Your message dated Mon, 01 Jun 2020 23:49:31 +0000
with message-id <e1jfubp-0009fz...@fasolo.debian.org>
and subject line Bug#962005: fixed in perl 5.30.3-1
has caused the Debian Bug report #962005,
regarding perl: regexp security issues: CVE-2020-10543, CVE-2020-10878, CVE-2020-12723
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
962005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962005
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: perl
Version: 5.30.2-1
Severity: important
Tags: security pending
X-Debbugs-Cc: t...@security.debian.org

These three issues have all been judged to be no-dsa. An unstable
release will be forthcoming and we hope to provide fixes for stable and
oldstable via point releases.

The following text comes from
<https://metacpan.org/release/XSAWYERX/perl-5.30.3>.

[CVE-2020-10543] Buffer overflow caused by a crafted regular expression

A signed size_t integer overflow in the storage space calculations for
nested regular expression quantifiers could cause a heap buffer overflow in
Perl's regular expression compiler that overwrites memory allocated after
the regular expression storage space with attacker supplied data.

The target system needs a sufficient amount of memory to allocate partial
expansions of the nested quantifiers prior to the overflow occurring. This
requirement is unlikely to be met on 64-bit systems.

Discovered by: ManhND of The Tarantula Team, VinCSS (a member of Vingroup).

[CVE-2020-10878] Integer overflow via malformed bytecode produced by a crafted regular expression

Integer overflows in the calculation of offsets between instructions for the
regular expression engine could cause corruption of the intermediate
language state of a compiled regular expression. An attacker could abuse
this behaviour to insert instructions into the compiled form of a Perl
regular expression.

Discovered by: Hugo van der Sanden and Slaven Rezic.

[CVE-2020-12723] Buffer overflow caused by a crafted regular expression

Recursive calls to S_study_chunk() by Perl's regular expression compiler to
optimize the intermediate language representation of a regular expression
could cause corruption of the intermediate language state of a compiled
regular expression.

Discovered by: Sergey Aleynikov.

Additional Note

An application written in Perl would only be vulnerable to any of the above
flaws if it evaluates regular expressions supplied by the attacker.
Evaluating regular expressions in this fashion is known to be dangerous
since the regular expression engine does not protect against denial of
service attacks in this usage scenario.

--- End Message ---
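The "Additional Note" in the report above draws the line between code that is exposed to these flaws and code that is not: the regex compiler only sees attacker-controlled input when a string from outside is interpolated as a pattern. The following is an added example, not code from the Debian bug report or from the perl package, contrasting that usage with the literal-match form that keeps untrusted text away from the compiler. The log line, the search terms and the function names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not part of the Debian bug report or of perl itself).
# Shows the difference between interpolating untrusted text as a regex
# pattern and matching it as a literal string.
use strict;
use warnings;

# Constructed sample input: one log line and two search terms that we
# pretend arrived from an untrusted source such as a web form.
my $log_line   = 'GET /index.html 200';
my $term_plain = 'index.html';   # looks like a filename
my $term_meta  = '.*';           # regex metacharacters

# Exposed form: the caller's string is compiled as a regular expression,
# so every metacharacter it contains reaches the regex compiler. This is
# the usage the advisory's note describes as dangerous.
sub match_as_pattern {
    my ($text, $pattern) = @_;
    return ($text =~ /$pattern/) ? 1 : 0;
}

# Safer form when the input is meant as a search string rather than a
# pattern: \Q...\E (quotemeta) escapes every metacharacter, so the compiler
# only ever sees a fixed literal and the input cannot shape the pattern.
sub match_as_literal {
    my ($text, $literal) = @_;
    return ($text =~ /\Q$literal\E/) ? 1 : 0;
}

# Both forms agree on ordinary text ...
printf "'%s' as pattern: %d, as literal: %d\n",
    $term_plain,
    match_as_pattern($log_line, $term_plain),   # 1
    match_as_literal($log_line, $term_plain);   # 1

# ... but diverge as soon as the input carries regex syntax: '.*' matches
# anything when compiled, and matches nothing here when taken literally.
printf "'%s' as pattern: %d, as literal: %d\n",
    $term_meta,
    match_as_pattern($log_line, $term_meta),    # 1
    match_as_literal($log_line, $term_meta);    # 0
```

For a Debian system the practical check is the package audit: `dpkg -l perl` shows the installed version, and the report above is closed by 5.30.3-1 in unstable, with stable and oldstable expected to follow via point releases.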
--- Begin Message ---
Source: perl
Source-Version: 5.30.3-1
Done: Dominic Hargreaves <d...@earth.li>

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 962...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Jun 2020 22:23:43 +0100
Source: perl
Architecture: source
Version: 5.30.3-1
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Closes: 958721 962005
Changes:
 perl (5.30.3-1) unstable; urgency=medium
 .
   [ Dominic Hargreaves ]
   * Update perlbug to no longer email deprecated bug address
     (Closes: #958721)
 .
   [ Niko Tyni ]
   * Update the build system to debhelper compatibility level 13.
 .
   [ Dominic Hargreaves ]
   * Update to new upstream version (Closes: #962005)
     + [SECURITY] CVE-2020-10543: Buffer overflow caused by a crafted
       regular expression
     + [SECURITY] CVE-2020-10878: Integer overflow via malformed bytecode
       produced by a crafted regular expression
     + [SECURITY] CVE-2020-12723: Buffer overflow caused by a crafted
       regular expression
Checksums-Sha1:
 80bd9c2b4bc8668a939e47d017d1cd5bf8ce281d 2868 perl_5.30.3-1.dsc
 8998cffbb866af0e302baa62949cfba37006fc0d 870970 perl_5.30.3.orig-regen-configure.tar.gz
 1003c6aa71d8966501038178459a9fa4e9aba747 12375128 perl_5.30.3.orig.tar.xz
 757232902de5dbdd448f30db931ec38a3d519c47 167112 perl_5.30.3-1.debian.tar.xz
 1d0be8d1b255a2a703842be7550931317db54174 5902 perl_5.30.3-1_source.buildinfo
Checksums-Sha256:
 56df312974f79a78cb31776238863c6787e7c3d8c1b8753eae1a4f1a193c9132 2868 perl_5.30.3-1.dsc
 99174174fbfc550f801076ab8a1a5831c92f75c1b81e553150351f14a111dcf8 870970 perl_5.30.3.orig-regen-configure.tar.gz
 6967595f2e3f3a94544c35152f9a25e0cb8ea24ae45f4bf1882f2e33f4a400f4 12375128 perl_5.30.3.orig.tar.xz
 d14cdea07729b5b135494d1cebafd5728d8b65be13ff49d483c543f164086684 167112 perl_5.30.3-1.debian.tar.xz
 295dd559cf735bdb106ec22b5c67d1956ee7aa7b7eeaac97aee3274823f40b2e 5902 perl_5.30.3-1_source.buildinfo
Files:
 dabfcf04a8357451a1fcc19b25896539 2868 perl standard perl_5.30.3-1.dsc
 0311edd9e01c1ae4101df137f13bd2f0 870970 perl standard perl_5.30.3.orig-regen-configure.tar.gz
 0af2ab0f01ec13e37cc13a27de930936 12375128 perl standard perl_5.30.3.orig.tar.xz
 e2a9d60958fd1b8661bd3081b63b08e6 167112 perl standard perl_5.30.3-1.debian.tar.xz
 80db2e26eaf9224781d0f26262a2878b 5902 perl standard perl_5.30.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
