use Perl
Patch to sprintf() Fixes Buffer Overflow
Andy Lester writes "Perl 5 Porters have released a fix to the sprintf function
that was recently discovered to have a buffer overflow in very specific
cases. All Perl users should consider updating immediately.
Dyad Security recently released a security advisory explaining how in certain cases, a carefully crafted format string passed to sprintf can cause a buffer overflow. This buffer overflow can then be used by an attacker to execute code on the machine. This was discovered in the context of a design problem with the Webmin administration package that allowed a malicious user to pass unchecked data into sprintf. A related fix for Sys::Syslog has already been released."
"The Perl 5 Porters team have solved this sprintf overflow
problem, and have released a set of patches, specific to four different
versions of Perl.
- For Perl 5.8.0: ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.0.patch
- For Perl 5.8.1 and 5.8.2: ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.2.patch
- For Perl 5.8.3: ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.3.patch
- For Perl 5.8.4 to 5.8.7: ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.7.patch
For further information, or information about The Perl Foundation, please email pr at perlfoundation.org."
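
A heuristic audit for the pattern the announcement describes, where unchecked data reaches sprintf (or Sys::Syslog's syslog) as the format string rather than as an argument. This is an added example, not code from the Perl 5 Porters, Webmin or the original post; the function name `find_variable_formats` and the sample source lines are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Heuristic audit: report sprintf()/syslog() calls whose FORMAT argument is
# not a constant string, i.e. places where outside data could be parsed as
# format directives. Regex-based, so treat hits as leads for manual review.
# find_variable_formats is a hypothetical helper name, not an existing module.
sub find_variable_formats {
    my ($source) = @_;
    my @findings;
    my $n = 0;
    for my $line (split /\n/, $source) {
        $n++;
        next if $line =~ /^\s*#/;    # skip comment lines
        # The lookahead captures the arguments without consuming them, so a
        # call nested inside another call's arguments is still examined.
        while ($line =~ /\b(sprintf|syslog)\s*\((?=\s*([^;]*))/g) {
            my ($func, $args) = ($1, $2);
            # syslog(PRIORITY, FORMAT, ...): the format is the second argument
            $args =~ s/^[^,]*,\s*// if $func eq 'syslog';
            # Constant format: a '...' literal, or "..." with no $ or @ in it
            next if $args =~ /^'(?:[^'\\]|\\.)*'\s*[,)]/;
            next if $args =~ /^"(?:[^"\\\$\@]|\\.)*"\s*[,)]/;
            push @findings, { line => $n, func => $func };
        }
    }
    return @findings;
}

# Constructed sample input (not taken from Webmin or any real project).
# Lines 2 and 4 show the safe form: a constant format, data passed as %s.
my $sample = <<'END_SAMPLE';
my $msg = sprintf($user_input);
my $ok  = sprintf("%s logged in", $user_input);
syslog('info', $message);
syslog('info', '%s', $message);
my $bad = sprintf("$prefix %d", $count);
END_SAMPLE

for my $f (find_variable_formats($sample)) {
    print "line $f->{line}: $f->{func}() format is not a constant string\n";
}
```

Applying the patch for your Perl version fixes the overflow in the interpreter; calls flagged by a check like this are still worth rewriting so that external data is only ever an argument to a constant format.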

Intermediate Versions are Covered (Score:1)
Those version numbers are incomplete: it looks from your list that some versions (such as 5.8.6) aren't covered, but actually some patches cover a range of versions.
Specifically, sprintf-5.8.2.patch is for both 5.8.1 and 5.8.2, and sprintf-5.8.7.patch is for all of 5.8.4 to 5.8.7.
Smylers
Re:Intermediate Versions are Covered (Score:2)
--
xoa