Patches fix sprintf buffer overflow

The Perl community has released a fix to the sprintf function that was recently discovered to have a buffer overflow in very specific cases. All Perl users should consider updating immediately.

Dyad Security recently released a security advisory explaining how in certain cases, a carefully crafted format string passed to sprintf can cause a buffer overflow. This buffer overflow can then be used by an attacker to execute code on the machine. This was discovered in the context of a design problem with the Webmin administration package that allowed a malicious user to pass unchecked data into sprintf. A related fix for Sys::Syslog has already been released.

The Perl 5 Porters team have solved this sprintf overflow problem, and have released a set of patches, specific to four different versions of Perl.

While this specific patch fixes a buffer overflow, and thus prevents malicious code execution, programmers must still be careful. Patched or not, sprintf can still be used as the basis of a denial-of-service attack. It will create huge, memory-eating blocks of data if passed malicious format strings from an attacker. It's best if no unchecked data from outside sources get passed to sprintf, either directly or through a function such as syslog.

For further information, or information about The Perl Foundation, please email pr at perlfoundation.org.

Category: Perl 5 Development

Comments (2)


When can we expect a patch for windows 2003?


The patches are already available on the CPAN if you build from source. If you're using ActiveState's builds, that's something to direct to ActiveState.


Sign in to add comment