Tue, 13-Dec-2005 by Andy Lester
The Perl community has released an updated version of the core module Sys::Syslog to close off a security hole in the Webmin web administration package. All Webmin users should upgrade to the updated Sys::Syslog immediately.
Dyad Security released a security advisory explaining how arbitrary, untrusted data could be passed by Webmin into Perl's Sys::Syslog module, where it was used as the format string for sprintf. Because sprintf obeys any directive in that string, including a huge field width, an attacker can make syslog() build arbitrarily large strings, exhausting server memory and causing a denial of service.
Dyad Security's other security advisory, detailing an integer overflow bug in Perl's sprintf, means the Webmin bug is potentially worse than a denial of service: combined with the sprintf overflow, it could allow arbitrary code execution with the permissions of the web server process.
The updated Sys::Syslog addresses the specific coding mistake in Webmin, and probably in other packages as well: passing a message to syslog() in the format-string position when the programmer does not realize that syslog() hands that argument straight to sprintf. The new syslog() recognises the special case of a single message parameter and does what the programmer intended: it treats the parameter as a literal message string and does not run it through sprintf.
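The following is an added example, not code from the Perl Foundation announcement, from Webmin, or from the Sys::Syslog source. It shows the vulnerable and the hardened calling patterns side by side using plain sprintf, since the page explains that syslog() simply proxies to sprintf, and a small format_message() helper that mirrors the single-argument behaviour the updated module is described as adopting. The $untrusted input is constructed; a real attack would use a much larger width.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example of attacker-controlled log data (e.g. a username
# submitted to a login form) that happens to contain a format directive.
my $untrusted = 'login failed for %200000s';

# Vulnerable pattern: the data itself is used as the format string, so
# sprintf honours the attacker's width directive and pads the output to
# 200000+ bytes. This mirrors the old syslog($priority, $message) misuse.
# (Perl warns "Missing argument in sprintf" here, itself a hint that the
# message was interpreted as a format rather than as data.)
sub log_vulnerable {
    my ($msg) = @_;
    return sprintf($msg);
}

# Hardened pattern: a constant format with the data as an argument, the
# equivalent of syslog($priority, '%s', $message). Directives inside the
# data are never interpreted.
sub log_fixed {
    my ($msg) = @_;
    return sprintf('%s', $msg);
}

# Mirrors the behaviour described for the updated Sys::Syslog: when the
# caller passes exactly one argument it is treated as a literal message
# and sprintf is not called at all; with more arguments the first is a
# format, as before. This is an illustration of that rule, not the
# module's actual implementation.
sub format_message {
    my @args = @_;
    return $args[0] if @args == 1;
    my $fmt = shift @args;
    return sprintf($fmt, @args);
}

printf "vulnerable:        %d bytes\n", length log_vulnerable($untrusted);
printf "fixed ('%%s'):      %d bytes\n", length log_fixed($untrusted);
printf "single-arg rule:   %d bytes\n", length format_message($untrusted);
printf "multi-arg format:  %s\n", format_message('login failed for %s', 'alice');
```

Run it and the vulnerable path produces a string of roughly 200 KB from a 27-byte input, while both hardened paths return the 27 bytes unchanged. The single-argument rule only protects callers who pass the message alone; any code that passes additional arguments still has its first argument interpreted as a format, so the durable fix for application code remains a constant format string with untrusted data passed as a separate argument.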
The other issue, the sprintf integer overflow, is still being worked on. Fixes have been made, and patches for older versions of Perl are being prepared. The Perl 5 Porters are taking the time to make sure that the patches work for as many existing Perl 5 installations as possible. Watch news.perlfoundation.org for information on the patches as they become available.
Further queries may be sent to pr at perlfoundation.org.
The Perl Foundation - supporting the Perl community since 2000. Find out more at www.perlfoundation.org.