Debian Bug report logs - #622817
perl: CVE-2011-1487: taint laundering in lc, uc


Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl.

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Thu, 14 Apr 2011 21:12:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions perl/5.10.0-19lenny3, perl/5.12.3-3, perl/5.10.1-19, perl/5.10.1-17

Fixed in versions perl/5.10.1-20, perl/5.12.3-4, perl/5.10.1-17squeeze1

Done: Niko Tyni <ntyni@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Thu, 14 Apr 2011 21:12:07 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>. (Thu, 14 Apr 2011 21:12:12 GMT)

Message #5 received at submit@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Thu, 14 Apr 2011 21:45:55 +0100
Package: perl
Version: 5.10.1-19
Severity: grave
Tags: security
Justification: user security hole

CVE description:

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl
5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11,
do not apply the taint attribute to the return value upon processing
tainted input, which might allow context-dependent attackers to bypass
the taint protection mechanism via a crafted string. 

Upstream report: <http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336>
Redhat bug: <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1487>
Fix from bleadperl: <http://perl5.git.perl.org/perl.git/commitdiff/539689e74a3bcb04d29e4cd9396de91a81045b99>
Fedora fix in 5.12: <https://bugzilla.redhat.com/show_bug.cgi?id=692900>




Bug Marked as found in versions perl/5.12.3-3. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 14 Apr 2011 21:57:04 GMT)

Set Bug forwarded-to-address to 'http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336'. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 14 Apr 2011 21:57:07 GMT)

Added tag(s) upstream and fixed-upstream. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 14 Apr 2011 21:57:07 GMT)

Bug Marked as found in versions perl/5.10.1-17. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 14 Apr 2011 21:57:09 GMT)

Bug Marked as found in versions perl/5.10.0-19lenny3. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 14 Apr 2011 21:57:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Fri, 15 Apr 2011 18:57:05 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Fri, 15 Apr 2011 18:57:05 GMT)

Message #20 received at 622817@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 622817@bugs.debian.org
Subject: [dom@earth.li: Re: [perl #87336] Function lc() is laundering tainted data in newer perls, contrary to docs]
Date: Fri, 15 Apr 2011 19:25:01 +0100
----- Forwarded message from Dominic Hargreaves <dom@earth.li> -----

Date: Fri, 15 Apr 2011 19:12:24 +0100
From: Dominic Hargreaves <dom@earth.li>
To: Father Chrysostomos via RT <perlbug-comment@perl.org>
Cc: perl5-porters@perl.org
Subject: Re: [perl #87336] Function lc() is laundering tainted data in
	newer perls, contrary to docs
User-Agent: Mutt/1.5.20 (2009-06-14)

On Thu, Mar 31, 2011 at 06:29:59AM -0700, Father Chrysostomos via RT wrote:
> On Thu Mar 31 05:54:26 2011, jesse wrote:
> > At least for now, I've made it a 5.14 blocker, so a fix for it is 100%
> > ok. :)
> > 
> 
> I’ve just fixed it with commit 539689e74a.

Are there any plans to push this update to maint-5.12 or maint-5.10
(although the latter is probably dead already in practice)?
It looks like it would be worth applying.

For context, I'm looking at fixing this in the Debian perl packages:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622817>. It looks
like Redhat have already pushed out an update for 5.12 in Fedora 14.

I've attached the patch extracted from
<http://mirror.ox.ac.uk/sites/download.fedora.redhat.com/pub/fedora/linux/updates/14/SRPMS/perl-5.12.3-143.fc14.src.rpm>
(thanks Marcela!) and would appreciate any comments. That file applies
cleanly to our perl 5.10 tree, although I haven't tested it yet.

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Added tag(s) patch. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 15 Apr 2011 20:45:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#622817; Package perl. (Fri, 15 Apr 2011 22:03:51 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Fri, 15 Apr 2011 22:03:51 GMT)

Message #27 received at 622817@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 622817@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Fri, 15 Apr 2011 23:41:02 +0300
[Message part 1 (text/plain, inline)]
tag 622817 patch fixed-upstream
forwarded 622817 http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336
thanks

On Thu, Apr 14, 2011 at 09:45:55PM +0100, Dominic Hargreaves wrote:
> Package: perl
> Version: 5.10.1-19
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> CVE description:
> 
> The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl
> 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11,
> do not apply the taint attribute to the return value upon processing
> tainted input, which might allow context-dependent attackers to bypass
> the taint protection mechanism via a crafted string. 
> 
> Upstream report: <http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336>
> Redhat bug: <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1487>
> Fix from bleadperl: <http://perl5.git.perl.org/perl.git/commitdiff/539689e74a3bcb04d29e4cd9396de91a81045b99>
> Fedora fix in 5.12: <https://bugzilla.redhat.com/show_bug.cgi?id=692900>

Security team, I assume this is going to be fixed through a DSA?

I've pushed a fix for sid (5.10.1) into our git repository and I'm
attaching the actual patch. It's slightly modified from the Fedora one
because their test script update has a glitch and doesn't actually fail
without the fix.

This is to be applied after the fixes/tainted-errno patch, so
the test counts and context differ a bit from upstream.

It should be trivial to port this to squeeze and lenny. I'll try to
prepare the debdiffs on Sunday, but if somebody else wants to do that,
feel free.

Please note that the sid fix can't currently be uploaded on its own
because of a db4.7 related problem (just filed as #622916).
-- 
Niko Tyni   ntyni@debian.org
[0002-CVE-2011-1487-lc-uc-first-fail-to-taint-the-returned.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#622817; Package perl. (Sat, 16 Apr 2011 07:21:08 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Sat, 16 Apr 2011 07:21:08 GMT)

Message #32 received at 622817@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 622817@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Sat, 16 Apr 2011 10:20:00 +0300
[Message part 1 (text/plain, inline)]
On Fri, Apr 15, 2011 at 11:41:02PM +0300, Niko Tyni wrote:
> On Thu, Apr 14, 2011 at 09:45:55PM +0100, Dominic Hargreaves wrote:
> > Package: perl
> > Version: 5.10.1-19
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > CVE description:
> > 
> > The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl
> > 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11,
> > do not apply the taint attribute to the return value upon processing
> > tainted input, which might allow context-dependent attackers to bypass
> > the taint protection mechanism via a crafted string. 

> Security team, I assume this is going to be fixed through a DSA?

> It should be trivial to port this to squeeze and lenny. I'll try to
> prepare the debdiffs on Sunday, but if somebody else wants to do that,
> feel free.

I'm attaching the proposed debdiffs. I've verified that they fix
the issue and pass the test suite.

 perl -Te 'use Scalar::Util qw(tainted); $t=$0; $u=lc lcfirst uc ucfirst $t; printf("%d,%d\n",tainted($t),tainted($u))'

gives 1,0 without the fix and 1,1 with the fix.

> Please note that the sid fix can't currently be uploaded on its own
> because of a db4.7 related problem (just filed as #622916).

I'm waiting to see how this turns out. Not sure if we should wait
with the stable and oldstable updates until the fix is in unstable.
Not much risk for regressions AFAICS.

Security team, please let me know if I can upload these or if they
should go via spu instead.
-- 
Niko Tyni   ntyni@debian.org
[622817.lenny.debdiff (text/plain, attachment)]
[622817.squeeze.debdiff (text/plain, attachment)]
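A fuller version of the one-liner check in the message above, written as an added example that is not part of the bug report, the upstream fix or the Debian packaging. It runs under -T, probes all four functions named in the CVE text (lc, uc, lcfirst, ucfirst) with Scalar::Util::tainted, then contrasts what the bug allowed (a case-changed tainted value reaching a taint-checked operation) with the sanctioned way to untaint, an explicit allow-list regex capture. The allow-list character class and the probe directory path are assumptions made for the illustration only.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report): probe whether this perl launders
# taint through lc/uc/lcfirst/ucfirst (CVE-2011-1487) and show the sanctioned
# way to untaint data, an explicit allow-list regex capture.
# Run as:  perl -T taint-probe.pl   (or make it executable and run it directly)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, $0 is tainted (as shown by the one-liner in the report), so the
# script needs no arguments or input of its own.
my $tainted_in = $0;
die "expected \$0 to be tainted; run with perl -T\n" unless tainted($tainted_in);

# Each case-changing function must return a value that is still tainted.
my %still_tainted = (
    lc      => tainted(lc      $tainted_in),
    uc      => tainted(uc      $tainted_in),
    lcfirst => tainted(lcfirst $tainted_in),
    ucfirst => tainted(ucfirst $tainted_in),
);
my @laundering = grep { !$still_tainted{$_} } sort keys %still_tainted;

if (@laundering) {
    print "VULNERABLE: taint dropped by: @laundering\n";
} else {
    print "OK: taint preserved through lc, uc, lcfirst and ucfirst\n";
}

# The correct way to untaint: capture from an allow-list regex. The character
# class is an assumption for this illustration (a plain file name); anything
# outside it is rejected rather than "cleaned".
sub untaint_filename {
    my ($s) = @_;
    return $s =~ /\A([A-Za-z0-9_.\-]+)\z/ ? $1 : undef;
}

my $clean = untaint_filename(lc $tainted_in);
if (defined $clean) {
    printf "explicit untaint: '%s' (tainted=%d)\n", $clean, tainted($clean) ? 1 : 0;
} else {
    print "explicit untaint: rejected (characters outside the allow-list)\n";
}

# What the bug let through: lc($tainted) used directly in a taint-checked
# operation. Opening a file for writing with a tainted name must die with
# "Insecure dependency"; on a laundering perl the open instead reaches the
# filesystem. The directory is assumed not to exist, so nothing is created
# either way and the ENOENT failure is the tell-tale sign of lost taint.
my $probe = lc $tainted_in;
my $ok = eval {
    open my $fh, '>', "/nonexistent-probe-dir/$probe" or die "open: $!\n";
    close $fh;
    1;
};
if ($@ =~ /Insecure dependency/) {
    print "open(lc \$0): blocked by taint mode (expected)\n";
} elsif (!$ok) {
    print "open(lc \$0): reached the filesystem, taint was lost: $@";
} else {
    print "open(lc \$0): succeeded, taint was lost\n";
}

exit(@laundering ? 1 : 0);
```

The exit status makes the script usable as a quick regression check on a packaged perl: it exits 1 on an interpreter that drops the taint flag in any of the four functions and 0 on a fixed one. Note that the allow-list capture is the only sanctioned untainting mechanism; the fix restores taint propagation but does not change that code which relied on lc/uc to "clean" input was relying on a bug, which is the application breakage the later messages in this thread discuss.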

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Sun, 17 Apr 2011 15:15:03 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 17 Apr 2011 15:15:03 GMT)

Message #37 received at 622817@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 622817@bugs.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Sun, 17 Apr 2011 16:13:53 +0100
On Fri, Apr 15, 2011 at 11:41:02PM +0300, Niko Tyni wrote:

> Please note that the sid fix can't currently be uploaded on its own
> because of a db4.7 related problem (just filed as #622916).

Partly as a reminder to myself: I plan to merge this into experimental
once the upload to sid has been completed; this will also include a
build-dep fix for sparc.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Tue, 19 Apr 2011 14:51:04 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 19 Apr 2011 14:51:04 GMT)

Message #42 received at 622817@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Niko Tyni <ntyni@debian.org>
Cc: 622817@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Tue, 19 Apr 2011 16:18:36 +0200
* Niko Tyni:

> Security team, I assume this is going to be fixed through a DSA?

I don't think this is a security bug on its own.

> It should be trivial to port this to squeeze and lenny. I'll try to
> prepare the debdiffs on Sunday, but if somebody else wants to do that,
> feel free.

If this bug fixes any actual vulnerabilities, such a backport will
break applications, hard.  Therefore, I would prefer to let it soak in
unstable/testing for some time, to see what happens.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#622817; Package perl. (Wed, 20 Apr 2011 05:54:05 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Wed, 20 Apr 2011 05:54:05 GMT)

Message #47 received at 622817@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: team@security.debian.org
Cc: 622817@bugs.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Wed, 20 Apr 2011 08:52:31 +0300
severity 622817 important
thanks

On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote:
> * Niko Tyni:
> 
> > Security team, I assume this is going to be fixed through a DSA?
> 
> I don't think this is a security bug on its own.

Yes, turns out upstream thinks similarly.

 http://nntp.perl.org/group/perl.perl5.porters/171010

I'm therefore downgrading the severity.

> If this bug fixes any actual vulnerabilities, such a backport will
> break applications, hard.  Therefore, I would prefer to let it soak in
> unstable/testing for some time, to see what happens.

OK, let's do that. Thanks and sorry for rushing things a bit.
-- 
Niko Tyni   ntyni@debian.org




Severity set to 'important' from 'grave'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2011 05:54:10 GMT)

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Fri, 22 Apr 2011 10:39:22 GMT)

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Fri, 22 Apr 2011 10:39:25 GMT)

Message #54 received at 622817-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 622817-close@bugs.debian.org
Subject: Bug#622817: fixed in perl 5.10.1-20
Date: Fri, 22 Apr 2011 10:34:33 +0000
Source: perl
Source-Version: 5.10.1-20

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.1-20_all.deb
  to main/p/perl/libcgi-fast-perl_5.10.1-20_all.deb
libperl-dev_5.10.1-20_i386.deb
  to main/p/perl/libperl-dev_5.10.1-20_i386.deb
libperl5.10_5.10.1-20_i386.deb
  to main/p/perl/libperl5.10_5.10.1-20_i386.deb
perl-base_5.10.1-20_i386.deb
  to main/p/perl/perl-base_5.10.1-20_i386.deb
perl-debug_5.10.1-20_i386.deb
  to main/p/perl/perl-debug_5.10.1-20_i386.deb
perl-doc_5.10.1-20_all.deb
  to main/p/perl/perl-doc_5.10.1-20_all.deb
perl-modules_5.10.1-20_all.deb
  to main/p/perl/perl-modules_5.10.1-20_all.deb
perl-suid_5.10.1-20_i386.deb
  to main/p/perl/perl-suid_5.10.1-20_i386.deb
perl_5.10.1-20.debian.tar.gz
  to main/p/perl/perl_5.10.1-20.debian.tar.gz
perl_5.10.1-20.dsc
  to main/p/perl/perl_5.10.1-20.dsc
perl_5.10.1-20_i386.deb
  to main/p/perl/perl_5.10.1-20_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622817@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 22 Apr 2011 10:29:41 +0100
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.1-20
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 622817
Changes: 
 perl (5.10.1-20) unstable; urgency=medium
 .
   [ Niko Tyni ]
   * [SECURITY] CVE-2011-1487: taint laundering in lc, uc, et al.
     (Closes: #622817)
   * Make the package fail to build instead of silently dropping the
     DB_File module if -ldb doesn't work. (See #622916)
 .
   [ Dominic Hargreaves ]
   * debian/config.debian: never use <libutil.h>, even if libbsd-dev is
     installed. Inspired by a similar Ubuntu change and merged from
     perl 5.12.3-3.
Checksums-Sha1: 
 8596eca34c4a4545682c4e5920e6143d9b478e12 1374 perl_5.10.1-20.dsc
 568f23ebf3bc03b4894a8037e1b7ba62a332728a 118132 perl_5.10.1-20.debian.tar.gz
 9a1c55227800bf82d8f229f588afd6ec7c858aae 53578 libcgi-fast-perl_5.10.1-20_all.deb
 de2fe80d039d606d0c5a172dd507b11d99191f46 7189272 perl-doc_5.10.1-20_all.deb
 5dc488d5439cda88a677cd2dd596896254ee1dbc 3491584 perl-modules_5.10.1-20_all.deb
 87b2e8cd4c188ab8dd98fc932c486cbaa06a6845 980338 perl-base_5.10.1-20_i386.deb
 cbf5ccc306f973459fb7db61f9f58f99e2a85455 7448072 perl-debug_5.10.1-20_i386.deb
 1c6c4fabab2db31e9505818f3ec5c31e67963778 33162 perl-suid_5.10.1-20_i386.deb
 f54ff00a6385825eebeb6663a98b65d340f5875d 631848 libperl5.10_5.10.1-20_i386.deb
 a6f4a4fd128c4dba6e405b9daea86c9f374e223a 2503246 libperl-dev_5.10.1-20_i386.deb
 1ce31169dfff241c0c7f46a033a2667d2bd5d35e 3780278 perl_5.10.1-20_i386.deb
Checksums-Sha256: 
 f12db39af00c818afbebf36e16ae50d0481edf9e12e105b1d34373b5b51f69bd 1374 perl_5.10.1-20.dsc
 3d2b60dbea4b2efa089ad4decfd2f98f5c1a36b5ae93b57aabc6e94e1f34f4c4 118132 perl_5.10.1-20.debian.tar.gz
 fbcd99d10230ea2217d2353644b1569be672e42b1259cec98f079f6e595702ba 53578 libcgi-fast-perl_5.10.1-20_all.deb
 cfdb4685fa3b82a46751aca1f5c73af9970f3927ae994f1f3b748b2af257607f 7189272 perl-doc_5.10.1-20_all.deb
 d35a808f6a73af93245672f79ba9453022b53f6f5281a4cce0766320fa1cf196 3491584 perl-modules_5.10.1-20_all.deb
 54afee56b2fe08447f6ce78d54efa03ef5d811b1d84820131bbf8df69212015f 980338 perl-base_5.10.1-20_i386.deb
 7c79c35ca7869d6c079a1466f652865e13a057f0f1b87b35301690cd28a2ee0e 7448072 perl-debug_5.10.1-20_i386.deb
 a88378e21705cf119aaa6a872debed347f2a7dcc5ca40e6cd55c36c98e32bfce 33162 perl-suid_5.10.1-20_i386.deb
 31239e0157f06ef5a154353a5739429031ee5d3644477e22131f249ef462278c 631848 libperl5.10_5.10.1-20_i386.deb
 4e54cff5eaef649b121f27123d2bef7e8edfcdaae5e832914e6522f439488797 2503246 libperl-dev_5.10.1-20_i386.deb
 6e9ecea2e74c1631343082467215b4cfb59a37d45195ebc7d532e2418b46c1b2 3780278 perl_5.10.1-20_i386.deb
Files: 
 f92a9886861718542e897336ed205011 1374 perl standard perl_5.10.1-20.dsc
 ab8210ebf5bd1ff6602560649db0d3f7 118132 perl standard perl_5.10.1-20.debian.tar.gz
 6630b3f5f7fa79b8eff2f212e5f0ba01 53578 perl optional libcgi-fast-perl_5.10.1-20_all.deb
 8347f9a6333d0b485e3d0ca94c54d6dd 7189272 doc optional perl-doc_5.10.1-20_all.deb
 069c1c66a463425296869508a45ba295 3491584 perl standard perl-modules_5.10.1-20_all.deb
 c7988ce3a646aec1d1e42bd551534a94 980338 perl required perl-base_5.10.1-20_i386.deb
 a8f70bf91df7be1bdb0043a95478ddac 7448072 debug extra perl-debug_5.10.1-20_i386.deb
 32593147501c0475875a28ceaf8a88ff 33162 perl optional perl-suid_5.10.1-20_i386.deb
 7d6ac6807bc9c69e00df4d86d531bfde 631848 libs optional libperl5.10_5.10.1-20_i386.deb
 f46c6aaf3b5ad04c3fc226ae6a6f9515 2503246 libdevel optional libperl-dev_5.10.1-20_i386.deb
 c09cec4b6376b5b8d1526b2a956f957f 3780278 perl standard perl_5.10.1-20_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNsVQtYzuFKFF44qURAl4rAJ0e8c/KGKnwhqykYo1A7lMp6G+/RQCdGAkk
thJ9vEg5LRVCXNzNOC+damk=
=V4+P
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Fri, 22 Apr 2011 11:33:13 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Fri, 22 Apr 2011 11:33:19 GMT)

Message #59 received at 622817@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 622817@bugs.debian.org
Cc: team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Fri, 22 Apr 2011 12:29:19 +0100
On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote:
> severity 622817 important
> thanks
> 
> On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote:
> > * Niko Tyni:
> > 
> > > Security team, I assume this is going to be fixed through a DSA?
> > 
> > I don't think this is a security bug on its own.
> 
> Yes, turns out upstream thinks similarly.
> 
>  http://nntp.perl.org/group/perl.perl5.porters/171010
> 
> I'm therefore downgrading the severity.
> 
> > If this bug fixes any actual vulnerabilities, such a backport will
> > break applications, hard.  Therefore, I would prefer to let it soak in
> > unstable/testing for some time, to see what happens.
> 
> OK, let's do that. Thanks and sorry for rushing things a bit.

Perhaps it would make sense to upload this fix to s-p-u and o-p-u
instead (after a suitable soak period). Release team, any thoughts?

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Fri, 22 Apr 2011 12:21:03 GMT)

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Fri, 22 Apr 2011 12:21:32 GMT)

Message #64 received at 622817-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 622817-close@bugs.debian.org
Subject: Bug#622817: fixed in perl 5.12.3-4
Date: Fri, 22 Apr 2011 12:18:10 +0000
Source: perl
Source-Version: 5.12.3-4

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.12.3-4_all.deb
  to main/p/perl/libcgi-fast-perl_5.12.3-4_all.deb
libperl-dev_5.12.3-4_i386.deb
  to main/p/perl/libperl-dev_5.12.3-4_i386.deb
libperl5.12_5.12.3-4_i386.deb
  to main/p/perl/libperl5.12_5.12.3-4_i386.deb
perl-base_5.12.3-4_i386.deb
  to main/p/perl/perl-base_5.12.3-4_i386.deb
perl-debug_5.12.3-4_i386.deb
  to main/p/perl/perl-debug_5.12.3-4_i386.deb
perl-doc_5.12.3-4_all.deb
  to main/p/perl/perl-doc_5.12.3-4_all.deb
perl-modules_5.12.3-4_all.deb
  to main/p/perl/perl-modules_5.12.3-4_all.deb
perl_5.12.3-4.debian.tar.gz
  to main/p/perl/perl_5.12.3-4.debian.tar.gz
perl_5.12.3-4.dsc
  to main/p/perl/perl_5.12.3-4.dsc
perl_5.12.3-4_i386.deb
  to main/p/perl/perl_5.12.3-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622817@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 22 Apr 2011 12:04:32 +0100
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.12 libperl-dev perl
Architecture: source all i386
Version: 5.12.3-4
Distribution: experimental
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.12 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 622817
Changes: 
 perl (5.12.3-4) experimental; urgency=low
 .
   * Revert gcc-4.3 on sparc workaround for #577016 which turned out to
     be a kernel bug, now fixed (#581571). gcc-4.3 is no longer available
     in sid.
   * Build-depend on unversioned libdb-dev (see #621383)
   * Merge 5.10.1-20 from unstable:
     + [SECURITY] CVE-2011-1487: taint laundering in lc, uc, et al.
       (Closes: #622817)
     + Make the package fail to build instead of silently dropping the
       DB_File module if -ldb doesn't work. (See #622916)
Checksums-Sha1: 
 9fd8b948abedd83522aad16ef262c6955dda2414 1389 perl_5.12.3-4.dsc
 5c0887915a50884c28af150e060fe72b106982c7 90027 perl_5.12.3-4.debian.tar.gz
 ec7e6eaa3d4014d7a1f9ace23167fad905910a0d 55280 libcgi-fast-perl_5.12.3-4_all.deb
 ae3ede1fe98ab13c506f16218bb2bcb11ba9aeb4 7515260 perl-doc_5.12.3-4_all.deb
 094913816617ed1fc4a18853979b1b83172d9a68 4776444 perl-modules_5.12.3-4_all.deb
 3dde59f8ee9bc476bd5542d29e24c7b20f74ed93 1418910 perl-base_5.12.3-4_i386.deb
 0c27792e8a418af631c16ebf743f3ad421470692 7665174 perl-debug_5.12.3-4_i386.deb
 c9dc5fa73f8817409859a82679960806f2c75f60 674758 libperl5.12_5.12.3-4_i386.deb
 320c997fcb3d39ec3d2d4f2618f6639669faf734 2572196 libperl-dev_5.12.3-4_i386.deb
 9c003142a851ccf3cde970dcf7b04eda177d2a24 3535430 perl_5.12.3-4_i386.deb
Checksums-Sha256: 
 21432530c6539eb58598810de9b4b4c157ba0bb79eb6ff2d4038cdf173d15350 1389 perl_5.12.3-4.dsc
 e4ee6b13657a1b53580a569446cb8d88f1769254e8b44698c432d2eb2e08aeaf 90027 perl_5.12.3-4.debian.tar.gz
 7a8f981d2745a1f9a90b18f4a447b681f3d7e1986138b01b9863f8cc24e56bcf 55280 libcgi-fast-perl_5.12.3-4_all.deb
 2144fe8b76be104eb56915de96a669419626390953190cae752dcdd6cd81b56b 7515260 perl-doc_5.12.3-4_all.deb
 a62addcfbc325def26df45e2a74acdf4ee7034f99c5c6aa89623b1e805e5c8b1 4776444 perl-modules_5.12.3-4_all.deb
 9b5ef3f3ea6417de278bd5dd8a3f805236f1cf3da072a13735f52030507f3fb4 1418910 perl-base_5.12.3-4_i386.deb
 8c1721c0eb5b4ff5c631d3c87d3050aab6a3792d874780daa79b3f6b5c81ed10 7665174 perl-debug_5.12.3-4_i386.deb
 82fd0e9461eceb3b328ff080470895cda2758828d9cac6ae281177b0f519da56 674758 libperl5.12_5.12.3-4_i386.deb
 74f383ce1b3189ffb152872311e9ae337948664d63db79de5a6e6921ee6d8709 2572196 libperl-dev_5.12.3-4_i386.deb
 808b36e7a7381973191d43862b798a64e1b04a68d138daa196624a7b8e181e45 3535430 perl_5.12.3-4_i386.deb
Files: 
 d3514a6bfafa969b2e0fd966693a9696 1389 perl standard perl_5.12.3-4.dsc
 91451afed6f64e05c5866f5ccb5b92b9 90027 perl standard perl_5.12.3-4.debian.tar.gz
 a97180f96749943f06d66d5f98bc2dca 55280 perl optional libcgi-fast-perl_5.12.3-4_all.deb
 120bf8b0c3ba792aeb9492626a089cd3 7515260 doc optional perl-doc_5.12.3-4_all.deb
 df1315b8725bf268a1fba9bad255ee4d 4776444 perl standard perl-modules_5.12.3-4_all.deb
 3802c9b5923346d14df10bcdf4ceeed9 1418910 perl required perl-base_5.12.3-4_i386.deb
 32138bd9ace9916f8cc6445f4a1edeb8 7665174 debug extra perl-debug_5.12.3-4_i386.deb
 d6eaa8bd6be1b6dd21d30f459c0138e0 674758 libs optional libperl5.12_5.12.3-4_i386.deb
 5c9e1721100a65ac416ac30a13c558e6 2572196 libdevel optional libperl-dev_5.12.3-4_i386.deb
 bebdc1b4b12fd037de5f19cd058cf9b7 3535430 perl standard perl_5.12.3-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNsW1cYzuFKFF44qURAp9QAJ0W3Hif342jza/WvRGHi7lrykkklwCfawtb
B7RITOJbALyv1hevE/H9owU=
=ueLz
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Mon, 25 Apr 2011 10:57:08 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 25 Apr 2011 10:57:10 GMT)

Message #69 received at 622817@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Dominic Hargreaves <dom@earth.li>
Cc: Niko Tyni <ntyni@debian.org>, 622817@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Mon, 25 Apr 2011 11:53:53 +0100
On Fri, 2011-04-22 at 12:29 +0100, Dominic Hargreaves wrote:
> On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote:
>  
> > On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote:
> >  http://nntp.perl.org/group/perl.perl5.porters/171010
> > 
> > I'm therefore downgrading the severity.
> > 
> > > If this bug fixes any actual vulnerabilities, such a backport will
> > > break applications, hard.  Therefore, I would prefer to let it soak in
> > > unstable/testing for some time, to see what happens.
> > 
> > OK, let's do that. Thanks and sorry for rushing things a bit.
> 
> Perhaps it would make sense to upload this fix to s-p-u and o-p-u
> instead (after a suitable soak period). Release team, any thoughts?

If the security team aren't going to be issuing a DSA for it then we
could certainly look at a stable update.

I do share Florian's concern about the potential breakage as a result of
the change.  Do we have any idea how many packages in {old,}stable would
be affected and to what degree?  Particularly in the case of oldstable,
with its four month update cycle, fixing packages broken by the change
could be somewhat painful.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Sat, 30 Apr 2011 16:30:10 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 30 Apr 2011 16:30:10 GMT)

Message #74 received at 622817@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 622817@bugs.debian.org, Dominic Hargreaves <dom@earth.li>, Niko Tyni <ntyni@debian.org>, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Sat, 30 Apr 2011 18:26:51 +0200
* Adam D. Barratt:

> I do share Florian's concern about the potential breakage as a result of
> the change.  Do we have any idea how many packages in {old,}stable would
> be affected and to what degree?  Particularly in the case of oldstable,
> with its four month update cycle, fixing packages broken by the change
> could be somewhat painful.

Okay, then we should release a DSA for it, so that the breakage is
more easily blamed on this particular change, and that it's less
confusing if we have to issue follow-up DSAs.  Perhaps late May or
early June would be a convenient release date?




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Sat, 30 Apr 2011 20:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 30 Apr 2011 20:21:03 GMT) Full text and rfc822 format available.

Message #79 received at 622817@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 622817@bugs.debian.org, Niko Tyni <ntyni@debian.org>, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Sat, 30 Apr 2011 21:19:03 +0100
On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> * Adam D. Barratt:
> 
> > I do share Florian's concern about the potential breakage as a result of
> > the change.  Do we have any idea how many packages in {old,}stable would
> > be affected and to what degree?

I don't think we have any reports of breakage -- I'm not sure how we'd
undertake a comprehensive analysis.

> Particularly in the case of oldstable,
> > with its four month update cycle, fixing packages broken by the change
> > could be somewhat painful.
> 
> Okay, then we should release a DSA for it, so that the breakage is
> more easily blamed on this particular change, and that it's less
> confusing if we have to issue follow-up DSAs.  Perhaps late May or
> early June would be a convenient release date?

I'd be happy with that. The fix has been in unstable since 2011-04-22
(and now in testing). Bear in mind that once perl 5.12 has been
uploaded to unstable, it's quite likely that any breakage caused by this
bug will be more difficult to detect in isolation.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Sun, 01 May 2011 20:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 01 May 2011 20:36:06 GMT) Full text and rfc822 format available.

Message #84 received at 622817@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 622817@bugs.debian.org, Dominic Hargreaves <dom@earth.li>, Niko Tyni <ntyni@debian.org>, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Sun, 1 May 2011 22:33:35 +0200
On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> * Adam D. Barratt:
> 
> > I do share Florian's concern about the potential breakage as a result of
> > the change.  Do we have any idea how many packages in {old,}stable would
> > be affected and to what degree?  Particularly in the case of oldstable,
> > with its four month update cycle, fixing packages broken by the change
> > could be somewhat painful.
> 
> Okay, then we should release a DSA for it, so that the breakage is
> more easily blamed on this particular change, and that it's less
> confusing if we have to issue follow-up DSAs.  Perhaps late May or
> early June would be a convenient release date?

Wasn't the earlier consensus that this only affects Perl scripts, which
are already insecure?

Cheers,
        Moritz 




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Mon, 02 May 2011 12:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 02 May 2011 12:30:05 GMT) Full text and rfc822 format available.

Message #89 received at 622817@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Mühlenhoff <jmm@inutil.org>, 622817@bugs.debian.org
Cc: Florian Weimer <fw@deneb.enyo.de>, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>, debian-release@lists.debian.org, Niko Tyni <ntyni@debian.org>
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Mon, 2 May 2011 13:28:09 +0100
On Sun, May 01, 2011 at 10:33:35PM +0200, Moritz Mühlenhoff wrote:
> On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> > * Adam D. Barratt:
> > 
> > > I do share Florian's concern about the potential breakage as a result of
> > > the change.  Do we have any idea how many packages in {old,}stable would
> > > be affected and to what degree?  Particularly in the case of oldstable,
> > > with its four month update cycle, fixing packages broken by the change
> > > could be somewhat painful.
> > 
> > Okay, then we should release a DSA for it, so that the breakage is
> > more easily blamed on this particular change, and that it's less
> > confusing if we have to issue follow-up DSAs.  Perhaps late May or
> > early June would be a convenient release date?
> 
> Wasn't the earlier consensus that this only affects Perl scripts, which
> are already insecure?

I don't think we've seen any discussion of this; could you elaborate?

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 May 2011 07:32:25 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 16 Jun 2011 20:45:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#622817; Package perl. (Thu, 16 Jun 2011 20:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 16 Jun 2011 20:51:03 GMT) Full text and rfc822 format available.

Message #98 received at 622817@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Dominic Hargreaves <dom@earth.li>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 622817@bugs.debian.org, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>, debian-release@lists.debian.org, Niko Tyni <ntyni@debian.org>
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Thu, 16 Jun 2011 22:11:09 +0200
* Dominic Hargreaves:

>> > Okay, then we should release a DSA for it, so that the breakage is
>> > more easily blamed on this particular change, and that it's less
>> > confusing if we have to issue follow-up DSAs.  Perhaps late May or
>> > early June would be a convenient release date?
>> 
>> Wasn't the earlier consensus that this only affects Perl scripts, which
>> are already insecure?
>
> I don't think we've seen any discussion of this; could you elaborate?

There was some discussion prior to filing the bug report, sorry.

Anyway, we should probably push the fix to lenny and squeeze at this
point.  (See above for part of my rationale for that.)

I can grab
0002-CVE-2011-1487-lc-uc-first-fail-to-taint-the-returned.patch and
apply it to squeeze & lenny if you want me to.  Are there any other
pending changes I should pick up?




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#622817; Package perl. (Fri, 17 Jun 2011 06:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Fri, 17 Jun 2011 06:51:03 GMT) Full text and rfc822 format available.

Message #103 received at 622817@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Dominic Hargreaves <dom@earth.li>, Moritz Mühlenhoff <jmm@inutil.org>, 622817@bugs.debian.org, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>, debian-release@lists.debian.org
Subject: Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Date: Fri, 17 Jun 2011 09:48:28 +0300
On Thu, Jun 16, 2011 at 10:11:09PM +0200, Florian Weimer wrote:

> >> > Okay, then we should release a DSA for it, so that the breakage is
> >> > more easily blamed on this particular change, and that it's less
> >> > confusing if we have to issue follow-up DSAs.  Perhaps late May or
> >> > early June would be a convenient release date?

> Anyway, we should probably push the fix to lenny and squeeze at this
> point.  (See above for part of my rationale for that.)

Fine by me.

> I can grab
> 0002-CVE-2011-1487-lc-uc-first-fail-to-taint-the-returned.patch and
> apply it to squeeze & lenny if you want me to.

I'm short on time and I believe Dominic is also, so I'd be glad if you
could handle this.

FWIW, I already prepared full debdiffs for lenny and squeeze earlier, see
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622817#32

Feel free to use those if you like, modified or unmodified.

> Are there any other pending changes I should pick up?

I don't think so.

We have two other CVE issues open:

#628836 perl-debug: CVE-2010-4777 perl: assertion failure with certain regular expressions
  applies to perl-debug only, not fixed in unstable yet

#628817 perl NULL pointer dereference CVE-2011-0761
  (at least symptoms) fixed in unstable by a newer upstream version

These are low to medium severity bugs, and neither currently has a
clearly correct patch available for 5.10.x, so I don't think they are
candidates at this time.

#629363 perl consumes all the memory on: open FILE, '<', \*STDIN or die; <FILE>;

is a recent candidate for a stable update but it's not even fixed in
unstable yet so we'll have to leave it for later too.

Thanks for looking at this,
-- 
Niko Tyni   ntyni@debian.org
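A quick way to confirm whether a given perl build carries the CVE-2011-1487 fix discussed in this thread is to feed a tainted string through lc, uc, lcfirst and ucfirst under taint mode and check that the results are still tainted. The probe below is an added example, not code from this bug log, from the Debian packages or from the upstream patch; it relies only on Scalar::Util's tainted() and on the fact that %ENV is tainted under -T. The sample string is constructed for the check.

```perl
#!/usr/bin/perl
# Regression probe for CVE-2011-1487 (added example; not from the bug log).
# Run as:  perl -T taint_probe.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint tracking only happens under -T; refuse to report a false "OK" without it.
${^TAINT} or die "taint mode is off; run this script with 'perl -T'\n";

# Constructed tainted input: %ENV values are tainted under -T, and appending
# even an empty substring of a tainted value taints the result, so the actual
# content of PATH does not matter. 'MixedCase' is a hypothetical sample value.
my $path  = defined $ENV{PATH} ? $ENV{PATH} : '';
my $input = 'MixedCase' . substr($path, 0, 0);
tainted($input) or die "sample input is unexpectedly untainted (is PATH set?)\n";

# Each case-changing builtin named in the CVE, applied to the tainted string.
my %results = (
    lc      => lc($input),
    uc      => uc($input),
    lcfirst => lcfirst($input),
    ucfirst => ucfirst($input),
);

for my $fn (sort keys %results) {
    printf "%-8s %-10s %s\n", $fn, $results{$fn},
        tainted($results{$fn}) ? 'tainted' : 'UNTAINTED';
}

# Any result that lost its taint means the interpreter still launders taint.
my @laundered = grep { !tainted($results{$_}) } sort keys %results;
if (@laundered) {
    print "AFFECTED: taint dropped by: @laundered (CVE-2011-1487)\n";
    exit 1;
}
print "OK: taint propagates through lc, uc, lcfirst and ucfirst\n";
exit 0;
```

Run it with `perl -T` against both the pre- and post-update interpreter; a non-zero exit on the old package and a zero exit on the updated one is the expected before/after behaviour for this fix.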




Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Mon, 20 Jun 2011 19:57:14 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Mon, 20 Jun 2011 19:57:14 GMT) Full text and rfc822 format available.

Message #108 received at 622817-close@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 622817-close@bugs.debian.org
Subject: Bug#622817: fixed in perl 5.10.1-17squeeze1
Date: Mon, 20 Jun 2011 19:55:19 +0000
Source: perl
Source-Version: 5.10.1-17squeeze1

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.1-17squeeze1_all.deb
  to main/p/perl/libcgi-fast-perl_5.10.1-17squeeze1_all.deb
libperl-dev_5.10.1-17squeeze1_amd64.deb
  to main/p/perl/libperl-dev_5.10.1-17squeeze1_amd64.deb
libperl5.10_5.10.1-17squeeze1_amd64.deb
  to main/p/perl/libperl5.10_5.10.1-17squeeze1_amd64.deb
perl-base_5.10.1-17squeeze1_amd64.deb
  to main/p/perl/perl-base_5.10.1-17squeeze1_amd64.deb
perl-debug_5.10.1-17squeeze1_amd64.deb
  to main/p/perl/perl-debug_5.10.1-17squeeze1_amd64.deb
perl-doc_5.10.1-17squeeze1_all.deb
  to main/p/perl/perl-doc_5.10.1-17squeeze1_all.deb
perl-modules_5.10.1-17squeeze1_all.deb
  to main/p/perl/perl-modules_5.10.1-17squeeze1_all.deb
perl-suid_5.10.1-17squeeze1_amd64.deb
  to main/p/perl/perl-suid_5.10.1-17squeeze1_amd64.deb
perl_5.10.1-17squeeze1.debian.tar.gz
  to main/p/perl/perl_5.10.1-17squeeze1.debian.tar.gz
perl_5.10.1-17squeeze1.dsc
  to main/p/perl/perl_5.10.1-17squeeze1.dsc
perl_5.10.1-17squeeze1_amd64.deb
  to main/p/perl/perl_5.10.1-17squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622817@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 Apr 2011 09:02:05 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all amd64
Version: 5.10.1-17squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 622817
Changes: 
 perl (5.10.1-17squeeze1) stable-security; urgency=low
 .
   * [SECURITY] CVE-2011-1487: taint laundering in lc, uc, et al.
     (Closes: #622817)
Checksums-Sha1: 
 4aa4ad90b2ba3e2ba371b08ea69f3aeeba55b9c6 1721 perl_5.10.1-17squeeze1.dsc
 8536ed1c14444d1efea069525a816fbc7be7109f 14117518 perl_5.10.1.orig.tar.gz
 b3d4bfd99c44309fe9df758db80ff1e08987b703 116767 perl_5.10.1-17squeeze1.debian.tar.gz
 b10039098fc946ba9784155f4bc768f3f5a7069f 52554 libcgi-fast-perl_5.10.1-17squeeze1_all.deb
 be76317389a8c5ae5259af3d209b62f91fbe089f 7150160 perl-doc_5.10.1-17squeeze1_all.deb
 d5873b09de484a1f23d229ab2a457b80dbd51b39 3482816 perl-modules_5.10.1-17squeeze1_all.deb
 98d11eaebe023b7cdcfc92cbd49ff3da3704d83e 1059124 perl-base_5.10.1-17squeeze1_amd64.deb
 ac8de5e2c103ef8e9d32e36190ffbe9aa31636b9 5836074 perl-debug_5.10.1-17squeeze1_amd64.deb
 1f8a17bdcd9e4eff342f33dcd03aa4e9834b686c 35014 perl-suid_5.10.1-17squeeze1_amd64.deb
 5f1ee8964e686e8ec308279128f18d13fe927148 1158 libperl5.10_5.10.1-17squeeze1_amd64.deb
 4736d882228ceddd49255582be10d1405dd9a105 2562656 libperl-dev_5.10.1-17squeeze1_amd64.deb
 9e2b01cb1e919c734b312014cc783375f0e06deb 4442152 perl_5.10.1-17squeeze1_amd64.deb
Checksums-Sha256: 
 b032414942939725c6f86e38e75ec1e32763869fe4d531b0fa62edbd14b8ee5a 1721 perl_5.10.1-17squeeze1.dsc
 cb7f26ea4b2b28d6644354d87a269d01cac1b635287dae64e88eeafa24b44f35 14117518 perl_5.10.1.orig.tar.gz
 309d990cccee04e29d004eaea445355df295c76137ddf0cb20b65d3a1b647199 116767 perl_5.10.1-17squeeze1.debian.tar.gz
 844b45f51dd34e264677e78cb9d72709b20fe7a78570f9ee2f55e493551371cd 52554 libcgi-fast-perl_5.10.1-17squeeze1_all.deb
 b58da70a1cbec2843c46b8d856f63f25b2db213357a05761e8db9741835f4abb 7150160 perl-doc_5.10.1-17squeeze1_all.deb
 c4da792f81b93088fd6298dbc9a72f1a4819645d3e43ea7eb967808dc9c5f689 3482816 perl-modules_5.10.1-17squeeze1_all.deb
 bb6095903ba0b82fefd62b13d65836010659c5579a07d587e8cb8de103370862 1059124 perl-base_5.10.1-17squeeze1_amd64.deb
 e02a36be2dbc4884c342280d5de3dc9eadd104244e224b92293fb6c56ec4e2d2 5836074 perl-debug_5.10.1-17squeeze1_amd64.deb
 44704e41307eb69b9b25efbabb155522a278e5a3736007783d5dfb9a158639e7 35014 perl-suid_5.10.1-17squeeze1_amd64.deb
 aad47a790e4fd5c4bb468f35df67a71ab56a438174647cf73e117dc62e279837 1158 libperl5.10_5.10.1-17squeeze1_amd64.deb
 b720068285ad7b08b2e43e09c7e9ed8a8213a700d020eba385ea889a7ea2e2ef 2562656 libperl-dev_5.10.1-17squeeze1_amd64.deb
 27828a3b36a882a7df67db6a4e2a6b3fa00ca6b3454962090dc723daeda7b9d7 4442152 perl_5.10.1-17squeeze1_amd64.deb
Files: 
 3764facb0cb21cc4b522186811d8ad0d 1721 perl standard perl_5.10.1-17squeeze1.dsc
 b9b2fdb957f50ada62d73f43ee75d044 14117518 perl standard perl_5.10.1.orig.tar.gz
 a9401fa43e1b93a1f6bd54c530a4b5f4 116767 perl standard perl_5.10.1-17squeeze1.debian.tar.gz
 760d14ffa4033f8ac764c3948c2aa19a 52554 perl optional libcgi-fast-perl_5.10.1-17squeeze1_all.deb
 2a10e477a57ac4799bcea04f8e932e4b 7150160 doc optional perl-doc_5.10.1-17squeeze1_all.deb
 1bdb1df88ca4de0c30fc2b4b3b1ffcb2 3482816 perl standard perl-modules_5.10.1-17squeeze1_all.deb
 e0b30c84a9918dc1a6b08e4f3285cedb 1059124 perl required perl-base_5.10.1-17squeeze1_amd64.deb
 7475aec3cfb34a67eb89544828b157d0 5836074 debug extra perl-debug_5.10.1-17squeeze1_amd64.deb
 a46096f5942ffeb07e348aa95287b85c 35014 perl optional perl-suid_5.10.1-17squeeze1_amd64.deb
 f8fe78988a97cf8c0f9618aca8818373 1158 libs optional libperl5.10_5.10.1-17squeeze1_amd64.deb
 817f41e75aa0fa1510ebabbabca110cb 2562656 libdevel optional libperl-dev_5.10.1-17squeeze1_amd64.deb
 c2b1d9d235203cd97012e50a2f6bbd81 4442152 perl standard perl_5.10.1-17squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJN/PcxAAoJEL97/wQC1SS+4z0H/3dINhDxDpLn6vooLYj+zh6R
d+70olH6SxQV+NYUpLEczyO0fyfAcHQIIcG4bcq/Sr+0piyx1UuBrFcVevk0qzxp
kOgk2fskzwH+kMqFN8SytbCcQ9wxeiSca/SBrjnhiC6RbJS/LGqFk96zcV3KKetN
aeqrSYG3an/1SixgpYF/riQ4FLcpbNsvw0dgKhd+BsLzxCrAL7D01shGel3GpYP/
+JAlnESjLxZ4+3hxFrPnnQujVMWi/j2lumVgsDUcVnUcly7WuZeeY9FlguTyOXui
VeXdTsCbZ5hdPVC+0uH0Z9kcYK5VPf0ap0tMv6isYpYGr/QRn5qbA/13hYU3z2w=
=Ii2p
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jul 2011 07:32:39 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 03:59:09 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.