SB2024051430 - SUSE update for perl

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Race condition (CVE-ID: CVE-2017-6512)

The vulnerability allows a local user to bypass certain security restrictions.

the vulnerability exists due to a race condition in rmtree() and remove_tree() functions within the File-Path module for Perl. A local user can set a mode on arbitrary files via vectors involving directory-permission loosening logic.

Successful exploitation of the vulnerability may allow an attacker to escalate privileges on the system.

2) Heap-based buffer over-read (CVE-ID: CVE-2018-6798)

The vulnerability allows a local attacker to obtain potentially sensitive information or execute arbitrary code on the target system.

The weakness exists due to heap-based buffer over-read. A local attacker can exploit a specially crafted locale dependent regular expression, trigger memory corruption and gain access to potentially sensitive information or run Perl code.

Successful exploitation of the vulnerability may result in system compromise.

3) Heap-based buffer overflow (CVE-ID: CVE-2018-6913)

The vulnerability allows a local attacker to cause DoS condition or execute arbitrary code on the target system.

The weakness exists due to heap-based buffer overflow. A local attacker can exploit a specially crafted pack() function, trigger memory corruption and cause the service to crash or run Perl code.

Successful exploitation of the vulnerability may result in system compromise.

4) Improper Certificate Validation (CVE-ID: CVE-2023-31484)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing verification of the TLS certificate when downloading distributions. A remote attacker can perform MitM attack and trick the application into downloading a malicious file.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2024/suse-su-20241630-1/