Perl vulnerability

2005-12-1300:00:00

ubuntu.com

4.6 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

6.5 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

51.6%

JSON

Releases

Ubuntu 5.10
Ubuntu 5.04
Ubuntu 4.10

Details

USN-222-1 fixed a vulnerability in the Perl interpreter. It was
discovered that the version of USN-222-1 was not sufficient to handle
all possible cases of malformed input that could lead to arbitrary
code execution, so another update is necessary.

Original advisory:

Jack Louis of Dyad Security discovered that Perl did not
sufficiently check the explicit length argument in format strings.
Specially crafted format strings with overly large length arguments
led to a crash of the Perl interpreter or even to execution of
arbitrary attacker-defined code with the privileges of the user
running the Perl program.

However, this attack was only possible in insecure Perl programs
which use variables with user-defined values in string
interpolations without checking their validity.

OSVersionArchitecturePackageVersionFilename
Ubuntu5.10noarchperl-base< *UNKNOWN
Ubuntu5.10noarchlibperl5.8< *UNKNOWN
Ubuntu5.04noarchperl-base< *UNKNOWN
Ubuntu5.04noarchlibperl5.8< *UNKNOWN
Ubuntu4.10noarchperl-base< *UNKNOWN
Ubuntu4.10noarchlibperl5.8< *UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	5.10	noarch	perl-base	< *	UNKNOWN
Ubuntu	5.10	noarch	libperl5.8	< *	UNKNOWN
Ubuntu	5.04	noarch	perl-base	< *	UNKNOWN
Ubuntu	5.04	noarch	libperl5.8	< *	UNKNOWN
Ubuntu	4.10	noarch	perl-base	< *	UNKNOWN
Ubuntu	4.10	noarch	libperl5.8	< *	UNKNOWN