Red Hat Linux UTF-8 interaction between perl-Digest-MD5 and Perl could result in incorrect MD5 sums

linux-utf8-incorrect-md5 (9051) The risk level is classified as Low Risk

Description:

The perl-Digest-MD5 package in Red Hat Linux incorrectly handles UTF-8 encoded strings. This could result in the calculation of incorrect MD5 sums on certain input strings, which would result in weaker than expected security on systems that utilize the perl-Digest-MD5 package to verify the integrity of data.


Consequences:

Configuration

Remedy:

Upgrade to the latest perl-Digest-MD5 package (2.20-1 or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:081-06. See References.

For Mandrake Linux 8.2:
Upgrade to the latest version of perl-Digest-MD5 (2.20-1.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:035 : perl-Digest-MD5. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • BID-4716: Gisle Aas Digest-MD5 UTF-8 Incorrect Digest Calculation Threat
  • CVE-2002-0703: An interaction between the Perl MD5 module (perl-Digest-MD5) and Perl could produce incorrect MD5 checksums for UTF-8 data, which could prevent a system from properly verifying the integrity of the data.
  • MDKSA-2002:035: Updated perl-Digest-MD5 packages fix improper MD5 digest generation
  • OSVDB ID: 5131: Perl MD5 Module (perl-Digest-MD5) Invalid Checksum Integrity Loss
  • RHSA-2002-081: perl-Digest-MD5 UTF8 bug results in incorrect MD5 sums

Platforms Affected:

  • MandrakeSoft Mandrake Linux 8.2
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.2
  • RedHat Linux 7.3

Reported:

May 10, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
