Debian DSA-208-1 : perl - broken safe compartment

medium Nessus Plugin ID 15045

Synopsis

The remote Debian host is missing a security-related update.

Description

A security hole has been discovered in Safe.pm which is used in all versions of Perl. The Safe extension module allows the creation of compartments in which perl code can be evaluated in a new namespace and the code evaluated in the compartment cannot refer to variables outside this namespace. However, when a Safe compartment has already been used, there's no guarantee that it is Safe any longer, because there's a way for code to be executed within the Safe compartment to alter its operation mask. Thus, programs that use a Safe compartment only once aren't affected by this bug.

Solution

Upgrade the Perl packages.

This problem has been fixed in version 5.6.1-8.2 for the current stable distribution (woody), in version 5.004.05-6.2 and 5.005.03-7.2 for the old stable distribution (potato) and in version 5.8.0-14 for the unstable distribution (sid).

See Also

http://www.debian.org/security/2002/dsa-208

Plugin Details

Severity: Medium

ID: 15045

File Name: debian_DSA-208.nasl

Version: 1.18

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:perl, cpe:/o:debian:debian_linux:2.2, p-cpe:/a:debian:debian_linux:perl-5.005, cpe:/o:debian:debian_linux:3.0, p-cpe:/a:debian:debian_linux:perl-5.004

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/12/2002

Reference Information

CVE: CVE-2002-1323

BID: 6111

DSA: 208