Your message dated Wed, 28 Oct 2009 20:58:08 +0000
with message-id <[email protected]>
and subject line Bug#552291: fixed in perl 5.10.1-6
has caused the Debian Bug report #552291,
regarding CVE-2009-3626: DoS in Unicode processing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
552291: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552291
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl
Version: 5.10.1-5
Severity: grave
Tags: security
Quoting a posting from Jan Lieskovsky/Red Hat to oss-security.
I've verified that Etch and Lenny are not affected.
Cheers,
Moritz
----
Hello Steve, vendors,

Mark Martinec reported a Perl crash while processing a UTF-8 character
with a large and invalid codepoint.

References:
----------
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225 (original source)
http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973 (perl bug)
http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/ (PoC)

Affected versions:
------------------
I have checked that Perl versions perl-5.8.0, perl-5.8.5, perl-5.8.8 and
perl-5.10.0 are not vulnerable to this flaw.

The issue was confirmed in Perl version perl-5.10.1, as available at:
http://www.cpan.org/src/perl-5.10.1.tar.gz

CVE identifier:
---------------
The CVE identifier CVE-2009-3626 has already been assigned to this issue.
---
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages perl depends on:
ii libbz2-1.0 1.0.5-3 high-quality block-sorting file co
ii libc6 2.9-27 GNU C Library: Shared libraries
ii libdb4.7 4.7.25-8 Berkeley v4.7 Database Libraries [
ii libgdbm3 1.8.3-6+b1 GNU dbm database routines (runtime
ii perl-base 5.10.1-5 minimal Perl system
ii perl-modules 5.10.1-5 Core Perl modules
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime
Versions of packages perl recommends:
ii make 3.81-6 An utility for Directing compilati
ii netbase 4.37 Basic TCP/IP networking system
Versions of packages perl suggests:
pn libterm-readline-gnu-perl | l <none> (no description available)
ii perl-doc 5.10.1-5 Perl documentation
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.10.1-6
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.10.1-6_all.deb
to main/p/perl/libcgi-fast-perl_5.10.1-6_all.deb
libperl-dev_5.10.1-6_amd64.deb
to main/p/perl/libperl-dev_5.10.1-6_amd64.deb
libperl5.10_5.10.1-6_amd64.deb
to main/p/perl/libperl5.10_5.10.1-6_amd64.deb
perl-base_5.10.1-6_amd64.deb
to main/p/perl/perl-base_5.10.1-6_amd64.deb
perl-debug_5.10.1-6_amd64.deb
to main/p/perl/perl-debug_5.10.1-6_amd64.deb
perl-doc_5.10.1-6_all.deb
to main/p/perl/perl-doc_5.10.1-6_all.deb
perl-modules_5.10.1-6_all.deb
to main/p/perl/perl-modules_5.10.1-6_all.deb
perl-suid_5.10.1-6_amd64.deb
to main/p/perl/perl-suid_5.10.1-6_amd64.deb
perl_5.10.1-6.diff.gz
to main/p/perl/perl_5.10.1-6.diff.gz
perl_5.10.1-6.dsc
to main/p/perl/perl_5.10.1-6.dsc
perl_5.10.1-6_amd64.deb
to main/p/perl/perl_5.10.1-6_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eugene V. Lyubimkin <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 22 Oct 2009 23:21:24 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid
libperl5.10 libperl-dev perl
Architecture: source all amd64
Version: 5.10.1-6
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <[email protected]>
Changed-By: Eugene V. Lyubimkin <[email protected]>
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl-dev - Perl library: development files
libperl5.10 - shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules - Core Perl modules
perl-suid - runs setuid Perl scripts
Closes: 552291
Changes:
perl (5.10.1-6) unstable; urgency=high
.
* Added /me to Uploaders.
* Apply upstream fix to resolve some crash in pattern matching against
non-Unicode tainted string. This fixes CVE-2009-3626. (Closes: #552291)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkroB4AACgkQchorMMFUmYwjswCgmEDEDOn/d+TQL/qBd4HLRHHG
SDkAoJGMtc/BYyVUh3U1ohmoTC8X16n3
=hHvO
-----END PGP SIGNATURE-----
--- End Message ---