sm) Advisory CA-96.12
June 26, 1996

Topic: Vulnerability in suidperl

Linux
=====
Linux 1.2 and 2.0 support saved set-user-id.

Most distributions of Linux provide suidperl and sperl.

The fixsperl script works on linux, and it is recommended that this
fix be applied until a new Perl release is made.

Note that to the best of my knowledge and understanding, Linux is *not*
vulnerable due to how we handle the setreuid() system call ---
setreuid() sets the saved set-user-id under certain circumstances,
including those which perl uses. So people don't need to panic; I don't
believe we need to disable suidperl under Linux.

- Ted

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.2, an Emacs/PGP interface

iQCVAwUBMdGH+kQVcM1Ga0KJAQHJNQQAgrl/EjJ6mtG1j9pGwR0yAq4CGnt1xRCk
lG/0yy+XRFcpxTmXTm140ZYgiimj+neJ3PkgGRP3mA720DhqLv/ZuXpgmnxl7bzQ
LSJjsXEuFaw0aSmg2smFHzUpN5GCjf6JvGWcClMyPio9JaIB5eNmq6TvqoYrXssB
B7/5Gw+P9jQ=
=BaEo
-----END PGP SIGNATURE-----

• Next message: Carsten Paeth: "Re: possible SCSI device numbering solution"
• Previous message: William E. Roadcap: "Re: real kernel bloat"
• Next in thread: Alan Cox: "Re: CERT Advisory CA-96.12 - Vulnerability in suidperlu"
• Reply: Alan Cox: "Re: CERT Advisory CA-96.12 - Vulnerability in suidperlu"