Related link: http://www.perlfoundation.org/news/2005/sprintf_patch_released.html
The Perl community has released a fix to the sprintf function
that was recently discovered to have a buffer overflow in very specific
cases. All Perl users should consider updating immediately.
Dyad Security recently released
a security advisory
explaining how in certain cases, a carefully crafted format string
passed to sprintf can cause a buffer overflow. This buffer
overflow can then be used by an attacker to execute code on the machine.
This was discovered in the context of a design problem with the Webmin
administration package that allowed a malicious user to pass unchecked
data into sprintf. A related fix for Sys::Syslog
has already been released.
The Perl 5 Porters team have solved this sprintf overflow
problem, and have released a set of patches, specific to four different
versions of Perl.
- For Perl 5.8.0: ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.0.patch
- For Perl 5.8.1 and 5.8.2: ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.2.patch
- For Perl 5.8.3: ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.3.patch
- For Perl 5.8.4 through 5.8.7: ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.7.patch
While this specific patch fixes a buffer overflow, and thus prevents
malicious code execution, programmers must still be careful.
Patched or not, sprintf can still be used as the basis of a
denial-of-service attack: if an attacker controls the format string, it
can be made to produce huge, memory-eating blocks of data. It's best if
no unchecked data from outside sources is ever passed to sprintf as the
format string, either directly or through a function such as syslog.
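The rule in the paragraph above, shown as an added example that is not part of the original article or of the Perl Foundation's code: the untrusted value must only ever be a sprintf argument, never the format string, and the same applies to Sys::Syslog's syslog(). The sample input and the function names (format_unsafe, format_safe, log_request) are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the advisory: unsafe versus safe use of
# printf-style formatting with data that came from outside the program.
use strict;
use warnings;
use Sys::Syslog qw(openlog syslog closelog);

# Constructed sample value: imagine it arrived in a query parameter or a
# form field. It happens to contain format directives; treat it as untrusted.
my $untrusted = '%s %s %s request from client';

# UNSAFE: the untrusted value IS the format string. Every directive it
# contains is interpreted by sprintf, so the caller controls neither the
# number of arguments consumed nor the size of the result (the
# denial-of-service case the article warns about). Defined only to show
# the pattern to look for in code review; it is deliberately not called.
sub format_unsafe {
    my ($data) = @_;
    return sprintf($data);
}

# SAFE: the format string is a literal chosen by the program, and the
# untrusted value is only an argument. Its contents are copied verbatim;
# a '%' inside it is just a character, never a directive.
sub format_safe {
    my ($data) = @_;
    return sprintf('%s', $data);
}

# Same rule for syslog(): the message goes through a printf-style
# formatter, so pass it as an argument to a literal format.
sub log_request {
    my ($data) = @_;
    openlog('example', 'pid', 'user');
    syslog('info', 'request: %s', $data);   # safe: literal format
    # syslog('info', $data);                # unsafe: untrusted format
    closelog();
}

print format_safe($untrusted), "\n";
log_request($untrusted);
```

When auditing code, search for sprintf, printf and syslog calls whose format position holds a variable rather than a string literal; those are the call sites this advisory is about.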
For further information, or information about The Perl Foundation, please email
Andy Lester at pr at perlfoundation.org.