Re: [SECURITY] [DSA 2267-1] perl security update

2011-08-23 Thread Wolfgang Jeltsch
Am Freitag, den 01.07.2011, 19:52 +0200 schrieb Moritz Muehlenhoff:
 Debian Security Advisory DSA-2267-1                    secur...@debian.org
 http://www.debian.org/security/                         Moritz Muehlenhoff
 July 01, 2011                          http://www.debian.org/security/faq
 
 Package: perl
 Vulnerability  : restriction bypass
 Problem type   : local
 Debian-specific: no
 CVE ID : CVE-2010-1447 
 Debian Bug : 631529
 
 It was discovered that Perl's Safe module - a module to compile and
 execute code in restricted compartments - could be bypassed.

Hello,

is there any way to find out which Debian packages use Perl’s Safe
module? What damage could a local attacker have caused by exploiting the
Safe module’s security flaw?

Best wishes,
Wolfgang


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1314114236.4649.7.camel@vivaldi



Re: [SECURITY] [DSA 2267-1] perl security update

2011-08-23 Thread Stephen Dowdy
Wolfgang Jeltsch wrote, On 08/23/2011 09:43 AM:

 is there any way to find out which Debian packages use Perl’s Safe
 module? What damage could a local attacker have caused by exploiting the
 Safe module’s security flaw?

Wolfgang,

# Debian Package File Search: look up which stable package ships a given file name
$ dpfs() { lynx -dump -nolist -width=999 \
    "http://packages.debian.org/search?searchon=contents&keywords=${1}&mode=filename&suite=stable&arch=any" \
    | sed -ne '/File[[:space:]]*Packages/,/ _/{x;p}' ;}
$ dpfs Safe.pm

 File                                                       Packages
 /usr/lib/interchange/Vend/Safe.pm                          interchange
 /usr/share/perl/5.10.1/Safe.pm                             perl-modules
 /usr/share/perl5/DBIx/Safe.pm                              libdbix-safe-perl
 /usr/share/perl5/MIME/Base64/URLSafe.pm                    libmime-base64-urlsafe-perl
 /usr/share/perl5/Mail/SpamAssassin/Locker/UnixNFSSafe.pm   spamassassin
 /usr/share/perl5/Test/Trap/Builder/SystemSafe.pm           libtest-trap-perl
 /usr/share/perl5/Text/MicroMason/Safe.pm                   libtext-micromason-perl

Safe.pm appears to be delivered (in squeeze at least) in 'perl-modules'
(unless I'm looking at the wrong thing).

Do a dependency search on anything you have installed that uses that:

  $ aptitude search '~i~DDepends:perl-modules'

leave out the '~i' if you don't want to limit to just what you currently
have installed.

Of course that only tells you about packages that have metadata indicating that
they depend on 'perl-modules'; there could be other things that use it
without notification.  (Then you're into running global finds looking
for 'use' and 'require' statements, whee!)

--stephen

-- 
Stephen Dowdy  -  Systems Administrator  -  NCAR/RAL
303.497.2869   -  sdo...@ucar.edu-  http://www.ral.ucar.edu/~sdowdy/
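The "global find for 'use' and 'require' statements" that Stephen mentions, written out as an added example (not code from the thread): it greps the installed Perl sources for statements loading the Safe module itself and maps each hit back to its owning package with dpkg -S, so locally installed code that declares no dependency on perl-modules shows up as "(unpackaged)". It assumes a Debian host with find, grep, perl and dpkg available; the function names are the example's own.

```shell
# Added example, not from the thread: inventory Perl sources on this host
# that load the Safe module directly, whether or not their package declares
# a dependency on perl-modules, and map each hit to the owning Debian package.
# Assumes a Debian system with find, grep, perl and dpkg available.

# scan_for_safe DIR...
# Print the .pm/.pl files under DIR... containing a "use Safe" or
# "require Safe" statement. Only the Safe module itself is matched, so
# "use DBIx::Safe;" or "use MIME::Base64::URLSafe;" are not reported.
scan_for_safe() {
    find "$@" -type f \( -name '*.pm' -o -name '*.pl' \) -exec \
        grep -lE '^[[:space:]]*(use|require)[[:space:]]+Safe([[:space:]]|;)' {} + \
        2>/dev/null
}

# owning_packages
# Read file paths on stdin; print "package<TAB>path" for each, using dpkg -S
# to find the owner. Files no package claims are tagged "(unpackaged)":
# exactly the code an aptitude dependency search cannot see.
owning_packages() {
    while IFS= read -r f; do
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
        printf '%s\t%s\n' "${pkg:-(unpackaged)}" "$f"
    done | sort -u
}

# perl_inc_dirs
# The directories Perl searches for modules on this host (@INC), one per line.
perl_inc_dirs() {
    perl -e 'print "$_\n" for grep { -d } @INC' 2>/dev/null
}

# main [DIR...]
# Scan the given directories, or every @INC directory when none are given
# (@INC paths are assumed to contain no whitespace).
main() {
    if [ "$#" -eq 0 ]; then
        set -- $(perl_inc_dirs)
    fi
    scan_for_safe "$@" | owning_packages
}

# Run only when SAFE_SCAN=1 is set, so the functions can also be sourced.
if [ "${SAFE_SCAN:-0}" = 1 ]; then
    main "$@"
fi
```

Run as `SAFE_SCAN=1 sh safe-scan.sh` to scan all of @INC, or pass explicit directories such as /usr/share/perl5 and /usr/local/lib/site_perl.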


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4e53ea65.4090...@ucar.edu