This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: Security advisory: perl (CVE-2005-3962)


On Thu, Dec 29, 2005 at 09:55:16AM +0100, Gerrit P. Haase wrote:
> Corinna wrote:
> 
> > On Dec  9 13:51, Yaakov S (Cygwin Ports) wrote:
> >> Gerrit,
> >> 
> >> Perl is vulnerable to format string programming errors, that could be
> >> exploited to execute arbitrary code.
> >> 
> >> Patch:
> >> http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-exp_intwrap.patch
> 
> > Gerrit?  Ping?
> 
> Ah, yes.  Will revisit this issue today.

The official patch:

http://search.cpan.org/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.7.patch

There were also a few subsequent patches to printf stuff, not directly
related to the above security advisory, and a fix to Sys::Syslog which
IIRC was.

