OpenPKG Security Advisory
OpenPKG-SA-2003.039
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2003.039 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2003.039 Advisory Published: 2010-09-03 22:30 UTC Issue Id (internal): OpenPKG-SI-20030915.02 Issue First Created: 2003-09-15 Issue Last Modified: 2006-11-28 Issue Revision: 05
Subject Name: Perl CGI.pm Subject Summary: Practical Extraction and Reporting Language Subject Home: http://www.perl.com/ Subject Versions: * <= 5.8.0 Vulnerability Id: CVE-2003-0615 Vulnerability Scope: local (OpenPKG specific only) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: identity fraud Description: This message is a continuation of OpenPKG-SA-2003.036 [0]. This document also outlines an important problematic regarding the native load order of Perl modules. The CGI.pm module not only comes with the "perl-www" package but an ancient version 2.81 is also embedded into the "perl" package. The corrected packages mentioned above have the official fix backported to the embedded version. Be aware that all releases of OpenPKG up to and including 1.3 use Perl's native load order for modules where embedded modules are preferred over additional modules. This means that the CGI.pm embedded into the "perl" package is loaded before the sibling from the additional "perl-www" package is found. This inhibits the use and correction of additional modules with same name as embedded ones. It should be noted that beginning with perl-5.8.0-20030903 the load order is adjusted to prefer additional modules over embedded ones [2]. There are no plans modifiying the module load order of the "perl" package in existing releases. Although more intuitive, it would change existing behaviour and is likely to break existing installations. During the support lifecycle, security advisories and corrected packages will be issued for both embedded and additional packages. References: [0] http://www.openpkg.org/security/OpenPKG-SA-2003.036-perl-www.html [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0615 [2] http://cvs.openpkg.org/chngview?cn=11997 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/1.2/UPD/perl-5.8.0-1.2.1.src.rpm [6] ftp://ftp.openpkg.org/release/1.3/UPD/perl-5.8.0-1.3.1.src.rpm [7] ftp://ftp.openpkg.org/release/1.2/UPD/ [8] ftp://ftp.openpkg.org/release/1.3/UPD/ [9] http://www.openpkg.org/security.html#signature
Primary Package Name: perl Primary Package Home: http://openpkg.org/go/package/perl Affected Distribution: Affected Branch: Affected Package: OpenPKG Community 1.2-SOLID perl-5.8.0-1.2.0 OpenPKG Community 1.3-SOLID perl-5.8.0-1.3.0 OpenPKG Community CURRENT perl-5.8.0-20030903 Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Community 1.2-SOLID perl-5.8.0-1.2.1 OpenPKG Community 1.3-SOLID perl-5.8.0-1.3.1 OpenPKG Community CURRENT perl-5.8.0-20030915
