Patches fix Perl sprintf buffer overflow

by Andy Lester

Related link: http://www.perlfoundation.org/news/2005/sprintf_patch_released.html

The Perl community has released a fix to the sprintf function
that was recently discovered to have a buffer overflow in very specific
cases. All Perl users should consider updating immediately.

Dyad Security recently released
a security advisory
explaining how in certain cases, a carefully crafted format string
passed to sprintf can cause a buffer overflow. This buffer
overflow can then be used by an attacker to execute code on the machine.
This was discovered in the context of a design problem with the Webmin
administration package that allowed a malicious user to pass unchecked
data into sprintf. A related fix for Sys::Syslog
has already been released.

The Perl 5 Porters team has solved this sprintf overflow
problem and has released a set of patches, one for each of four different
versions of Perl.

While this specific patch fixes a buffer overflow, and thus prevents
malicious code execution, programmers must still be careful.
Patched or not, sprintf can still be used as the basis of a
denial-of-service attack: it will create huge, memory-eating blocks of
data if passed malicious format strings from an attacker. It's best if
no unchecked data from outside sources gets passed to sprintf as the
format string, either directly or through a function such as syslog.
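As an added illustration (not code from the article or from The Perl Foundation), the following shows the unsafe and safe ways to hand outside data to sprintf and syslog in Perl; the hostile username is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: a value that arrived from outside the program
# (a login form field, say) and happens to contain '%' directives.
my $username = 'bob %s %s';
my $message  = "login failed for $username";

# Unsafe: the outside-controlled text IS the format string, so sprintf
# interprets every '%' directive in it. With this sample it only eats
# the directives and warns "Missing argument in sprintf"; a directive
# with a large field width would make sprintf build a huge buffer.
sub log_unsafe {
    my ($msg) = @_;
    return sprintf($msg);
}

# Safe: the format is a fixed string owned by the program, and the
# outside text is only ever an argument, so its '%' characters are
# copied through literally.
sub log_safe {
    my ($msg) = @_;
    return sprintf("%s", $msg);
}

# Audit helper: true if a string about to be used as a format carries
# a directive (a '%' not followed by another '%').
sub has_format_directive {
    my ($s) = @_;
    return $s =~ /%[^%]/ ? 1 : 0;
}

print log_unsafe($message), "\n";   # directives consumed, message mangled
print log_safe($message),   "\n";   # prints: login failed for bob %s %s
print has_format_directive($message) ? "format from outside data\n"
                                     : "no directives\n";

# The same rule applies to functions that forward to sprintf internally.
# Sys::Syslog's syslog() treats its second argument as the format:
#   syslog('info', '%s', $message);   # safe: fixed format, data as argument
#   syslog('info', $message);         # unsafe: outside data as the format
```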

For further information, or information about The Perl Foundation, please email
Andy Lester at pr at perlfoundation.org.