Re: [SECURITY] [DSA 2267-1] perl security update
Wolfgang Jeltsch wrote, On 08/23/2011 09:43 AM:
> is there any way to find out which Debian packages use Perl’s Safe
> module? What damage could a local attacker have caused by exploiting the
> Safe module’s security flaw?
Wolfgang,
# Debian Package File Search
$ dpfs() { lynx -dump -nolist -width=999 "http://packages.debian.org/search?searchon=contents&keywords=${1}&mode=filename&suite=stable&arch=any" | sed -ne '/File[[:space:]]*Packages/,/ _________/{x;p}' ;}
$ dpfs Safe.pm
   File                                                       Packages
   /usr/lib/interchange/Vend/Safe.pm                          interchange
>> /usr/share/perl/5.10.1/Safe.pm                             perl-modules
   /usr/share/perl5/DBIx/Safe.pm                              libdbix-safe-perl
   /usr/share/perl5/MIME/Base64/URLSafe.pm                    libmime-base64-urlsafe-perl
   /usr/share/perl5/Mail/SpamAssassin/Locker/UnixNFSSafe.pm   spamassassin
   /usr/share/perl5/Test/Trap/Builder/SystemSafe.pm           libtest-trap-perl
   /usr/share/perl5/Text/MicroMason/Safe.pm                   libtext-micromason-perl
Safe.pm appears to be delivered (in squeeze at least) in 'perl-modules'
(unless I'm looking at the wrong thing).
Do a dependency search on anything you have installed that uses that:
$ aptitude search '~i~DDepends:perl-modules'
Leave out the '~i' if you don't want to limit to just what you currently
have installed.
Of course that only tells you packages that have metadata indicating that
they depend on 'perl-modules'; there could be other things that use it
without notification. (Then you're into running global finds looking
for 'use' and 'require' statements, whee!)
--stephen
--
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdowdy@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
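
The "global find" for 'use' and 'require' statements mentioned in the reply above, as an added example that is not part of the original message. The function names and the regular expression are assumptions made for illustration; the match is a heuristic (POD text or strings can produce false positives), and dpkg-query -S is used to map each hit back to the package that ships it.

```shell
#!/bin/sh
# Added example (not from the original post): heuristic scan for code that
# loads Perl's core Safe module, mapped back to the owning Debian package.

# Matches "use Safe;", "use Safe 2.25 ();", "require Safe;" and
# "eval { require Safe }", but not DBIx::Safe, Safe::Hole or "# use Safe;".
SAFE_RE='(^|[;{])[[:space:]]*(use|require)[[:space:]]+Safe([[:space:];}]|$)'

# find_safe_users DIR...
# Print every text file under the given directories that contains a
# matching statement. -I skips binaries, -l lists file names only.
find_safe_users() {
    grep -rIlE -- "$SAFE_RE" "$@" 2>/dev/null | sort
}

# owning_package FILE
# Print the Debian package that ships FILE, or "(unpackaged)" when dpkg
# does not know the path (local scripts, or a system without dpkg).
owning_package() {
    pkg=$(dpkg-query -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    printf '%s\n' "${pkg:-(unpackaged)}"
}

# report_safe_users DIR...
# Print "package<TAB>file" for every hit, ready for sort/uniq or review.
report_safe_users() {
    find_safe_users "$@" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(owning_package "$f")" "$f"
    done
}

# When run as a script with arguments, scan those directories, e.g.:
#   sh safe-users.sh /usr/share/perl5 /usr/bin /usr/lib/cgi-bin
if [ "$#" -gt 0 ]; then
    report_safe_users "$@"
fi
```

Hits reported as "(unpackaged)" are locally installed code, which the aptitude dependency search cannot see at all.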