FreeBSD : perl -- vulnerabilities in PERLIO_DEBUG handling (a5eb760a-753c-11d9-a36f-000a95bc6fae)
Medium Nessus Plugin ID 19062
Synopsis
The remote FreeBSD host is missing one or more security-related updates.
Description
Kevin Finisterre discovered bugs in perl's I/O debug support:
- The environment variable PERLIO_DEBUG is honored even by the set-user-ID perl command (usually named sperl or suidperl). As a result, a local attacker may be able to gain elevated privileges.
- A buffer overflow may occur in threaded versions of perl when the full pathname of the script being executed is very long.
Note: By default, no set-user-ID perl binary is installed. An administrator must enable it manually at build time with the ENABLE_SUIDPERL port flag.
Solution
Update the affected packages.