
ESB-2007.0873 -- [Debian] -- New perl packages fix arbitrary code execution

Date: 07 November 2007
References: ESB-2007.0866  


             AUSCERT External Security Bulletin Redistribution

                         ESB-2007.0873 -- [Debian]
              New perl packages fix arbitrary code execution
                              7 November 2007


        AusCERT Security Bulletin Summary

Product:              perl
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
                      Debian GNU/Linux 3.1
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
Access:               Existing Account
CVE Names:            CVE-2007-5116

Ref:                  ESB-2007.0866

Original Bulletin:

--------------------------BEGIN INCLUDED TEXT--------------------


------------------------------------------------------------------------
Debian Security Advisory DSA-1400-1                                   Florian Weimer
November 6th, 2007
------------------------------------------------------------------------

Package        : perl
Vulnerability  : heap overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-5116

Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in Perl's regular expression
compiler, probably allowing attackers to execute arbitrary code by
compiling specially crafted regular expressions.

For the stable distribution (etch), this problem has been fixed in
version 5.8.8-7etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 5.8.4-8sarge6.

For the unstable distribution (sid), this problem will be fixed soon.

Some architectures are missing from this DSA; these updates will be
released once they are available.

We recommend that you upgrade your perl package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------

Debian GNU/Linux 4.0 alias etch
-------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and <pkg>



--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.