Updated Perl modules alleviate Webmin security flaw
Tue, 13-Dec-2005 by
Andy Lester
edit post
<![CDATA[
<p>
The Perl community has updated the core module
<a href="http://search.cpan.org/dist/Sys-Syslog">Sys::Syslog</a>
to help alleviate a security hole in the
<a href="http://www.webmin.com">Webmin</a>
web administration package. All Webmin users should update immediately
to the updated version of Sys::Syslog.
</p>
<p>
Dyad Security released
<a href="http://dyadsecurity.com/webmin-0001.html">a security advisory</a>
explaining how arbitrary, untrusted data can get passed by Webmin
into Perl's Sys::Syslog module as a <tt>sprintf</tt> format string.
This allows an attack to create arbitrarily large strings, overwhelming
server resources and causing a denial of service.
</p>
<p>
However, Dyad Security's
<a href="http://dyadsecurity.com/perl-0002.html">other security advisory</a>,
detailing an integer overflow bug in Perl's <tt>sprintf</tt>, meant that the
Webmin bug could potentially mean arbitrary code execution with the
permissions of the web server process, not just a denial of service.
</p>
<p>
The release of the
<a href="http://search.cpan.org/dist/Sys-Syslog">updated Sys::Syslog</a>
handles the specific coding problem presented by Webmin, and perhaps
other packages, of passing format strings to the <tt>syslog()</tt>
function when the programer does not realize that <tt>syslog()</tt>
acts as a proxy for <tt>sprintf</tt>. The new <tt>syslog()</tt>
function now notes the special case of only passing one message
parameter, and does what the programmer intended: treats the parameter
as a single message string and does not call <tt>sprintf</tt>.
</p>
<p>
The other issue, with the <tt>sprintf</tt> integer overflow, is still
being worked on. Fixes have been made, and patches for older versions
of Perl are being created. The Perl 5 Porters are taking the time to
make sure that the patches work for as many existing Perl 5 installations
as possible. Watch
<a href="http://news.perlfoundation.org/">news.perlfoundation.org</a>
for information on the patches as they become available.
</p>
<p>
Further queries may be sent to <tt>pr at perlfoundation.org</tt>.
</p>
]]>
Comments (0)
