Caldera Systems Security Advisory: sperl vulnerability | Linux Today

Caldera Systems Security Advisory: sperl vulnerability

Written By
Web Webster
Web Webster
Aug 10, 2000

Date: Wed, 9 Aug 2000 08:56:47 -0600
From: Technical Support support@PHOENIX.CALDERASYSTEMS.COM

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Update: sperl vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                   Caldera Systems, Inc.  Security Advisory

Subject:                sperl vulnerability
Advisory number:        CSSA-2000-026.0
Issue date:             2000 August, 7
Cross reference:

1. Problem Description

sperl is a setuid copy of the perl interpreter that can be used
to execute perl scripts with the privilege of the file’s owner. In
order to be able to do so, sperl must be setuid root.

When sperl detects that an attacker is trying to spoof it, it
sends a mail message to the super user account using /bin/mail. By
exploiting a flaw in the way sperl interacts with /bin/mail, any
local user is able to obtain root privilege on the local
machine.

An exploit for this vulnerability has been published widely.

2. Vulnerable Versions

   System                       Package

   OpenLinux Desktop 2.3        not vulnerable

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       perl-5.005_03-6S

   OpenLinux eDesktop 2.4       All packages previous to
                                perl-5.005_03-6

3. Solution

Workaround:

none

We recommend our users to upgrade to the new packages.

4. OpenLinux Desktop 2.3

not vulnerable

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential
3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:


ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:


ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

55bf850e54e8ddd91a00f67b528d831d perl-5.005_03-6S.i386.rpm
bf1f56c565c512a8dbf970d04304d22c perl-5.005_03-6S.src.rpm
76f2238063b94983591ae10ad3715eb3 perl-add-5.005_03-6S.i386.rpm
94bc4d6e0963391c4d100e8d2a2c73d1 perl-examples-5.005_03-6S.i386.rpm
eca239c5b0c9cb7cc98d4254304a6e3d perl-man-5.005_03-6S.i386.rpm
18c76ed983ff45fd8dc5442cee2e6f4e perl-pod-5.005_03-6S.i386.rpm

5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv perl-*.i386.rpm

Please ignore the “directory not empty” messages

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:


ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:


ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

7542698bece734cccc30c8ef83c5af87 perl-5.005_03-6.i386.rpm
0b6e1a7e1615a5400e07c10cfd924203 perl-5.005_03-6.src.rpm
42356e924d6e6a1d5507c0951b5b5c78 perl-add-5.005_03-6.i386.rpm
49ab8a7f2e3a9f96f51ade1510405331 perl-examples-5.005_03-6.i386.rpm
2ec837db5f8bf0af5610748e2a7793a2 perl-man-5.005_03-6.i386.rpm
64cc98b972e8f9297933ac74fd547386 perl-pod-5.005_03-6.i386.rpm

6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv perl-*.i386.rpm

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera’s internal Problem Report
7347.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org 

iD8DBQE5jtvO18sy83A/qfwRAjtyAJ99lp4/lcXN6kS6U4he6cY8Gl0dlACdGiDA
SLbjCa/O3Icn0127HXoaqEg=
=KR/d
-----END PGP SIGNATURE-----
Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.