Bug#487718: libdevel-stacktrace-perl: Security vulnerability in RT 3.0 and up

Niko Tyni ntyni at debian.org
Mon Jun 23 19:29:55 UTC 2008


Package: libdevel-stacktrace-perl
Version: 1.11-1
Severity: important
Tags: security etch
X-Debbugs-Cc: team at security.debian.org, request-tracker3.6 at packages.debian.org, request-tracker3.4 at packages.debian.org

Quoting <http://lists.bestpractical.com/pipermail/rt-announce/2008-June/000158.html>:

> All versions of RT from 3.0.0 to 3.6.6 (including some, but not all RT
> 3.7 development releases) are vulnerable to a potential remote denial
> of service attack which could exhaust virtual memory or consume all
> available CPU resources.  After a detailed analysis, we believe that
> an attacker would need to be a 'Privileged' RT user in order to
> perform an attack.

> We recommend that you install version 1.19 or newer of the Perl module
> Devel::StackTrace from CPAN, which will close the vulnerability.  Two
> methods for doing this are:

[...]

> Installing this newer version of the module is a complete fix, and
> will close the vulnerability.  However, we suggest that you upgrade to
> RT 3.6.7, released last Monday, which provides additional safeguards
> against this type of attack.

The fix can be seen here:

 http://search.cpan.org/diff?from=Devel-StackTrace-1.18&to=Devel-StackTrace-1.19#lib/Devel/StackTrace.pm

and a fixed version is two days away from entering lenny.

Etch has libdevel-stacktrace-perl 1.11-1, which most probably has the
same bug too, so reporting at that version.

The RT packages concerned are request-tracker3.4 (Etch only) and
request-tracker3.6 (both Etch and lenny/sid). Cc'ing the maintainer
addresses.

I don't understand the issue fully yet, particularly the 'exhaust virtual
memory or consume all available CPU resources' part. I'll get back to
this, but it may take a while. Help would be welcome.

The big question is whether this needs an Etch update. I'm leaving the
severity at 'important' for now, as the security impact seems to be
quite low.

Cc'ing the security team as a heads-up.
-- 
Niko Tyni   ntyni at debian.org