Re: CERT Advisory CA-96.12 - Vulnerability in suidperl

Theodore Ts'o (tytso@rsts-11.mit.edu)
Wed, 26 Jun 1996 21:45:43 -0400


Date: Wed, 26 Jun 1996 11:39:12 -0400
From: CERT Advisory <cert-advisory@cert.org>

CERT(sm) Advisory CA-96.12
June 26, 1996

Topic: Vulnerability in suidperl

Linux
=====
Linux 1.2 and 2.0 support saved set-user-id.

Most distributions of Linux provide suidperl and sperl.

The fixsperl script works on Linux, and it is recommended that this
fix be applied until a new Perl release is made.

Note that to the best of my knowledge and understanding, Linux is *not*
vulnerable due to how we handle the setreuid() system call ---
setreuid() sets the saved set-user-id under certain circumstances,
including those which perl uses. So people don't need to panic; I don't
believe we need to disable suidperl under Linux.

- Ted

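
One way to check the setreuid() behaviour described in the reply on a given Linux kernel, as an added example (not code from this message, the CERT advisory, or Perl). The function name, the use of `setreuid(target, target)` as the privilege drop, and the unprivileged UID 65534 are assumptions made for illustration; the message does not spell out the exact calls perl makes.

```c
#define _GNU_SOURCE           /* for getresuid() */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Linux setreuid(2) rule: if the real UID is set, or the effective UID is
 * set to a value other than the previous real UID, the saved set-user-ID
 * becomes the new effective UID.
 *
 * Returns 1 if the saved UID follows the drop, 0 if an old saved UID
 * lingers (the drop could be reversed), -1 on error. Works in a forked
 * child so the caller's own IDs are never changed.
 */
int saved_uid_follows_setreuid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        uid_t r, e, s, target;
        if (getresuid(&r, &e, &s) != 0)
            _exit(2);
        /* Drop to the real UID; plain root drops to 65534 (constructed). */
        target = (r == 0 && e == 0) ? 65534 : r;
        if (setreuid(target, target) != 0) {
            target = r;       /* e.g. UID not mapped in this namespace */
            if (setreuid(target, target) != 0)
                _exit(2);
        }
        if (getresuid(&r, &e, &s) != 0)
            _exit(2);
        _exit((r == target && e == target && s == target) ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    int ok = saved_uid_follows_setreuid();
    printf("saved set-user-ID %s\n", ok == 1 ? "follows setreuid()" :
           ok == 0 ? "is left behind" : "could not be checked");
    return ok == 1 ? 0 : 1;
}
```

The check is only informative when the process starts with differing IDs (for example as a set-user-ID binary or as root); with all three IDs already equal, the result is trivially 1.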