Package name
Advisory ID
Affected versions
6.1 i586 , 6.0 i586 , 7.0 i586 , 7.1 i586

Problem description

There is a vulnerability that exists when using setuidperl together with the mailx program. In some cases, setuidperl will warn root that something has going on. The setuidperl program uses /bin/mail to send the message, as root, with the environment preserved. An undocumented feature of /bin/mail consists of it interpretting the ~! sequence even if it is not running on the terminal, and the message also contains the script name, taken from argv[1]. With all of this combined, it is possible to execute a command using ~! passed in the script name to create a suid shell. The instance of setuidperl sending such a message can only be reached if you try to fool perl into forcing the execution of one file instead of another. This vulnerability may not be limited to just the mailx program, which is why an upgrade for perl is provided as opposed to an upgrade for mailx.

Updated packages

6.1 i586

 cfdba31ce88d7a72f00ae2f27d4596db  6.1/RPMS/perl-5.00503-5mdk.i586.rpm
3c0d7424d519fc616ce6c902dbbbf760  6.1/SRPMS/perl-5.00503-5mdk.src.rpm

6.0 i586

 1c42a4a20c7c042f78ae846cc9bfdc81  6.0/RPMS/perl-5.00503-5mdk.i586.rpm
3c0d7424d519fc616ce6c902dbbbf760  6.0/SRPMS/perl-5.00503-5mdk.src.rpm

7.0 i586

 054c9b11a79651d742a465f8ca15a0e8  7.0/RPMS/perl-5.00503-11mdk.i586.rpm
7b699435cc912993d21f4b35f780b366  7.0/RPMS/perl-base-5.00503-11mdk.i586.rpm
86eb8dea7b0ed397cb145a9cc118843e  7.0/SRPMS/perl-5.00503-11mdk.src.rpm

7.1 i586

 39a43d7f8449a692e11fa384343dc939  7.1/RPMS/perl-5.600-5mdk.i586.rpm
025428ebc98430c138979f9cd3f1bdb8  7.1/RPMS/perl-base-5.600-5mdk.i586.rpm
332ef51a58f9946b5c834fd1acc681bd  7.1/SRPMS/perl-5.600-5mdk.src.rpm