-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-96:12 Security Advisory
Topic: security compromise from perl (suidperl) utility
Category: core and ports
Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
Corrected: 2.1-stable and 2.2-current as of 1996-06-03
FreeBSD only: no
FreeBSD ships perl version 4 as part of the base level system,
in addition, a port for perl version 5 is also provided with
a similar vulnerability. The vulnerability is specific to the
suidperl flavors of perl installed on the system.
This problem is present in all source code and binary
distributions of FreeBSD version 2.0.5 and later released
before 1996-05-21. This problem is not present in FreeBSD
2.0 and earlier versions of FreeBSD.
II. Problem Description
The authors of perl provide a "suidperl" program for proper
processing of setuid perl scripts on systems where race
conditions where setuid scripts could be exploited to gain
unauthorized access. FreeBSD installs this suidperl program
(and a link) as part of the standard installation. However,
privilege processing done by this program does not take into
account recent functionality extensions in the seteuid/setegid
This vulnerability can only be exploited by users with a valid
account on the local system to easily obtain superuser access.
This vulnerability is present on all systems with the
_POSIX_SAVED_IDS functionality extension where suidperl
has been installed.
One may simply disable the setuid bit on all copies of the setuid
version of perl. This will close the vulnerability but render
inoperable setuid perl scripts. No software currently shipping
as part of FreeBSD relies on this functionality so the impact is
only to third party software.
As root, execute the commands:
# chmod 111 /usr/bin/suidperl
# chmod 111 /usr/bin/sperl4.036
In addition, if you have installed the perl5 port:
# chmod 111 /usr/local/bin/suidperl
# chmod 111 /usr/local/bin/sperl5.001
then verify that the setuid permissions of the files have been
removed. The permissions array should read "-r-xr-xr-x" as
# ls -l /usr/bin/s*perl*
---x--x--x 2 root bin 307200 Jun 1 17:16 /usr/bin/sperl4.036
---x--x--x 2 root bin 307200 Jun 1 17:16 /usr/bin/suidperl
and for the perl5 port:
# ls -l /usr/local/bin/s*perl*
---x--x--x 2 root bin 397312 Jan 22 15:15 /usr/local/bin/sperl5.001
---x--x--x 2 root bin 397312 Jan 22 15:15 /usr/local/bin/suidperl
*NOTE* A patch for perl is available directly from Larry Wall
(the author of perl) which solves this vulnerability in a
different fashion than the FreeBSD patches. You may apply
either the FreeBSD patches, or Larry's patches, or both.
The patches solve the problem via two different mechanisms.
Patches are available which eliminate this vulnerability.
The following patch should be applied to the system sources and
suidperl should be rebuilt and reinstalled.
Apply the patch, then:
# cd /usr/src/gnu/usr.bin/perl/sperl
# make depend
# make all
# make install
A similar patch is also available for the perl5 port.
Apply the following patch by moving it into the patch
directory for the port distribution and rebuilding and
# cd /usr/ports/lang/perl5
# cp <location of new patches>/patch-a[ab] patches
# make all
# make install
NOTE: These patches do NOT solve the vulnerability for FreeBSD 2.0
or 2.0.5. These only solve the problem for 2.1 and later.
Patches specific to FreeBSD 2.0 and 2.0.5 are available at
the URL listed at the top of this file.
Web Site: http://www.freebsd.org/
Confidential contacts: email@example.com
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: firstname.lastname@example.org
Security public discussion: email@example.com
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----