J-Security Center

Title: Perl Perl_sv_vcatpvfn Format String Integer Wrap Vulnerability

Severity: CRITICAL

Description:

Perl is prone to a format-string vulnerability because the programming language fails to properly handle format specifiers in formatted-printing functions.

Perl implements the 'printf()' family of formatted-printing functions as wrappers to the C library versions. Traditionally, the C library versions of these functions are prone to format-string vulnerabilities due to improper input sanitization where attacker-supplied input is used in the format-specification argument. This allows attackers to read and write to arbitrary memory locations, facilitating the compromise of affected computers.

Since Perl is an interpreted language, extra sanity checks are in place to prevent similar issues from propagating to the underlying C functions. Reportedly, Perl's implementation of these functions is vulnerable to exploitation.

An attacker-supplied value of I greater than INT_MAX in the '%I$n' explicit-parameter specifier causes an integer wrap in the 'efix' variable. This issue arises in the 'Perl_sv_vcatpvfn' function in 'sv.c'. This may be exploited to overwrite values in memory with attacker-specified data.

An attacker may leverage this issue to write to arbitrary process memory, facilitating code execution in the context of the Perl interpreter process. This can result in unauthorized remote access.

The Perl formatted-printing functions are also prone to some additional security issues that are related to how externally supplied format specifiers are interpreted. Exploitation methods include:

- Using format specifiers similar to '%99999s' to consume memory and disk resources
- Using '%n' to modify scalar variables, potentially bypassing security checks or altering the normal flow of script execution
- Using '%p' to consume arguments for the formatted-printing function, causing unintended arguments to be used for further processing
- Using '%p' to bypass input-validation checks, as the string '%p' evaluates to 0, but will produce a large integer value when used as a format specifier
- Using format specifiers similar to '%2s' to bypass input sanitization that checks for space characters

Other exploitation methods are also likely present.

Developers should treat the formatted-printing functions in Perl as equivalently vulnerable to exploitation as the C library versions and should properly sanitize all data passed in the format-specifier argument.

All applications that use formatted-printing functions in an unsafe manner should be considered exploitable.
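The remediation above, sketched in Perl as an added example (it is not code from the advisory or from the Perl distribution). The helper names render_safe, escape_format, has_format_directive and is_plain_integer are hypothetical, and the sample inputs are constructed from the specifiers listed above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# UNSAFE (the pattern the advisory describes): untrusted text IS the format.
#   printf STDERR $untrusted;
#   my $line = sprintf($untrusted);

# SAFE: constant format; untrusted text is only ever an argument.
sub render_safe {
    my ($untrusted) = @_;
    return sprintf('user said: %s', $untrusted);
}

# For formats assembled at run time: double every '%' so the formatter
# sees literal percent signs and no directives.
sub escape_format {
    my ($untrusted) = @_;
    (my $escaped = $untrusted) =~ s/%/%%/g;
    return $escaped;
}

# Audit helper: true if the text would still act as a format directive.
# '%%' pairs are literal percent signs, so drop them before looking for '%'.
sub has_format_directive {
    my ($text) = @_;
    (my $rest = $text) =~ s/%%//g;
    return $rest =~ /%/ ? 1 : 0;
}

# Validate numeric input by pattern, not by numeric comparison: a string
# such as '%p' is 0 in numeric context but is not a number.
sub is_plain_integer {
    my ($text) = @_;
    return $text =~ /\A[0-9]+\z/ ? 1 : 0;
}

# Constructed sample inputs; the specifiers are the ones listed above.
for my $in ('%99999s', '%n', '%p', '%2s', 'disk 100% full', '42') {
    my $fmt      = 'user said: ' . escape_format($in);
    my $rendered = sprintf($fmt);    # escaped, so no directive is processed
    die "escape mismatch for '$in'\n" unless $rendered eq render_safe($in);
    printf "%-16s directive=%d integer=%d rendered=[%s]\n",
        $in, has_format_directive($in), is_plain_integer($in), $rendered;
}
```

Prefer the constant-format form wherever possible; escaping is only for cases where the format string itself has to be built at run time.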

Affected Products:

  • Apple Mac OS X 10.3.9
  • Apple Mac OS X 10.4.8
  • Apple Mac OS X Server 10.3.9
  • Apple Mac OS X Server 10.4.8
  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Conectiva Linux 10.0.0
  • Curtis Hawthorne TN3270RG 1.0.0 .0
  • Curtis Hawthorne TN3270RG 1.0.1
  • Curtis Hawthorne TN3270RG 1.1.0 .0
  • Debian Linux 2.1.0
  • Debian Linux 2.1.0 68k
  • Debian Linux 2.1.0 alpha
  • Debian Linux 2.1.0 sparc
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Easy Software Products CUPS 1.1.20
  • Gentoo Linux
  • HP Apache-Based Web Server 1.3.27 .00
  • HP Apache-Based Web Server 1.3.27 .01
  • HP Apache-Based Web Server 2.0.43 .00
  • HP Internet Express 6.3
  • HP Internet Express 6.4
  • HP Tru64 5.1.0 A PK6
  • HP Tru64 5.1.0 A PK6 (BL24)
  • HP Tru64 5.1.0 B-2 PK4
  • HP Tru64 5.1.0 B-2 PK4 (BL25)
  • HP Tru64 5.1.0 B-3
  • HP Webmin-Based Admin 1.0.0 .01
  • HP Webmin-Based Admin 1.0.1.01
  • IPCop IPCop 1.4.20
  • Larry Wall Perl 5.0.0 03
  • Larry Wall Perl 5.0.0 04
  • Larry Wall Perl 5.0.0 04_04
  • Larry Wall Perl 5.0.0 04_05
  • Larry Wall Perl 5.0.0 05
  • Larry Wall Perl 5.0.0 05_003
  • Larry Wall Perl 5.6.0
  • Larry Wall Perl 5.6.1
  • Larry Wall Perl 5.8.0
  • Larry Wall Perl 5.8.0 .0-88.3
  • Larry Wall Perl 5.8.1
  • Larry Wall Perl 5.8.3
  • Larry Wall Perl 5.8.4
  • Larry Wall Perl 5.8.4 -1
  • Larry Wall Perl 5.8.4 -2
  • Larry Wall Perl 5.8.4 -2.3
  • Larry Wall Perl 5.8.4 -3
  • Larry Wall Perl 5.8.4 -4
  • Larry Wall Perl 5.8.4 -5
  • Larry Wall Perl 5.8.5
  • Larry Wall Perl 5.8.6
  • Larry Wall Perl 5.8.7
  • Larry Wall Perl 5.9.2
  • Linux kernel 2.4.19
  • Linux kernel 2.4.21
  • Linux kernel 2.6.5
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 10.2.0
  • MandrakeSoft Linux Mandrake 10.2.0 x86_64
  • MandrakeSoft Linux Mandrake 2006.0.0
  • MandrakeSoft Linux Mandrake 2006.0.0 x86_64
  • MandrakeSoft Linux Mandrake 6.0.0
  • MandrakeSoft Linux Mandrake 6.1.0
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Linux Mandrake 9.2.0 amd64
  • MandrakeSoft Multi Network Firewall 2.0.0
  • MandrakeSoft Single Network Firewall 7.2.0
  • OpenBSD OpenBSD 3.7
  • OpenBSD OpenBSD 3.8
  • OpenPKG OpenPKG 2.3.0
  • OpenPKG OpenPKG 2.4.0
  • OpenPKG OpenPKG 2.5.0
  • OpenPKG OpenPKG Current
  • RedHat Desktop 4.0.0
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux WS 4
  • RedHat Fedora Core1
  • RedHat Fedora Core2
  • RedHat Fedora Core3
  • RedHat Fedora Core4
  • RedHat Linux 5.0.0
  • RedHat Linux 5.1.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • RedHat Linux 6.0.0
  • RedHat Linux 6.0.0 alpha
  • RedHat Linux 6.0.0 sparc
  • RedHat Linux 6.1.0 alpha
  • RedHat Linux 6.1.0 i386
  • RedHat Linux 6.1.0 sparc
  • RedHat Linux 6.2.0 E alpha
  • RedHat Linux 6.2.0 E i386
  • RedHat Linux 6.2.0 E sparc
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 9.0.0 i386
  • S.u.S.E. Linux Desktop 1.0.0
  • S.u.S.E. Linux Enterprise Server 8
  • S.u.S.E. Linux Enterprise Server 9
  • S.u.S.E. Linux Personal 10.0.0 OSS
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.1.0 x86_64
  • S.u.S.E. Linux Personal 9.2.0
  • S.u.S.E. Linux Personal 9.2.0 x86_64
  • S.u.S.E. Linux Personal 9.3.0
  • S.u.S.E. Linux Personal 9.3.0 x86_64
  • S.u.S.E. Linux Professional 10.0.0
  • S.u.S.E. Linux Professional 10.0.0 OSS
  • S.u.S.E. Linux Professional 8.2.0
  • S.u.S.E. Linux Professional 9.0.0
  • S.u.S.E. Linux Professional 9.0.0 x86_64
  • S.u.S.E. Linux Professional 9.1.0
  • S.u.S.E. Linux Professional 9.1.0 x86_64
  • S.u.S.E. Linux Professional 9.2.0
  • S.u.S.E. Linux Professional 9.2.0 x86_64
  • S.u.S.E. Linux Professional 9.3.0
  • S.u.S.E. Linux Professional 9.3.0 x86_64
  • S.u.S.E. Novell Linux Desktop 9.0.0
  • S.u.S.E. Open-Enterprise-Server 9.0.0
  • S.u.S.E. SUSE LINUX Retail Solution 8.0.0
  • S.u.S.E. SuSE Linux Openexchange Server 4.0.0
  • S.u.S.E. SuSE Linux School Server for i386
  • S.u.S.E. SuSE Linux Standard Server 8.0.0
  • S.u.S.E. UnitedLinux 1.0.0
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.0
  • Sun Solaris 10
  • Sun Solaris 10.0_x86
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Trustix Secure Linux 2.2.0
  • Trustix Secure Linux 3.0.0
  • Trustix Trustix Secure Linux 1.1.0
  • Turbolinux Home
  • Turbolinux Turbolinux 4.0.0
  • Turbolinux Turbolinux 4.2.0
  • Turbolinux Turbolinux 4.4.0
  • Turbolinux Turbolinux 6.0.0
  • Turbolinux Turbolinux 6.0.1
  • Turbolinux Turbolinux 6.0.2
  • Turbolinux Turbolinux 6.0.3
  • Turbolinux Turbolinux 6.0.4
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 10.0.0
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 7.0.0
  • Turbolinux Turbolinux Workstation 8.0.0
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc
  • Ubuntu Ubuntu Linux 5.0.0 4 amd64
  • Ubuntu Ubuntu Linux 5.0.0 4 i386
  • Ubuntu Ubuntu Linux 5.0.0 4 powerpc
  • Ubuntu Ubuntu Linux 5.10.0 amd64
  • Ubuntu Ubuntu Linux 5.10.0 i386
  • Ubuntu Ubuntu Linux 5.10.0 powerpc
  • Webmin Usermin 0.4.0
  • Webmin Usermin 0.5.0
  • Webmin Usermin 0.6.0
  • Webmin Usermin 0.7.0
  • Webmin Usermin 0.8.0
  • Webmin Usermin 0.9.0
  • Webmin Usermin 0.91.0
  • Webmin Usermin 0.92.0
  • Webmin Usermin 0.93.0
  • Webmin Usermin 0.94.0
  • Webmin Usermin 0.95.0
  • Webmin Usermin 0.96.0
  • Webmin Usermin 0.97.0
  • Webmin Usermin 0.98.0
  • Webmin Usermin 0.99.0
  • Webmin Usermin 1.0.0
  • Webmin Usermin 1.110.0
  • Webmin Usermin 1.120.0
  • Webmin Usermin 1.130.0
  • Webmin Usermin 1.140.0
  • Webmin Usermin 1.150.0
  • Webmin Usermin 1.160.0
  • Webmin Usermin 1.170.0
  • Webmin Webmin 0.1.0
  • Webmin Webmin 0.2.0
  • Webmin Webmin 0.21.0
  • Webmin Webmin 0.22.0
  • Webmin Webmin 0.3.0
  • Webmin Webmin 0.31.0
  • Webmin Webmin 0.4.0
  • Webmin Webmin 0.41.0
  • Webmin Webmin 0.42.0
  • Webmin Webmin 0.5.0
  • Webmin Webmin 0.5.0x
  • Webmin Webmin 0.51.0
  • Webmin Webmin 0.6.0
  • Webmin Webmin 0.7.0
  • Webmin Webmin 0.76.0
  • Webmin Webmin 0.77.0
  • Webmin Webmin 0.78.0
  • Webmin Webmin 0.79.0
  • Webmin Webmin 0.8.3
  • Webmin Webmin 0.8.4
  • Webmin Webmin 0.8.5 Red Hat
  • Webmin Webmin 0.80.0
  • Webmin Webmin 0.85.0
  • Webmin Webmin 0.88.0
  • Webmin Webmin 0.89.0
  • Webmin Webmin 0.91.0
  • Webmin Webmin 0.92.0
  • Webmin Webmin 0.92.0-1
  • Webmin Webmin 0.93.0
  • Webmin Webmin 0.94.0
  • Webmin Webmin 0.950.0
  • Webmin Webmin 0.960.0
  • Webmin Webmin 0.970.0
  • Webmin Webmin 0.980.0
  • Webmin Webmin 0.990.0
  • Webmin Webmin 1.0.0 80
  • Webmin Webmin 1.0.0 90
  • Webmin Webmin 1.0.000
  • Webmin Webmin 1.0.020
  • Webmin Webmin 1.0.050
  • Webmin Webmin 1.0.060
  • Webmin Webmin 1.0.070
  • Webmin Webmin 1.100.0
  • Webmin Webmin 1.110.0
  • Webmin Webmin 1.121.0
  • Webmin Webmin 1.130.0
  • Webmin Webmin 1.140.0
  • Webmin Webmin 1.150.0
  • Webmin Webmin 1.160.0
  • Webmin Webmin 1.170.0
  • Webmin Webmin 1.180.0
  • Webmin Webmin 1.190.0
  • Webmin Webmin 1.200.0
  • Webmin Webmin 1.210.0
  • Webmin Webmin 1.220.0
  • Webmin Webmin 1.230.0
  • Webmin Webmin 1.240.0
  • Xpdf Xpdf 3.0.0 0
  • libpng libpng 1.0.15
  • libpng libpng3 1.2.5
