The Perl community has released a fix for the sprintf function, which was recently discovered to have a buffer overflow in very specific cases. All Perl users should consider updating immediately.
Dyad Security recently released a security advisory explaining how, in certain cases, a carefully crafted format string passed to sprintf can cause a buffer overflow. This buffer overflow can then be used by an attacker to execute code on the machine. The problem was discovered in the context of a design flaw in the Webmin administration package that allowed a malicious user to pass unchecked data into sprintf. A related fix for Sys::Syslog has already been released.
The Perl 5 Porters team has fixed this sprintf overflow and released a set of patches, each specific to a range of Perl versions:
- For Perl 5.8.0
- For Perl 5.8.1 and 5.8.2
- For Perl 5.8.3
- For Perl 5.8.4 through 5.8.7
While this specific patch fixes a buffer overflow, and thus prevents malicious code execution, programmers must still be careful. Patched or not, sprintf can still be used as the basis of a denial-of-service attack: it will create huge, memory-eating blocks of data if passed malicious format strings from an attacker. It is best if no unchecked data from outside sources gets passed to sprintf as a format string, either directly or through a function such as syslog.
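The pattern the paragraph warns about and its safe counterpart, as an added Perl example that is not part of the advisory; the application name, the sample input and the function names are made up for illustration:

```perl
use strict;
use warnings;
use Sys::Syslog qw(:standard :macros);

# Constructed sample input standing in for a field an outside party controls,
# e.g. a username echoed into a log line. To the user the '%' characters are
# ordinary text; to sprintf they are directives.
my $untrusted = 'login failed for user bob%s %d%%';

# UNSAFE: the untrusted string becomes the format. Every '%' in it is parsed
# as a directive, so the caller decides the output layout and its size, and on
# an unpatched perl can reach the overflow described above.
sub format_unsafe {
    my ($msg) = @_;
    return sprintf($msg);          # never do this with outside data
}

# SAFE: the format is a literal chosen by the programmer; the untrusted text
# is consumed whole by a single %s and may contain '%' harmlessly.
sub format_safe {
    my ($msg) = @_;
    return sprintf('[%s] %s', 'example-app', $msg);
}

# When a legacy interface insists on treating its argument as a format,
# neutralise directives by doubling every '%' before handing it over.
sub escape_for_format {
    my ($msg) = @_;
    (my $escaped = $msg) =~ s/%/%%/g;
    return $escaped;
}

# Sys::Syslog runs its arguments through sprintf too: keep the format literal
# and pass the message as the one argument.
sub log_safe {
    my ($msg) = @_;
    openlog('example-app', 'pid', LOG_USER);
    syslog(LOG_INFO, '%s', $msg);  # not syslog(LOG_INFO, $msg)
    closelog();
}

print "safe:    ", format_safe($untrusted), "\n";
print "escaped: ", sprintf(escape_for_format($untrusted)), "\n";
# format_unsafe($untrusted) is deliberately left uncalled: it would warn about
# missing arguments and emit attacker-shaped output. Set LOG_DEMO=1 to also
# exercise log_safe() against the local syslog daemon.
log_safe($untrusted) if $ENV{LOG_DEMO};
```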
For further information, or information about The Perl Foundation, please email pr at perlfoundation.org.