NOTE: THIS ADVISORY (SA-1997.08) HAS BEEN SUPERSEDED BY SA-1997.25!

Subject: Caldera Security Advisory SA-1997.08: Vulnerability in perl package

Caldera Security Advisory SA-1997.08
Original issue date: 6-July-1997
Last revised: 13-Oct-1997

Topic: Vulnerability in perl

I. Problem Description

    A vulnerability exists within sperl that will allow local users to
    gain root access if sperl is installed SUID root.

II. Impact

    On systems such as Caldera OpenLinux 1.0 and 1.1, an unprivileged
    user can gain root access.

III. Solution

    As a temporary solution, you can disable the exploits for this bug
    with the following command:

        chmod u-s /usr/bin/sperl*

    Obtain the new perl-5.003-5.i386.rpm, perl-add-5.003-5.i386.rpm,
    perl-eg-5.003-5.i386.rpm, perl-man-5.003-5.i386.rpm, and
    perl-pod-5.003-5.i386.rpm files and install them according to the
    instructions found in the README file, which is one directory up
    from the actual rpm files.

    These packages are located on Caldera's FTP server (ftp.caldera.com):

        /pub/openlinux/updates/1.0/current/RPMS
        /pub/openlinux/updates/1.1/current/RPMS

    (Both are the same)

    The MD5 checksums (from the "md5sum" command) for these packages are:

        e5ffce472926da6e7f6be29eba137388  perl-5.003-5.i386.rpm
        8c6f96116c02853e9344b3e5514f5e49  perl-add-5.003-5.i386.rpm
        bd0a2d596ba9c202940a8c4283c62b26  perl-eg-5.003-5.i386.rpm
        54eb01649a08e76a4a9046ad8e71ee1a  perl-man-5.003-5.i386.rpm
        c8de577f03edc326316ea30a435ada00  perl-pod-5.003-5.i386.rpm

    Please follow the instructions from the README file precisely to
    update any older version of perl that may be on your system.

IV. References / Credits

    This and other Caldera security resources are located at:

        http://www.caldera.com/tech-ref/security/

    This advisory is based on a security upgrade announced to the
    Bugtraq list:

        Subject: Buffer overflow in sperl5.003
        Message-ID: Willy Tarreau

    CERT Advisory CA-97.17:

        ftp://info.cert.org/pub/cert_advisories/CA-97.17.sperl

V. PGP Signature

    This message was signed with the PGP key for .

    This key can be obtained from:

        ftp://ftp.caldera.com/pub/pgp-keys/

    Or on an OpenLinux CDROM under:

        /OpenLinux/pgp-keys/

$Id: SA-1997.08,v 1.2 1997/10/13 18:03:10 ron Exp $
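
An added example, not part of Caldera's advisory: a shell check for the two steps in section III, confirming that no sperl* binary still carries the setuid bit and that downloaded packages match the published MD5 values. The function names, return codes and directory arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): check the section III steps.

# MD5 values as published in the advisory, in md5sum's "hash  name" layout.
ADVISORY_MD5='e5ffce472926da6e7f6be29eba137388  perl-5.003-5.i386.rpm
8c6f96116c02853e9344b3e5514f5e49  perl-add-5.003-5.i386.rpm
bd0a2d596ba9c202940a8c4283c62b26  perl-eg-5.003-5.i386.rpm
54eb01649a08e76a4a9046ad8e71ee1a  perl-man-5.003-5.i386.rpm
c8de577f03edc326316ea30a435ada00  perl-pod-5.003-5.i386.rpm'

# List sperl* files directly under DIR (default /usr/bin) that still have
# the setuid bit. Returns 0 when none remain, 1 when some do, and 2 when
# DIR could not be searched (hypothetical return codes for this example).
suid_sperl() {
    found=$(find "${1:-/usr/bin}" -maxdepth 1 -type f -name 'sperl*' \
                 -perm -4000 2>/dev/null) || return 2
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Compare the packages in DIR ($1) with ADVISORY_MD5. Prints OK, MISMATCH
# or MISSING per package and returns 0 only when every package matches.
verify_rpms() {
    rc=0
    while read -r want name; do
        if [ ! -f "$1/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(md5sum "$1/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done <<EOF
$ADVISORY_MD5
EOF
    return $rc
}
```

A matching MD5 shows the download is the file listed in the advisory; MD5 is no longer collision-resistant, so it serves as a check against a corrupted or wrong file rather than as proof of origin.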