Andy Lester, wearing his Perl Foundation PR hat, writes "The Perl community has updated the core module Sys::Syslog to help alleviate a security hole in the Webmin web administration package. All Webmin users should update immediately to the updated version of Sys::Syslog."
"Dyad Security released a security advisory explaining how arbitrary, untrusted data can get passed by Webmin into Perl's Sys::Syslog module as a sprintf format string. This allows an attacker to create arbitrarily large strings, overwhelming server resources and causing a denial of service. However, Dyad Security's other security advisory, detailing an integer overflow bug in Perl's sprintf, meant that the Webmin bug could potentially mean arbitrary code execution with the permissions of the web server process, not just a denial of service.

The release of the updated Sys::Syslog handles the specific coding problem presented by Webmin, and perhaps other packages, of passing format strings to the syslog() function when the programmer does not realize that syslog() acts as a proxy for sprintf. The new syslog() function now notes the special case of only passing one message parameter, and does what the programmer intended: treats the parameter as a single message string and does not call sprintf.

The other issue, with the sprintf integer overflow, is still being worked on. Fixes have been made, and patches for older versions of Perl are being created. The Perl 5 Porters are taking the time to make sure that the patches work for as many existing Perl 5 installations as possible. Watch news.perlfoundation.org for information on the patches as they become available. Further queries may be sent to pr at perlfoundation.org."
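The coding mistake and the two remedies the announcement describes, as an added example that is not part of the original post, of Webmin, or of Sys::Syslog itself. To run offline without a syslog daemon, `format_old` and `format_new` are hypothetical stand-ins for the formatting step inside syslog() before and after the update, modelled on the behaviour the text describes; the "untrusted" string standing in for form input is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical model of the formatting step inside Sys::Syslog's syslog()
# before the fix: the message is always handed to sprintf, so every '%'
# directive inside it is interpreted. Not the module's own code.
sub format_old {
    my ($priority, $fmt, @args) = @_;   # $priority unused in this model
    return sprintf($fmt, @args);
}

# Hypothetical model of the fixed behaviour as the announcement describes
# it: a lone message parameter is used verbatim, and sprintf runs only
# when the caller supplies extra arguments.
sub format_new {
    my ($priority, $fmt, @args) = @_;
    return @args ? sprintf($fmt, @args) : $fmt;
}

# Constructed attacker-controlled input, e.g. a username typed into a
# login form. A width specifier makes sprintf pad the output; a much
# larger width (not run here) is what turns this into memory exhaustion.
my $untrusted = 'guest %300s end';

# 1. The vulnerable pattern: untrusted data interpolated into the only
#    message argument, which the old module then uses as a format. With
#    'use warnings' Perl also emits "Missing argument in sprintf", itself
#    a sign that a format string is being built from data.
my $old = format_old('info', "login failed for $untrusted");
printf "old syslog():  %d bytes\n", length $old;

# 2. The same careless call under the fixed module: one argument, so the
#    text is logged literally and the %300s is never interpreted.
my $new = format_new('info', "login failed for $untrusted");
printf "new syslog():  %d bytes\n", length $new;

# 3. The fix that belongs in application code and is correct on old and
#    new module versions alike: the program owns the format string and
#    passes the data as a sprintf argument.
my $safe = format_old('info', 'login failed for %s', $untrusted);
printf "explicit %%s:   %d bytes\n", length $safe;
```

Running the script shows the first path padding the log line by 300 bytes of spaces while the other two emit the input as literal text. The third form is the one to audit for: any `syslog($priority, $message)` where `$message` can contain data from outside the program should become `syslog($priority, '%s', $message)`, regardless of which Sys::Syslog version is installed.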