search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Perl contains an integer sign error in format string processing

Vulnerability Note VU#948385

Original Release Date: 2005-12-06 | Last Revised: 2012-08-30

Overview

The Perl interpreter contains a flaw that may increase the impact of format string vulnerabilities in programs written in Perl.

Description

Perl is a programming language used in many applications and commonly used for web applications. The Perl interpreter, which interprets and executes Perl programs, contains an integer sign error in its format string processing for formatted I/O.

Impact

An attacker may leverage this vulnerability to increase the impact a format string vulnerability in a Perl program. This vulnerability in the Perl interpreter is not directly exploitable.

Solution

Patch the Perl interpreter per vendor instructions.

Vendor Information

948385
 
Expand all

Fedora Project Affected

Updated:  December 28, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

For Fedora Core 4, consult FEDORA-2005-1144, which updates the remediation described in FEDORA-2005-1113.

For Fedora Core 3, consult FEDORA-2005-1145, which updates the remediation described in FEDORA-2005-1117.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux Affected

Updated:  December 08, 2005

Statement Date:   December 08, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult GLSA 200512-01 for vulnerability details and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc. Affected

Updated:  December 28, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult MDKSA-2005:225 for information about updated Perl packages.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG Affected

Updated:  December 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult OpenPKG-SA-2005.025 for vulnerability details and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Perl Developers Affected

Notified:  December 01, 2005 Updated: December 28, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

In a Dec 15, 2005 stamement, the Perl Foundation reports patches are available addressing this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc. Affected

Updated:  December 28, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

For Red Hat Desktop v. 4 and Enterprise Linux v. 4, consult RHSA-2005:880 for remedition instructions..

For Red Hat Desktop v. 3 and Enterprise Linux v. 3, consult RHSA-2005:881 for remedition instructions..

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux Affected

Updated:  December 28, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult SUSE-SA:2005:071 for remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux Affected

Updated:  December 28, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult Trustix Secure Linux Security Advisory #2005-0070 for update Perl package information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu Affected

Updated:  December 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Consult Ubuntu Security Notice USN-222-1 for vulnerability details and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jack Louis of Dyad Security, Inc. for reporting this vulnerability.

This document was written by Hal Burch.

Other Information

CVE IDs: CVE-2005-3962
Date Public: 2005-12-01
Date First Published: 2005-12-06
Date Last Updated: 2012-08-30 18:58 UTC
Document Revision: 40

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis