December 15, 2005 - Patches fix sprintf buffer overflow

The Perl community has released a fix to the sprintf function that was recently discovered to have a buffer overflow in very specific cases. All Perl users should consider updating immediately.

Dyad Security recently released a security advisory explaining how in certain cases, a carefully crafted format string passed to sprintf can cause a buffer overflow. This buffer overflow can then be used by an attacker to execute code on the machine. This was discovered in the context of a design problem with the Webmin administration package that allowed a malicious user to pass unchecked data into sprintf. A related fix for Sys::Syslog has already been released.

The Perl 5 Porters team have solved this sprintf overflow problem, and have released a set of patches, specific to four different versions of Perl.

  • For Perl 5.8.0

ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.0.patch

  • For Perl 5.8.1 and 5.8.2

ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.2.patch

  • For Perl 5.8.3

ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.3.patch

  • For Perl 5.8.4 through 5.8.7

ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/sprintf-5.8.7.patch

While this specific patch fixes a buffer overflow, and thus prevents malicious code execution, programmers must still be careful. Patched or not, sprintf can still be used as the basis of a denial-of-service attack: if an attacker controls the format string, sprintf will create huge, memory-eating blocks of data. It's best if no unchecked data from outside sources gets passed to sprintf as a format, either directly or through a function such as syslog.
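One way to apply that rule in Perl, as an added example that is not from the advisory or the patches (the function names are hypothetical): untrusted text goes only into an argument slot, never into the format slot, for both sprintf and Sys::Syslog's syslog.

```perl
#!/usr/bin/perl
# Added example: keep untrusted text out of the format position.
use strict;
use warnings;
use Sys::Syslog qw(:standard :macros);

# Unsafe pattern: the untrusted string *is* the format, so every '%'
# directive in it is interpreted by sprintf. This is the shape of the
# Webmin problem the advisory describes. Defined here for contrast only.
sub log_unsafe {
    my ($untrusted) = @_;
    return sprintf($untrusted);
}

# Safe pattern: a fixed, developer-owned format. The untrusted text is only
# ever the argument to %s, so its '%' characters are copied literally and it
# cannot specify field widths or other directives.
sub log_safe {
    my ($untrusted) = @_;
    return sprintf('%s', $untrusted);
}

# Same rule for syslog(): Sys::Syslog formats its message too, so outside
# data must not occupy the format slot.
sub syslog_safe {
    my ($untrusted) = @_;
    syslog(LOG_INFO, '%s', $untrusted);   # fixed format, data as argument
    # syslog(LOG_INFO, $untrusted);       # the pattern to avoid
}

# Review helper: does a string contain any conversion directive other than
# the literal "%%"? Useful for flagging non-literal formats in a code base.
sub has_directives {
    my ($s) = @_;
    (my $t = $s) =~ s/%%//g;              # drop escaped percent signs first
    return $t =~ /%/ ? 1 : 0;
}

# Constructed sample input containing directives an attacker might send.
my $input = "user entered %s %d and 100%%";
print log_safe($input), "\n";             # text is echoed unchanged
print has_directives($input) ? "contains directives\n" : "plain text\n";
```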

For further information, or information about The Perl Foundation, please email pr at perlfoundation.org.


When can we expect a patch for Windows 2003?

contributed by Nitin on April 21, 2006 2:40 PM


The patches are already available on the CPAN if you build from source. If you're using ActiveState's builds, that's something to direct to ActiveState.

contributed by Andy Lester on April 21, 2006 7:58 PM

Tags:

  • Perl 5 Development