| Description: | The remote host is missing an update to perl
announced via advisory USN-700-1.
Details follow:
Jonathan Smith discovered that the Archive::Tar Perl module did not
correctly handle symlinks when extracting archives. If a user or
automated system were tricked into opening a specially crafted tar file,
a remote attacker could over-write arbitrary files. (CVE-2007-4829)
Tavis Ormandy and Will Drewry discovered that Perl did not correctly
handle certain utf8 characters in regular expressions. If a user or
automated system were tricked into using a specially crafted expression,
a remote attacker could crash the application, leading to a denial
of service. Ubuntu 8.10 was not affected by this issue. (CVE-2008-1927)
A race condition was discovered in the File::Path Perl module's rmtree
function. If a local attacker successfully raced another user's call
of rmtree, they could create arbitrary setuid binaries. Ubuntu 6.06
and 8.10 were not affected by this issue. (CVE-2008-5302)
A race condition was discovered in the File::Path Perl module's rmtree
function. If a local attacker successfully raced another user's call of
rmtree, they could delete arbitrary files. Ubuntu 6.06 was not affected
by this issue. (CVE-2008-5303)
Solution:
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libarchive-tar-perl 1.26-2ubuntu0.1
libperl5.8 5.8.7-10ubuntu1.2
Ubuntu 7.10:
libarchive-tar-perl 1.31-1ubuntu0.1
libperl5.8 5.8.8-7ubuntu3.4
perl-modules 5.8.8-7ubuntu3.4
Ubuntu 8.04 LTS:
libarchive-tar-perl 1.36-1ubuntu0.1
libperl5.8 5.8.8-12ubuntu0.3
perl-modules 5.8.8-12ubuntu0.3
Ubuntu 8.10:
perl-modules 5.10.0-11.1ubuntu2.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
http://www.securityspace.com/smysecure/catid.html?in=USN-700-1 |
