Patches fix sprintf buffer overflow

Thu, 15-Dec-2005 by Andy Lester
The Perl community has released a fix to the sprintf function
that was recently discovered to have a buffer overflow in very specific
cases.  All Perl users should consider updating immediately.

Dyad Security recently released
a security advisory
explaining how in certain cases, a carefully crafted format string
passed to sprintf can cause a buffer overflow.  This buffer
overflow can then be used by an attacker to execute code on the machine.
This was discovered in the context of a design problem with the Webmin
administration package that allowed a malicious user to pass unchecked
data into sprintf.  A related fix for Sys::Syslog
has already been released.

The Perl 5 Porters team have solved this sprintf overflow
problem, and have released a set of patches, specific to four different
versions of Perl.

While this specific patch fixes a buffer overflow, and thus prevents
malicious code execution, programmers must still be careful.
Patched or not, sprintf can still be used as the basis of a
denial-of-service attack.  It will create huge, memory-eating blocks of
data if passed malicious format strings from an attacker.  It's best if
no unchecked data from outside sources get passed to sprintf,
either directly or through a function such as syslog.
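
The advice above as an added example (not code from the advisory or from the Perl 5 Porters patches): outside data is only ever an argument to a constant format, and is %-escaped when an interface insists on treating it as a format. It goes one step further with a check for formats that must come from outside; the helper names, the MAX_WIDTH limit and the sample input are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical ceiling on any single field width or precision.
use constant MAX_WIDTH => 256;

# Safe pattern: the format is a constant; outside data is only an argument.
# (The risky pattern is sprintf($outside_data), with the data as the format.)
sub format_log_line {
    my ($outside_data) = @_;
    return sprintf('auth: %s', $outside_data);
}

# For syslog-style calls that always treat the message as a format,
# double every '%' so the data contains no live directives.
sub escape_format {
    my ($text) = @_;
    (my $escaped = $text) =~ s/%/%%/g;
    return $escaped;
}

# If a format must come from outside (a template in a config file, say),
# accept it only when every width and precision is a small literal number.
sub format_is_bounded {
    my ($fmt) = @_;
    while ($fmt =~ /%([^%a-zA-Z]*)[%a-zA-Z]?/g) {
        my $spec = $1;                     # flags, width, precision
        return 0 if $spec =~ /[*\$]/;      # size not visible in the format
        for my $n ($spec =~ /(\d+)/g) {
            return 0 if length($n) > 4 || $n > MAX_WIDTH;
        }
    }
    return 1;
}

# Constructed sample input containing printf-style directives.
my $outside = 'login failed for %s %5d 100%';

print format_log_line($outside), "\n";     # directives stay inert
my $via_format = sprintf(escape_format($outside));
print "$via_format\n";                     # same text, passed as a format

for my $fmt ('%-20s %5d', '%' . '9' x 9 . 'd', '%*d') {
    printf "%-14s %s\n", $fmt, format_is_bounded($fmt) ? 'accept' : 'reject';
}
```

The check is deliberately conservative: it may reject a harmless format, but it never passes one whose output size cannot be read from the format string itself.
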
For further information, or information about The Perl Foundation, please email
pr at perlfoundation.org.
Comments (2)

When can we expect a patch for Windows 2003?

The patches are already available on the CPAN if you build from source.  If you're using ActiveState's builds, that's something to direct to ActiveState.