ID CVE-2005-3962
Summary Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.
References
Vulnerable Configurations
  • Perl 5.8.6
    cpe:2.3:a:perl:perl:5.8.6
  • Perl 5.9.2
    cpe:2.3:a:perl:perl:5.9.2
CVSS
Base: 4.6 (as of 01-12-2005 - 12:21)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  Vector LOCAL
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity PARTIAL
  Availability PARTIAL
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_122082-01.NASL
    description SunOS 5.10_x86: perl format string patch. Date this patch was last updated by Sun : Feb/23/06
    last seen 2019-01-19
    modified 2019-01-18
    plugin id 107879
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107879
    title Solaris 10 (x86) : 122082-01
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-222-2.NASL
    description USN-222-1 fixed a vulnerability in the Perl interpreter. It was discovered that the version of USN-222-1 was not sufficient to handle all possible cases of malformed input that could lead to arbitrary code execution, so another update is necessary. Original advisory : Jack Louis of Dyad Security discovered that Perl did not sufficiently check the explicit length argument in format strings. Specially crafted format strings with overly large length arguments led to a crash of the Perl interpreter or even to execution of arbitrary attacker-defined code with the privileges of the user running the Perl program. However, this attack was only possible in insecure Perl programs which use variables with user-defined values in string interpolations without checking their validity. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20765
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20765
    title Ubuntu 4.10 / 5.04 / 5.10 : perl vulnerability (USN-222-2)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-225.NASL
    description Jack Louis discovered a new way to exploit format string errors in the Perl programming language that could lead to the execution of arbitrary code. The updated packages are patched to close the particular exploit vector in Perl itself, to mitigate the risk of format string programming errors, however it does not fix problems that may exist in particular pieces of software written in Perl.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 20456
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20456
    title Mandrake Linux Security Advisory : perl (MDKSA-2005:225)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-880.NASL
    description Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21974
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21974
    title CentOS 4 : perl (CESA-2005:880)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-943.NASL
    description Jack Louis discovered an integer overflow in Perl, Larry Wall's Practical Extraction and Report Language, that allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via specially crafted content that is passed to vulnerable format strings of third-party software. The old stable distribution (woody) does not seem to be affected by this problem.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 22809
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22809
    title Debian DSA-943-1 : perl - integer overflow
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200512-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-200512-01 (Perl: Format string errors can lead to code execution) Jack Louis discovered a new way to exploit format string errors in Perl that could lead to the execution of arbitrary code. This is performed by causing an integer wrap overflow in the efix variable inside the function Perl_sv_vcatpvfn. The proposed fix closes that specific exploitation vector to mitigate the risk of format string programming errors in Perl. This fix does not remove the need to fix such errors in Perl code. Impact : Perl applications making improper use of printf functions (or derived functions) using untrusted data may be vulnerable to the already-known forms of Perl format string exploits and also to the execution of arbitrary code. Workaround : Fix all misbehaving Perl applications so that they make proper use of the printf and derived Perl functions.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 20280
    published 2005-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20280
    title GLSA-200512-01 : Perl: Format string errors can lead to code execution
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-222-1.NASL
    description Jack Louis of Dyad Security discovered that Perl did not sufficiently check the explicit length argument in format strings. Specially crafted format strings with overly large length arguments led to a crash of the Perl interpreter or even to execution of arbitrary attacker-defined code with the privileges of the user running the Perl program. However, this attack was only possible in insecure Perl programs which use variables with user-defined values in string interpolations without checking their validity. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20764
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20764
    title Ubuntu 4.10 / 5.04 / 5.10 : perl vulnerability (USN-222-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-880.NASL
    description Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 20366
    published 2005-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20366
    title RHEL 4 : perl (RHSA-2005:880)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-881.NASL
    description Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. (CVE-2005-0448) Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. (CVE-2004-0976) Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 20367
    published 2005-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20367
    title RHEL 3 : perl (RHSA-2005:881)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-881.NASL
    description Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. (CVE-2005-0448) Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. (CVE-2004-0976) Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21877
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21877
    title CentOS 3 : perl (CESA-2005:881)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_119985-02.NASL
    description SunOS 5.10: perl patch. Date this patch was last updated by Sun : Feb/27/06
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 107352
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107352
    title Solaris 10 (sparc) : 119985-02
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_BB33981A7AC611DABF7200123F589060.NASL
    description The Perl Development page reports : Dyad Security recently released a security advisory explaining how in certain cases, a carefully crafted format string passed to sprintf can cause a buffer overflow. This buffer overflow can then be used by an attacker to execute code on the machine. This was discovered in the context of a design problem with the Webmin administration package that allowed a malicious user to pass unchecked data into sprintf.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 21504
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21504
    title FreeBSD : perl, webmin, usermin -- perl format string integer wrap vulnerability (bb33981a-7ac6-11da-bf72-00123f589060)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_119985.NASL
    description SunOS 5.10: perl patch. Date this patch was last updated by Sun : Feb/27/06
    last seen 2018-09-01
    modified 2018-08-13
    plugin id 21006
    published 2006-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21006
    title Solaris 10 (sparc) : 119985-02
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_122082.NASL
    description SunOS 5.10_x86: perl format string patch. Date this patch was last updated by Sun : Feb/23/06
    last seen 2018-09-01
    modified 2018-08-13
    plugin id 21008
    published 2006-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21008
    title Solaris 10 (x86) : 122082-01
oval via4
  • accepted 2013-04-29T04:06:59.152-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.
    family unix
    id oval:org.mitre.oval:def:10598
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.
    version 23
  • accepted 2006-05-03T10:06:00.000-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    description Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.
    family unix
    id oval:org.mitre.oval:def:1074
    status accepted
    submitted 2006-03-02T02:05:00.000-04:00
    title Perl Format String Integer Overflow Vulnerability
    version 32
redhat via4
advisories
  • rhsa
    id RHSA-2005:880
  • rhsa
    id RHSA-2005:881
refmap via4
apple APPLE-SA-2006-11-28
bid 15629
bugtraq 20051201 Perl format string integer wrap vulnerability
cert TA06-333A
cert-vn VU#948385
conectiva CLSA-2006:1056
confirm
debian DSA-943
fedora FLSA-2006:176731
fulldisc 20051201 Perl format string integer wrap vulnerability
gentoo GLSA-200512-01
hp
  • HPSBTU02125
  • SSRT061105
mandrake MDKSA-2005:225
misc http://www.dyadsecurity.com/perl-0002.html
openbsd [3.7] 20060105 007: SECURITY FIX: January 5, 2006
openpkg OpenPKG-SA-2005.025
osvdb
  • 21345
  • 22255
secunia
  • 17762
  • 17802
  • 17844
  • 17941
  • 17952
  • 17993
  • 18075
  • 18183
  • 18187
  • 18295
  • 18413
  • 18517
  • 19041
  • 20894
  • 23155
  • 31208
sgi 20060101-01-U
sunalert 102192
suse
  • SUSE-SA:2005:071
  • SUSE-SR:2005:029
trustix TSLSA-2005-0070
ubuntu USN-222-1
vupen
  • ADV-2005-2688
  • ADV-2006-0771
  • ADV-2006-2613
  • ADV-2006-4750
Last major update 17-10-2016 - 23:37
Published 01-12-2005 - 12:03
Last modified 19-10-2018 - 11:39