
Re: [SECURITY] [DSA 2267-1] perl security update



Wolfgang Jeltsch wrote, On 08/23/2011 09:43 AM:

> is there any way to find out which Debian packages use Perl’s Safe
> module? What damage could a local attacker have caused by exploiting the
> Safe module’s security flaw?

Wolfgang,

# Debian Package File Search
$ dpfs() { lynx -dump -nolist -width=999 "http://packages.debian.org/search?searchon=contents&keywords=${1}&mode=filename&suite=stable&arch=any" | sed -ne '/File[[:space:]]*Packages/,/     _________/{x;p}' ;}
$ dpfs Safe.pm

                             File                                     Packages
   /usr/lib/interchange/Vend/Safe.pm                        interchange
>> /usr/share/perl/5.10.1/Safe.pm                           perl-modules
   /usr/share/perl5/DBIx/Safe.pm                            libdbix-safe-perl
   /usr/share/perl5/MIME/Base64/URLSafe.pm                  libmime-base64-urlsafe-perl
   /usr/share/perl5/Mail/SpamAssassin/Locker/UnixNFSSafe.pm spamassassin
   /usr/share/perl5/Test/Trap/Builder/SystemSafe.pm         libtest-trap-perl
   /usr/share/perl5/Text/MicroMason/Safe.pm                 libtext-micromason-perl

Safe.pm appears to be delivered (in squeeze at least) in 'perl-modules'
(unless I'm looking at the wrong thing).

Do a dependency search on anything you have installed that uses that:

  $ aptitude search '~i~DDepends:perl-modules'

Leave out the '~i' if you don't want to limit to just what you currently
have installed.

Of course that only tells you packages that have metadata indicating that
they depend on 'perl-modules'; there could be other things that use it
without notification.  (Then you're into running global finds looking
for 'use' and 'require' statements, whee!)

--stephen

-- 
Stephen Dowdy  -  Systems Administrator  -  NCAR/RAL
303.497.2869   -  sdowdy@ucar.edu        -  http://www.ral.ucar.edu/~sdowdy/
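
The "global find" for 'use' and 'require' statements mentioned in the message above, as an added example that is not part of the original post. The function names are hypothetical, and the package lookup assumes dpkg-query is present (it is skipped otherwise).

```shell
#!/bin/sh
# Added example (not from the original message): find Perl files that load
# the core Safe module and, on Debian, name the package owning each file.
# Function names are hypothetical.

# Print every text file under DIR containing a "use Safe" / "require Safe"
# statement. Matches "use Safe;", "use Safe 2.27;", "eval { require Safe; }".
# Does not match Safe::Hole, DBIx::Safe, SafeFoo, or "# use Safe;".
# Limitation: misses indirect loads such as "use base 'Safe'" or string evals.
find_safe_users() {
    grep -rIlE \
      '(^|[;{])[[:space:]]*(use|require)[[:space:]]+Safe([[:space:]]*;|[[:space:]])' \
      "$1" 2>/dev/null | sort
}

# Print the Debian package owning FILE, or nothing if dpkg-query is missing
# or no installed package ships the file (e.g. code under /usr/local).
owner_of() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -S "$1" 2>/dev/null | sed 's|: /.*||' | head -n 1
}

# Print "package<TAB>file" for every file under DIR that loads Safe.
report_safe_users() {
    find_safe_users "$1" | while IFS= read -r f; do
        pkg=$(owner_of "$f")
        printf '%s\t%s\n' "${pkg:-(no package)}" "$f"
    done
}

# When called with a directory argument, e.g. /usr/share/perl5, report on it.
if [ "$#" -gt 0 ]; then
    report_safe_users "$1"
fi
```

Files reported as "(no package)" are the ones the aptitude dependency search cannot see, since nothing in the package metadata covers them.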

