Debian Bug report logs - #637376
perl: [CVE-2011-2939] Encode security: Unicode.xs!decode_xs n-byte heap-overflow

version graph

Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl.

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Wed, 10 Aug 2011 17:57:02 UTC

Severity: important

Tags: security

Found in versions 5.10.0-19lenny5, perl/5.12.4-3, perl/5.14.1-1, perl/5.10.1-17squeeze2, perl/5.12.4-2

Fixed in versions perl/5.14.1-2, perl/5.12.4-4, perl/5.10.1-17squeeze3

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#637376; Package perl. (Wed, 10 Aug 2011 17:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>. (Wed, 10 Aug 2011 17:57:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow
Date: Wed, 10 Aug 2011 18:52:43 +0100
Package: perl
Version: 5.12.4-3
Severity: grave
Tags: security
Justification: user security hole

Encode 2.44 has been released with the following change:

! Unicode/Unicode.xs
  Addressed the following:
    Date: Fri, 22 Jul 2011 13:58:43 +0200
    From: Robert Zacek <zacek@avast.com>
    To: perl5-security-report@perl.org
    Subject: Unicode.xs!decode_xs n-byte heap-overflow

This has been fixed in libencode-perl 2.44-1; it probably also needs
fixing in perl.

The relevant patch appears to be

<http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5>

I haven't seen any further details about this one, but setting severity
to grave for now.




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Wed, 10 Aug 2011 22:00:37 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Wed, 10 Aug 2011 22:00:37 GMT) Full text and rfc822 format available.

Message #10 received at 637376-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 637376-close@bugs.debian.org
Subject: Bug#637376: fixed in perl 5.12.4-4
Date: Wed, 10 Aug 2011 21:49:32 +0000
Source: perl
Source-Version: 5.12.4-4

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.12.4-4_all.deb
  to main/p/perl/libcgi-fast-perl_5.12.4-4_all.deb
libperl-dev_5.12.4-4_i386.deb
  to main/p/perl/libperl-dev_5.12.4-4_i386.deb
libperl5.12_5.12.4-4_i386.deb
  to main/p/perl/libperl5.12_5.12.4-4_i386.deb
perl-base_5.12.4-4_i386.deb
  to main/p/perl/perl-base_5.12.4-4_i386.deb
perl-debug_5.12.4-4_i386.deb
  to main/p/perl/perl-debug_5.12.4-4_i386.deb
perl-doc_5.12.4-4_all.deb
  to main/p/perl/perl-doc_5.12.4-4_all.deb
perl-modules_5.12.4-4_all.deb
  to main/p/perl/perl-modules_5.12.4-4_all.deb
perl_5.12.4-4.debian.tar.gz
  to main/p/perl/perl_5.12.4-4.debian.tar.gz
perl_5.12.4-4.dsc
  to main/p/perl/perl_5.12.4-4.dsc
perl_5.12.4-4_i386.deb
  to main/p/perl/perl_5.12.4-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 637376@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 10 Aug 2011 19:25:23 +0100
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.12 libperl-dev perl
Architecture: source all i386
Version: 5.12.4-4
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.12 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 637376
Changes: 
 perl (5.12.4-4) unstable; urgency=medium
 .
   * Fix decode_xs n-byte heap-overflow security bug in Unicode.xs
     (Closes: #637376)
Checksums-Sha1: 
 a11fa2b5b75dbccb6087cded59df092166843de3 1416 perl_5.12.4-4.dsc
 c58658e76d3f70e071888fe52712a8606e444159 99712 perl_5.12.4-4.debian.tar.gz
 410b164938f9981e3f93db511d77f7adfd7d42c0 56450 libcgi-fast-perl_5.12.4-4_all.deb
 811e5b0c6c78df55f66a9f1bba1d8c16da19dfdc 7520174 perl-doc_5.12.4-4_all.deb
 1e8496f7816dcf1970c6e19098342d8d7caac2bd 4786020 perl-modules_5.12.4-4_all.deb
 1025a3858c6de4aebaa0c2213c0e94953cc5419d 1455362 perl-base_5.12.4-4_i386.deb
 0a8cfab7982f3ceaaccb9486cd9bed9edd03515c 7508158 perl-debug_5.12.4-4_i386.deb
 02d06b08505ab12be28ade1dfae7e4e2a3b7aa5f 705360 libperl5.12_5.12.4-4_i386.deb
 422537a89a300ef0640af8bfb188fac1a7b0328a 2593000 libperl-dev_5.12.4-4_i386.deb
 79a4eb70c9a8d37b79746322e55a374773698428 3564074 perl_5.12.4-4_i386.deb
Checksums-Sha256: 
 38cd5dc53c1025ea0fa0cf064678de4ab16299a750f02d1d4c37426d230c03fd 1416 perl_5.12.4-4.dsc
 52d8c2fd11706f41f62065b80e0f7d72a4a16be90f651d9b1718264539b73b1f 99712 perl_5.12.4-4.debian.tar.gz
 1d62398e22f33900f09f58b57f34924dd47d7ca58c3afa7fca81b9640a3bb7c8 56450 libcgi-fast-perl_5.12.4-4_all.deb
 cb392e83aa3c0cd4ebaeb9a4bb8abc2a48ba2f569226fbdc67cf39a43314f8c9 7520174 perl-doc_5.12.4-4_all.deb
 eb12b268632f6f8455067d5dcf6b6ef64026f0eaf3572c302a91e4b6c90c3440 4786020 perl-modules_5.12.4-4_all.deb
 a9a99a1818afa18d91ff80159a82cf2df9b42b5ee511fca7b1d562fc8a85cf6a 1455362 perl-base_5.12.4-4_i386.deb
 bcfa627a6ad775bb8a9dbde5e2adbcad09e9fb067b231bf535c0e8a6e293e5c7 7508158 perl-debug_5.12.4-4_i386.deb
 f2b7606af98d4c3b6798a637ac3c8ccce72c59d126ccea14aba35e7d9c3367f1 705360 libperl5.12_5.12.4-4_i386.deb
 fa07f9bfac02eb80213b2620e0f30ba4c3d9b6d0a8345bf1435abff0d2eccb8d 2593000 libperl-dev_5.12.4-4_i386.deb
 ebdc03a0ba2de9062e9cfb30a5919dd3f3ecf27ef944237c85dd9a5f68aef016 3564074 perl_5.12.4-4_i386.deb
Files: 
 3ca2388e59359ed7222c451c9cc0d202 1416 perl standard perl_5.12.4-4.dsc
 38e4f94e61f10076d02ba344021ef98d 99712 perl standard perl_5.12.4-4.debian.tar.gz
 98f1b7794b101885aaf0c51c26d7b0c1 56450 perl optional libcgi-fast-perl_5.12.4-4_all.deb
 13b7707fc381fa3696881abe76448c74 7520174 doc optional perl-doc_5.12.4-4_all.deb
 8d4373c1dd767471ebc42c49bd720eaa 4786020 perl standard perl-modules_5.12.4-4_all.deb
 0a6c1543dfbd439c90212db346fb6d5e 1455362 perl required perl-base_5.12.4-4_i386.deb
 153f6cdbab1beafc795a19054fc2bfeb 7508158 debug extra perl-debug_5.12.4-4_i386.deb
 7bc8e5e5dbe0f7138b243e45e5e6e3f1 705360 libs optional libperl5.12_5.12.4-4_i386.deb
 da2663bbb6bb0b9bb77e894e838eb100 2593000 libdevel optional libperl-dev_5.12.4-4_i386.deb
 bc1117fa8704e17dee02b10c1e35a339 3564074 perl standard perl_5.12.4-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOQvaFYzuFKFF44qURArXeAJ9ArycvseNcwFbzyRhf2ziE4KmIigCgmcip
TTyNiBm9c30K6zK1i0qHqX8=
=YXuX
-----END PGP SIGNATURE-----





Bug Marked as found in versions perl/5.10.1-17squeeze2. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 11 Aug 2011 08:42:05 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 5.10.0-19lenny5. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 11 Aug 2011 08:42:06 GMT) Full text and rfc822 format available.

Bug Marked as found in versions perl/5.14.1-1 and reopened. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 11 Aug 2011 08:45:14 GMT) Full text and rfc822 format available.

Bug Marked as found in versions perl/5.12.4-2. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 11 Aug 2011 08:48:03 GMT) Full text and rfc822 format available.

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Thu, 11 Aug 2011 19:06:10 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Thu, 11 Aug 2011 19:06:10 GMT) Full text and rfc822 format available.

Message #23 received at 637376-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 637376-close@bugs.debian.org
Subject: Bug#637376: fixed in perl 5.14.1-2
Date: Thu, 11 Aug 2011 19:03:47 +0000
Source: perl
Source-Version: 5.14.1-2

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.14.1-2_all.deb
  to main/p/perl/libcgi-fast-perl_5.14.1-2_all.deb
libperl-dev_5.14.1-2_i386.deb
  to main/p/perl/libperl-dev_5.14.1-2_i386.deb
libperl5.14_5.14.1-2_i386.deb
  to main/p/perl/libperl5.14_5.14.1-2_i386.deb
perl-base_5.14.1-2_i386.deb
  to main/p/perl/perl-base_5.14.1-2_i386.deb
perl-debug_5.14.1-2_i386.deb
  to main/p/perl/perl-debug_5.14.1-2_i386.deb
perl-doc_5.14.1-2_all.deb
  to main/p/perl/perl-doc_5.14.1-2_all.deb
perl-modules_5.14.1-2_all.deb
  to main/p/perl/perl-modules_5.14.1-2_all.deb
perl_5.14.1-2.debian.tar.gz
  to main/p/perl/perl_5.14.1-2.debian.tar.gz
perl_5.14.1-2.dsc
  to main/p/perl/perl_5.14.1-2.dsc
perl_5.14.1-2_i386.deb
  to main/p/perl/perl_5.14.1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 637376@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 11 Aug 2011 18:28:44 +0100
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.14 libperl-dev perl
Architecture: source all i386
Version: 5.14.1-2
Distribution: experimental
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.14 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 627821 635647 636609 637376
Changes: 
 perl (5.14.1-2) experimental; urgency=low
 .
   * Promote libclass-isa-perl and libswitch-perl from Recommends to
     Depends, to improve partial upgrades from squeeze to wheezy
     (see: #629472)
   * Demote libpod-plainer-perl from Recommends to Suggests, based on
     analysis of its usage in Debian (see: #629472)
   * Skip a crashing test case in t/op/threads.t on GNU/kFreeBSD
     (see: #628493, thanks Niko)
   * Apply patch from Niko documenting the correct use of CCFLAGS in
     ExtUtils::MakeMaker (see: #628522)
   * Use a socket timeout on GNU/kFreeBSD to catch ICMP port unreachable
     messages (thanks, Niko) (Closes: #627821)
   * Fix decode_xs n-byte heap-overflow security bug in Unicode.xs
     (Closes: #637376)
   * Improve general GNU hints, fixing build failures on GNU/Hurd. Patch by
     Pino Toscano. (Closes: #636609)
   * Merge 5.12.4-3 and 5.12.4-4 from unstable
   * Fix lintian error by build-depending on procps [!hurd-any] rather
     than procps | hurd (and adjust existing [!hurd-i386] to
     [!hurd-any]) (Closes: #635647)
Checksums-Sha1: 
 b5994cbb4ec01e2f2bfe8270902ea43079c27699 1419 perl_5.14.1-2.dsc
 23ee15c1502aa6324a1ee6ca69068d0b0ce62808 117035 perl_5.14.1-2.debian.tar.gz
 8742d9b38c485ac92082dc9b713d939730bd06fe 71658 libcgi-fast-perl_5.14.1-2_all.deb
 3ce67dc300f1c5e6b0df12c8df0ce9b0547dd40c 8154512 perl-doc_5.14.1-2_all.deb
 f7725d0c506ffb948e013f03c920da76c68d4fbb 3437340 perl-modules_5.14.1-2_all.deb
 cc8daa659839dd92cdcdb79683089be0fde250ae 1481378 perl-base_5.14.1-2_i386.deb
 6138f9efb830278e837a39cfcab92f2136f0a014 7755696 perl-debug_5.14.1-2_i386.deb
 92dc2f4caa73c633e75e1b2d8744c143dd85d3ca 724676 libperl5.14_5.14.1-2_i386.deb
 260240275ca132ce2be8e6f3bc963e71f74f178f 2678000 libperl-dev_5.14.1-2_i386.deb
 b27f6ca2a53fd9d4886b5edd2c97e698a32018fc 3696886 perl_5.14.1-2_i386.deb
Checksums-Sha256: 
 066d08d81dae467791f34a0aaca86fee16b567dd914ea9be6236b04fc1792986 1419 perl_5.14.1-2.dsc
 53f801c6e110687673f4a84d633f1705044800df7e008a00904f65e13588e602 117035 perl_5.14.1-2.debian.tar.gz
 3536157dc9bf85ac59152d21f8bda05ba792325fda9afe2f73c3f41532ce2730 71658 libcgi-fast-perl_5.14.1-2_all.deb
 e41993d38f0cd747503aa97ea1a7a3a5eb7c8d8dc0405ea03de9d7432bb5c8d8 8154512 perl-doc_5.14.1-2_all.deb
 91d5f9f8191ad3993e02bae70aadfefb7acfee4ed4ba772a225ae188b517a6fc 3437340 perl-modules_5.14.1-2_all.deb
 ff3dcaf044030b2d4b2eda1b43958fcf05000bd85afd415c24253b6e80299fc2 1481378 perl-base_5.14.1-2_i386.deb
 8e648a76ef20f1ec6ff6ba6fe6966fbb3386883eccc2ebc113173a694b056850 7755696 perl-debug_5.14.1-2_i386.deb
 eb65926365d24e7060ad810b5dae04bd0aaa8d414f2e99ac307563771f6d33ab 724676 libperl5.14_5.14.1-2_i386.deb
 630d794ff7a8abd0a9edfc9482bc8ad8e3a8f704253e21cf18cda44dc1db8f8b 2678000 libperl-dev_5.14.1-2_i386.deb
 44770a0fd600feb16aff04cb1f255bff793a8f4820679f846d02cb599f288d92 3696886 perl_5.14.1-2_i386.deb
Files: 
 7fd590ae59dc6d1f9445408ee0408687 1419 perl standard perl_5.14.1-2.dsc
 97f74e154808deba8722696ebf44192a 117035 perl standard perl_5.14.1-2.debian.tar.gz
 b60b86f3f9e7eacab112fa19775753db 71658 perl optional libcgi-fast-perl_5.14.1-2_all.deb
 f2e66fff83a0c6f524e166eb62bfec08 8154512 doc optional perl-doc_5.14.1-2_all.deb
 1a4d48f26cc359f75fff6157e671e1db 3437340 perl standard perl-modules_5.14.1-2_all.deb
 fca1ece69a8e0617e40716dee63da131 1481378 perl required perl-base_5.14.1-2_i386.deb
 8d990e80135e76eb32d788c94094cda1 7755696 debug extra perl-debug_5.14.1-2_i386.deb
 2c61360619b07a07d221de1bddc216c4 724676 libs optional libperl5.14_5.14.1-2_i386.deb
 0f613dd41d7f613d48a00fcced4eee47 2678000 libdevel optional libperl-dev_5.14.1-2_i386.deb
 ad58070e9e793a2180a8df866839c645 3696886 perl standard perl_5.14.1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFORCFMYzuFKFF44qURAo0lAJ9n+ZmoK3hjHiSsq5RG30bu/G1RdwCdHMTV
KjQYVYcU30XRwVPcDvTIjpI=
=Yhja
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#637376; Package perl. (Tue, 16 Aug 2011 23:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 16 Aug 2011 23:36:03 GMT) Full text and rfc822 format available.

Message #28 received at 637376@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 637376@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#637376: perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow
Date: Wed, 17 Aug 2011 00:32:55 +0100
On Wed, Aug 10, 2011 at 06:52:43PM +0100, Dominic Hargreaves wrote:
> Encode 2.44 has been released with the following change:
> 
> ! Unicode/Unicode.xs
>   Addressed the following:
>     Date: Fri, 22 Jul 2011 13:58:43 +0200
>     From: Robert Zacek <zacek@avast.com>
>     To: perl5-security-report@perl.org
>     Subject: Unicode.xs!decode_xs n-byte heap-overflow
> 
> This has been fixed in libencode-perl 2.44-1; it probably also needs
> fixing in perl.
> 
> The relevant patch appears to be
> 
> <http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5>
> 
> I haven't seen any further details about this one, but setting severity
> to grave for now.

Now fixed in experimental, sid, and wheezy. Fix prepared for squeeze
in git (http://anonscm.debian.org/gitweb/?p=perl/perl-squeeze.git).
Awaiting more information from upstream about the issue before
considering a DSA.

The code in lenny is completely different, and I don't feel qualified
to say whether the issue exists there.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#637376; Package perl. (Sun, 21 Aug 2011 16:09:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Sun, 21 Aug 2011 16:09:09 GMT) Full text and rfc822 format available.

Message #33 received at 637376@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 637376@bugs.debian.org
Subject: Re: Bug#637376: perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow
Date: Sun, 21 Aug 2011 18:52:28 +0300
retitle 637376 perl: [CVE-2011-2939] Encode security: Unicode.xs!decode_xs n-byte heap-overflow
thanks

On Wed, Aug 10, 2011 at 06:52:43PM +0100, Dominic Hargreaves wrote:
> Package: perl
> Version: 5.12.4-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Encode 2.44 has been released with the following change:
> 
> ! Unicode/Unicode.xs
>   Addressed the following:
>     Date: Fri, 22 Jul 2011 13:58:43 +0200
>     From: Robert Zacek <zacek@avast.com>
>     To: perl5-security-report@perl.org
>     Subject: Unicode.xs!decode_xs n-byte heap-overflow

> I haven't seen any further details about this one, but setting severity
> to grave for now.

Quoting Josh Bresser in 
 http://www.openwall.com/lists/oss-security/2011/08/19/17

>   I'm going to assign this CVE-2011-2939. It looks like a single byte
>   overflow. It's probably not exploitable (even as a DoS), but to play it
>   safe, I'm assigning this ID.

-- 
Niko Tyni   ntyni@debian.org




Changed Bug title to 'perl: [CVE-2011-2939] Encode security: Unicode.xs!decode_xs n-byte heap-overflow' from 'perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow' Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sun, 21 Aug 2011 16:09:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#637376; Package perl. (Mon, 29 Aug 2011 12:32:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 29 Aug 2011 12:32:14 GMT) Full text and rfc822 format available.

Message #40 received at 637376@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 637376@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#637376: perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow
Date: Mon, 29 Aug 2011 13:06:37 +0100
severity 637376 important
thanks

On Sun, Aug 21, 2011 at 06:52:28PM +0300, Niko Tyni wrote:
> retitle 637376 perl: [CVE-2011-2939] Encode security: Unicode.xs!decode_xs n-byte heap-overflow
> thanks
> 
> On Wed, Aug 10, 2011 at 06:52:43PM +0100, Dominic Hargreaves wrote:
> > Package: perl
> > Version: 5.12.4-3
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Encode 2.44 has been released with the following change:
> > 
> > ! Unicode/Unicode.xs
> >   Addressed the following:
> >     Date: Fri, 22 Jul 2011 13:58:43 +0200
> >     From: Robert Zacek <zacek@avast.com>
> >     To: perl5-security-report@perl.org
> >     Subject: Unicode.xs!decode_xs n-byte heap-overflow
> 
> > I haven't seen any further details about this one, but setting severity
> > to grave for now.
> 
> Quoting Josh Bresser in 
>  http://www.openwall.com/lists/oss-security/2011/08/19/17
> 
> >   I'm going to assign this CVE-2011-2939. It looks like a single byte
> >   overflow. It's probably not exploitable (even as a DoS), but to play it
> >   safe, I'm assigning this ID.

I get the impression that upstream agrees with this low potential for
exploitability, so I'm lowering the severity of this bug.

I suggest we wait for upstream to make stable releases including the fix
before pushing this out to squeeze/lenny (I had a look at lenny and the
code is, as Niko mentioned, completely different), so it's unlikely that
this problem exists in the same form, there.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Severity set to 'important' from 'grave' Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Mon, 29 Aug 2011 12:40:38 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Sep 2011 07:39:39 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 18 Dec 2011 17:00:12 GMT) Full text and rfc822 format available.

Bug No longer marked as fixed in versions perl/5.14.1-2 and perl/5.12.4-4 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Dec 2011 17:00:13 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions perl/5.14.1-2. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 20 Dec 2011 10:18:25 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions perl/5.12.4-4. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 20 Dec 2011 10:18:34 GMT) Full text and rfc822 format available.

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Wed, 21 Dec 2011 07:57:09 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Wed, 21 Dec 2011 07:57:09 GMT) Full text and rfc822 format available.

Message #57 received at 637376-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 637376-close@bugs.debian.org
Subject: Bug#637376: fixed in perl 5.10.1-17squeeze3
Date: Wed, 21 Dec 2011 07:55:45 +0000
Source: perl
Source-Version: 5.10.1-17squeeze3

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.1-17squeeze3_all.deb
  to main/p/perl/libcgi-fast-perl_5.10.1-17squeeze3_all.deb
libperl-dev_5.10.1-17squeeze3_i386.deb
  to main/p/perl/libperl-dev_5.10.1-17squeeze3_i386.deb
libperl5.10_5.10.1-17squeeze3_i386.deb
  to main/p/perl/libperl5.10_5.10.1-17squeeze3_i386.deb
perl-base_5.10.1-17squeeze3_i386.deb
  to main/p/perl/perl-base_5.10.1-17squeeze3_i386.deb
perl-debug_5.10.1-17squeeze3_i386.deb
  to main/p/perl/perl-debug_5.10.1-17squeeze3_i386.deb
perl-doc_5.10.1-17squeeze3_all.deb
  to main/p/perl/perl-doc_5.10.1-17squeeze3_all.deb
perl-modules_5.10.1-17squeeze3_all.deb
  to main/p/perl/perl-modules_5.10.1-17squeeze3_all.deb
perl-suid_5.10.1-17squeeze3_i386.deb
  to main/p/perl/perl-suid_5.10.1-17squeeze3_i386.deb
perl_5.10.1-17squeeze3.debian.tar.gz
  to main/p/perl/perl_5.10.1-17squeeze3.debian.tar.gz
perl_5.10.1-17squeeze3.dsc
  to main/p/perl/perl_5.10.1-17squeeze3.dsc
perl_5.10.1-17squeeze3_i386.deb
  to main/p/perl/perl_5.10.1-17squeeze3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 637376@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 20 Dec 2011 20:01:23 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.1-17squeeze3
Distribution: stable
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 604902 637376 644108
Changes: 
 perl (5.10.1-17squeeze3) stable; urgency=low
 .
   * [SECURITY] CVE-2011-2939: Fix decode_xs n-byte heap-overflow security
     bug in Unicode.xs (Closes: #637376)
   * [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new();
     thanks to Ansgar Burchardt for the notification (Closes: #644108)
   * Unregister signal handler before destroying my_perl; fixes segfault
     (Closes: #604902)
Checksums-Sha1: 
 8843091f6e603972d5b4d4a11089dba53824b0de 1422 perl_5.10.1-17squeeze3.dsc
 bb8db3889b23751f00683d8e5b11773a4b6c4c45 118221 perl_5.10.1-17squeeze3.debian.tar.gz
 0cefaca80ba0a7d0c9e4f0462c07031e862aad30 52942 libcgi-fast-perl_5.10.1-17squeeze3_all.deb
 b116d4697abb77b6e297dde3ed3b256c7ffbb82a 7188506 perl-doc_5.10.1-17squeeze3_all.deb
 19b3dcfa05823ade81293ebe225a84731185f1c0 3490542 perl-modules_5.10.1-17squeeze3_all.deb
 45fc31cb973d06659d35e8dcd2fd65da8bfb3826 980444 perl-base_5.10.1-17squeeze3_i386.deb
 60459dec649a72fbe2a183d2aa9198828534aa89 6631472 perl-debug_5.10.1-17squeeze3_i386.deb
 6fb5ce9309fa5e4496770d09403166ba7996c335 33082 perl-suid_5.10.1-17squeeze3_i386.deb
 1976197275655e04e32bc9ef562dfe16f6df1806 632980 libperl5.10_5.10.1-17squeeze3_i386.deb
 9a90a138eedad64670f5ab8b427bed1d3931a248 2344660 libperl-dev_5.10.1-17squeeze3_i386.deb
 8ec8f63de8cc549a5ce12d6e48a0863468fc50d3 3779972 perl_5.10.1-17squeeze3_i386.deb
Checksums-Sha256: 
 7f65a968e8055330dd39ea8b338a9988a0d5efadc71d37bdd539176537fe1410 1422 perl_5.10.1-17squeeze3.dsc
 7fe9f8d789020722fdc68bdee57943fd8cc934233887b40d4c540f764c17dc61 118221 perl_5.10.1-17squeeze3.debian.tar.gz
 5e59422232d568b1bca7436f4058ecdc8fb3320b274a7af5c74f5189d54f982d 52942 libcgi-fast-perl_5.10.1-17squeeze3_all.deb
 d60be500a411aa9aa47d2e956eaf733d98658141d9e8883d3000da47704a322a 7188506 perl-doc_5.10.1-17squeeze3_all.deb
 87d0138eff66a0f0e7f585dae5e2b512703ebf49ec6547d79662b859ed18bf8f 3490542 perl-modules_5.10.1-17squeeze3_all.deb
 80a91d13da776b2a0a1fbce39aaae8d2927de90994cdc64c7bafce5eefaaa447 980444 perl-base_5.10.1-17squeeze3_i386.deb
 16cb303beb593fe49b5fc7a16e2bd31c73c35466f3d24527c91f77a660c5cde5 6631472 perl-debug_5.10.1-17squeeze3_i386.deb
 d8ba102fb43869cd9b0e12cc3bac4d5960f534a222eb5d0ea0e0bc0faf20ee77 33082 perl-suid_5.10.1-17squeeze3_i386.deb
 3021f5a310aa0c6ab902edaa96a141ab7350df6e71ef7a5356bf67baf28caca9 632980 libperl5.10_5.10.1-17squeeze3_i386.deb
 b172480c65818cbd5a9dc20abc7b145e77e57c27149c65ae2b3b55870e8fa1b0 2344660 libperl-dev_5.10.1-17squeeze3_i386.deb
 43d3094c4be1da418e5c99e7b495f86ab0b7a88b3e1bb9a919b5e43c723bf48f 3779972 perl_5.10.1-17squeeze3_i386.deb
Files: 
 d9eab87849364e3327920e382f3a5887 1422 perl standard perl_5.10.1-17squeeze3.dsc
 e1efd83cf80e965a40d8aa4fd745f0f0 118221 perl standard perl_5.10.1-17squeeze3.debian.tar.gz
 40633b98fae67084c284494c961f4f75 52942 perl optional libcgi-fast-perl_5.10.1-17squeeze3_all.deb
 3932fb00d1af19a23af4f55902323cc6 7188506 doc optional perl-doc_5.10.1-17squeeze3_all.deb
 bf3aed2150a5e97f90e9fc136a197a9e 3490542 perl standard perl-modules_5.10.1-17squeeze3_all.deb
 20ced901f6f8c21fb31c546a7177c4ed 980444 perl required perl-base_5.10.1-17squeeze3_i386.deb
 24a219d7133aeb15cf7f08524eb1399f 6631472 debug extra perl-debug_5.10.1-17squeeze3_i386.deb
 e6543333ebbc2da71eede37bec255267 33082 perl optional perl-suid_5.10.1-17squeeze3_i386.deb
 a2ee1211165807ea8766247e5e4cce57 632980 libs optional libperl5.10_5.10.1-17squeeze3_i386.deb
 8de6fcb74ba725c85a2bc23b495645aa 2344660 libdevel optional libperl-dev_5.10.1-17squeeze3_i386.deb
 452c1287272b46e62a2ffdf45b200104 3779972 perl standard perl_5.10.1-17squeeze3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFO8PpwYzuFKFF44qURAngvAKCbHo99M3keZB76Xq40Vk99ZzQzwgCeICdt
fnvwvuEAY+K9zsBNIHdkezE=
=OItN
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 19 Jan 2012 07:37:43 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 03:09:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.