Package: eperl
Version: 2.2.14-14
Severity: normal

Hello,

recently I came across the following bit of code in the source file
eperl-2.2.14/eperl_perl5.c (function 'Perl5_Run', around line 215):

    if ((cpBuf = ePerl_ReadErrorFile(perlstderr, perlscript, source)) != NULL) {
        fprintf(stderr, cpBuf);
    }

Here the fprintf command uses the stderr output of the perl interpreter as a
printf format string without any sanitisation. This leads to a format string
vulnerability. The following eperl call illustrates the problem:

    [EMAIL PROTECTED] [~] echo '<: for (;%s$i = 0; $i < 10; $i++) { print "foo #${i}\n"; } :>' | eperl -c -
    Scalar found where operator expected at /tmp/ePerl.stdin.14972.tmp0 line 1, near "/tmp/ePerl.stdin.14972.tmp0$i"
            (Missing operator before $i?)
    syntax error at /tmp/ePerl.stdin.14972.tmp0 line 1, near "Ϫ¿È$i "
    Execution of /tmp/ePerl.stdin.14972.tmp0 aborted due to compilation errors.

Here the perl interpreter gives the error message

    ... line 1, near "%s$i"

and the fprintf call dumps some memory contents instead of the %s. I did not
check whether this is exploitable, but probably the problem should be fixed
anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18.1
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages eperl depends on:
ii  libc6                      2.3.6.ds1-8   GNU C Library: Shared libraries
ii  libperl5.8                 5.8.8-6.1     Shared Perl library
ii  perl                       5.8.8-6.1     Larry Wall's Practical Extraction
ii  perl-base [perlapi-5.8.8]  5.8.8-6.1     The Pathologically Eclectic Rubbis

eperl recommends no packages.

-- no debconf information
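An added example, not eperl's own code: the call shape from the report beside its fixed form, plus a check that the fix passes interpreter output containing "%s" through byte for byte. The function names, the sample Perl error line and the audit helper are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample of Perl stderr carrying the user's "%s" (not real eperl output). */
static const char *SAMPLE_PERL_STDERR =
    "syntax error at /tmp/ePerl.stdin.tmp0 line 1, near \"%s$i \"\n";

/* The shape reported in eperl_perl5.c: the message itself becomes the format
 * string, so every '%' directive in cpBuf makes fprintf fetch a vararg that
 * was never passed (undefined behaviour; in the report it leaks memory). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static void report_error_unsafe(FILE *out, const char *cpBuf) {
    fprintf(out, cpBuf);                 /* bug: cpBuf used as the format */
}
#pragma GCC diagnostic pop

/* The fix: the message is an argument; the only format string is a literal. */
static int report_error_safe(FILE *out, const char *cpBuf) {
    return fprintf(out, "%s", cpBuf);    /* fputs(cpBuf, out) is equivalent */
}

/* Same fix rendered into a buffer, so the result can be compared exactly. */
static int render_safe(char *dst, size_t n, const char *cpBuf) {
    return snprintf(dst, n, "%s", cpBuf);
}

/* Audit helper: 1 if the text holds a conversion directive ("%%" is a
 * literal percent and does not count), 0 otherwise. Handy for scanning
 * captured error output when reviewing for this class of bug. */
static int contains_format_directive(const char *s) {
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p, '%')) {
        if (p[1] == '%') { p += 2; continue; }
        return 1;
    }
    return 0;
}

int main(void) {
    char buf[256];
    /* Both versions behave identically on directive-free text; the bug is latent. */
    report_error_unsafe(stderr, "plain message\n");
    report_error_safe(stderr, SAMPLE_PERL_STDERR);   /* prints the %s literally */
    render_safe(buf, sizeof buf, SAMPLE_PERL_STDERR);
    printf("directive present: %d, preserved: %d\n",
           contains_format_directive(SAMPLE_PERL_STDERR),
           strcmp(buf, SAMPLE_PERL_STDERR) == 0);
    return 0;
}
```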