Rapid7 VulnDB

RHSA-2013:0685: perl security update

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 03/13/2013
Created: 07/25/2018
Added: 03/27/2013
Modified: 07/04/2017

Description

Perl is a high-level programming language commonly used for system administration utilities and web programming.

A heap overflow flaw was found in Perl. If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5195)

A denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially-crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption. (CVE-2013-1667)

It was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookie values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items. (CVE-2012-5526)

It was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates. (CVE-2012-6329)

Red Hat would like to thank the Perl project for reporting CVE-2012-5195 and CVE-2013-1667. Upstream acknowledges Tim Brown as the original reporter of CVE-2012-5195 and Yves Orton as the original reporter of CVE-2013-1667.

All Perl users should upgrade to these updated packages, which contain backported patches to correct these issues. All running Perl programs must be restarted for this update to take effect.

Solution(s)

  • redhat-upgrade-perl
  • redhat-upgrade-perl-archive-extract
  • redhat-upgrade-perl-archive-tar
  • redhat-upgrade-perl-cgi
  • redhat-upgrade-perl-compress-raw-bzip2
  • redhat-upgrade-perl-compress-raw-zlib
  • redhat-upgrade-perl-compress-zlib
  • redhat-upgrade-perl-core
  • redhat-upgrade-perl-cpan
  • redhat-upgrade-perl-cpanplus
  • redhat-upgrade-perl-debuginfo
  • redhat-upgrade-perl-devel
  • redhat-upgrade-perl-digest-sha
  • redhat-upgrade-perl-extutils-cbuilder
  • redhat-upgrade-perl-extutils-embed
  • redhat-upgrade-perl-extutils-makemaker
  • redhat-upgrade-perl-extutils-parsexs
  • redhat-upgrade-perl-file-fetch
  • redhat-upgrade-perl-io-compress-base
  • redhat-upgrade-perl-io-compress-bzip2
  • redhat-upgrade-perl-io-compress-zlib
  • redhat-upgrade-perl-io-zlib
  • redhat-upgrade-perl-ipc-cmd
  • redhat-upgrade-perl-libs
  • redhat-upgrade-perl-locale-maketext-simple
  • redhat-upgrade-perl-log-message
  • redhat-upgrade-perl-log-message-simple
  • redhat-upgrade-perl-module-build
  • redhat-upgrade-perl-module-corelist
  • redhat-upgrade-perl-module-load
  • redhat-upgrade-perl-module-load-conditional
  • redhat-upgrade-perl-module-loaded
  • redhat-upgrade-perl-module-pluggable
  • redhat-upgrade-perl-object-accessor
  • redhat-upgrade-perl-package-constants
  • redhat-upgrade-perl-params-check
  • redhat-upgrade-perl-parent
  • redhat-upgrade-perl-parse-cpan-meta
  • redhat-upgrade-perl-pod-escapes
  • redhat-upgrade-perl-pod-simple
  • redhat-upgrade-perl-suidperl
  • redhat-upgrade-perl-term-ui
  • redhat-upgrade-perl-test-harness
  • redhat-upgrade-perl-test-simple
  • redhat-upgrade-perl-time-hires
  • redhat-upgrade-perl-time-piece
  • redhat-upgrade-perl-version

