Re: [SECURITY] [DSA 2267-1] perl security update
On Friday, 01.07.2011, 19:52 +0200, Moritz Muehlenhoff wrote:

> Debian Security Advisory DSA-2267-1    secur...@debian.org
> http://www.debian.org/security/        Moritz Muehlenhoff
> July 01, 2011                          http://www.debian.org/security/faq
>
> Package        : perl
> Vulnerability  : restriction bypass
> Problem type   : local
> Debian-specific: no
> CVE ID         : CVE-2010-1447
> Debian Bug     : 631529
>
> It was discovered that Perl's Safe module - a module to compile and
> execute code in restricted compartments - could be bypassed.

Hello,

is there any way to find out which Debian packages use Perl’s Safe module? What damage could a local attacker have caused by exploiting the Safe module’s security flaw?

Best wishes,
Wolfgang
Re: [SECURITY] [DSA 2267-1] perl security update
Wolfgang Jeltsch wrote, On 08/23/2011 09:43 AM:

> is there any way to find out which Debian packages use Perl’s Safe
> module? What damage could a local attacker have caused by exploiting
> the Safe module’s security flaw?

Wolfgang,

# Debian Package File Search
$ dpfs() { lynx -dump -nolist -width=999 "http://packages.debian.org/search?searchon=contents&keywords=${1}&mode=filename&suite=stable&arch=any" | sed -ne '/File[[:space:]]*Packages/,/ _/{x;p}' ;}
$ dpfs Safe.pm
File                                                       Packages
/usr/lib/interchange/Vend/Safe.pm                          interchange
/usr/share/perl/5.10.1/Safe.pm                             perl-modules
/usr/share/perl5/DBIx/Safe.pm                              libdbix-safe-perl
/usr/share/perl5/MIME/Base64/URLSafe.pm                    libmime-base64-urlsafe-perl
/usr/share/perl5/Mail/SpamAssassin/Locker/UnixNFSSafe.pm   spamassassin
/usr/share/perl5/Test/Trap/Builder/SystemSafe.pm           libtest-trap-perl
/usr/share/perl5/Text/MicroMason/Safe.pm                   libtext-micromason-perl

Safe.pm appears to be delivered (in squeeze at least) in 'perl-modules' (unless I'm looking at the wrong thing).

Do a dependency search on anything you have installed that uses that:

$ aptitude search '~i~DDepends:perl-modules'

Leave out the '~i' if you don't want to limit to just what you currently have installed.

Of course that only tells you packages that have metadata indicating that they depend on 'perl-modules'; there could be other things that use it without notification. (then you're into running global finds looking for 'use' and 'require' statements, whee!)

--stephen
--
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdo...@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
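
The global search for 'use' and 'require' statements mentioned at the end of the reply above, as an added example that is not part of the original thread: it scans installed Perl files for statements that load Safe itself and maps each hit to its owning package with `dpkg -S`. The function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: list Perl files that load the Safe module, with owning package.
# Function names and the script name below are hypothetical.
export LC_ALL=C   # byte-wise matching and stable sort order

# "use Safe" / "require Safe" where Safe is the whole module name, so
# DBIx::Safe, Safe::Hole and MIME::Base64::URLSafe do not match.
SAFE_RE='(^|[;{}[:space:]])(use|require)[[:space:]]+Safe([^[:alnum:]_:]|$)'

# Perl source by extension, or by a perl shebang for scripts in bin directories.
is_perl() {
    case "$1" in
        *.pm|*.pl|*.cgi) return 0 ;;
    esac
    head -n 1 "$1" 2>/dev/null | grep -qE '^#!.*perl'
}

# Drop "#" comments (crudely), then look for the load statement. POD text can
# still match, so treat hits as candidates to review, not as proof.
loads_safe() {
    sed 's/#.*//' "$1" 2>/dev/null | grep -qE "$SAFE_RE"
}

# Print every Perl file under the given directories that loads Safe.
find_safe_users() {
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do
        if is_perl "$f" && loads_safe "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Map each path on stdin to its package with dpkg -S ("pkg: /path").
owning_packages() {
    while IFS= read -r f; do
        pkg=$(dpkg -S "$f" 2>/dev/null | cut -d: -f1)
        printf '%s\t%s\n' "${pkg:-UNPACKAGED}" "$f"
    done
}

# Usage: sh find-safe.sh /usr/share/perl5 /usr/lib/perl5 /usr/bin
if [ "$#" -gt 0 ]; then
    find_safe_users "$@" | owning_packages | sort
fi
```

Modules loaded through a string `eval`, `use base` or a computed module name are not caught by this pattern, so an empty result does not rule out use of Safe.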