[PLDSA 31-1] New perl-CGI-Lite packages fix arbitrary code execution

Krzysiek Taraszka dzimi at pld.org.pl
Sat May 3 14:46:14 CEST 2003


---------------------------------------------------------------------------
PLD Security Advisory PLDSA 31-1                        security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
05 March 2003                               http://www.pld.org.pl/security/faq
---------------------------------------------------------------------------

Package        : prior to perl-CGI-Lite-2.0-5
Vulnerability  : arbitrary command execution
Problem-Type   : remote
PLD-specific   : no

The CGI::Lite::escape_dangerous_chars() function fails to escape
the entire set of special characters that may have significance
to the underlying shell command processor. When the function is
used from within a web CGI script which processes arbitrary user
input from some HTML form, an attacker may be able to read and/or
write some or all local files and may be able to obtain shell-level
access to the attacked web server.
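The defect class described above is a deny-list escaper: it backslash-escapes a fixed set of punctuation and silently passes any shell metacharacter it does not list. The following is an added example, not code from the advisory or from CGI::Lite; the escaper, the character sets, the validation rule and the sample input are all constructed for illustration. It shows how to audit an escaper for characters it leaves unescaped, and the two controls that do not depend on the list being complete: an allow-list on the input and the list form of system(), which never invokes a shell.

```perl
#!/usr/bin/perl
# Added example for the advisory (not CGI::Lite code). Contrasts a
# deny-list escaper with an allow-list check and a shell-free exec.
use strict;
use warnings;

# Hypothetical deny-list escaper (constructed, deliberately incomplete):
# backslash-escapes a fixed set of punctuation. Anything not in the set,
# here newline, tab, space and backslash, passes through untouched.
my $DENY = '&;`\'"|*?~<>^()[]{}$';

sub escape_denylist {
    my ($s) = @_;
    $s =~ s/([\Q$DENY\E])/\\$1/g;
    return $s;
}

# Bytes that can change how a POSIX shell parses a word. Newline and
# backslash are the ones most often forgotten by deny lists.
my $SHELL_META = '&;`\'"|*?~<>^()[]{}$\\' . "\n\t ";

# Audit helper: run an escaper over an input and return every shell
# metacharacter present in the input that is not backslash-escaped in
# the output. An empty list means the escaper covered this input.
sub unescaped_meta {
    my ($escaper, $input) = @_;
    my $out = $escaper->($input);
    my @missed;
    for my $ch (split //, $SHELL_META) {
        next unless index($input, $ch) >= 0;
        my $q = quotemeta $ch;
        push @missed, $ch unless $out =~ /\\$q/;
    }
    return @missed;
}

# Allow-list validation: accept only what a file-name field legitimately
# needs (word characters, dots, dashes; must not start with a dot or a
# dash) and reject everything else rather than trying to neutralise it.
sub valid_filename {
    my ($s) = @_;
    return $s =~ /\A\w[\w.-]*\z/ ? 1 : 0;
}

# Shell-free invocation: the list form of system() hands the arguments to
# execve() directly, so no shell parses them and metacharacters are just
# bytes inside one argument. The allow-list still runs first so that a
# value such as "-x" cannot be read as an option by the child program.
sub run_shell_free {
    my ($name) = @_;
    die "rejected file name\n" unless valid_filename($name);
    return system('wc', '-l', '--', $name) == 0;
}

# Constructed sample form value containing a space and a newline, two
# characters a punctuation-only deny list does not cover.
my $sample = "my report\n.txt";

printf "deny-list leaves unescaped: %s\n",
    join ' ', map { sprintf '0x%02x', ord } unescaped_meta(\&escape_denylist, $sample);
# prints: deny-list leaves unescaped: 0x0a 0x20

printf "allow-list accepts '%s': %d\n", $_, valid_filename($_)
    for 'report-2003.txt', 'my report.txt';
# prints: allow-list accepts 'report-2003.txt': 1
#         allow-list accepts 'my report.txt': 0
```

The audit function is the useful part for a code review of any escaping routine: feed it the characters your shell treats specially and it lists exactly what the routine misses. The remediation pattern is independent of that result, since an allow-list plus a shell-free exec is safe even if the escaper is never fixed.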

The above problems have been fixed in version 2.001-1 for the
current stable distribution (ra).

We recommend that you upgrade your perl-CGI-Lite packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using "poldek" as your package manager, use the lines given below
to upgrade the packages:

poldek --update
        will update the internal database
poldek --upgrade 'perl-CGI-Lite*'
        will install corrected packages

If you are using "apt" as your package manager, use the lines given below
to upgrade the packages:

apt-get update
        will update the internal database
apt-get upgrade 'perl-CGI-Lite*'
        will install corrected packages

PLD Linux 1.0 alias ra
--------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/perl-CGI-Lite-2.001-1.src.rpm
       MD5 checksum: d39087a05988777cf08e18b7c91dc5cd

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/perl-CGI-Lite-2.001-1.noarch.rpm
       MD5 checksum: 3f021b77200bb26e7994e5d296688231


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/perl-CGI-Lite-2.001-1.noarch.rpm
       MD5 checksum: f0917cb4e0ab2153cc1edbc69aed44eb


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/perl-CGI-Lite-2.001-1.noarch.rpm
       MD5 checksum: ed9e8a0c295c9558a40c575cbfdf4cac


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/perl-CGI-Lite-2.001-1.noarch.rpm
       MD5 checksum: 5693e6249d3e88fb3d64bff373d1374b


--------------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


