Your message dated Wed, 29 Nov 2023 22:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1056746: fixed in perl 5.36.0-7+deb12u1
has caused the Debian Bug report #1056746,
regarding perl: CVE-2023-47038: Write past buffer end via illegal user-defined Unicode property
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1056746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl
Version: 5.30.0-1
Severity: important
Tags: security patch fixed-upstream bullseye bookworm trixie
X-Debbugs-Cc: [email protected]

Perl upstream released 5.34.2, 5.36.2 and 5.38.1 today with coordinated
fixes for two security issues. One of these (CVE-2023-47039) is specific
to Windows, but the other one (CVE-2023-47038) concerns us.

We discussed this earlier with Salvatore from the security team and
decided that CVE-2023-47038 is non-DSA like other "crafted regular
expression crashes" we've handled in the past. It will hence be fixed
via point releases for stable and oldstable.

CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property

A test case is

  perl -e 'qr/\p{utf8::_perl_surrogate}/'

which crashes on oldstable (bullseye, 5.32), stable (bookworm, 5.36),
unstable / testing (5.36) and experimental (5.38).

The issue was introduced in the 5.30 cycle, so LTS (buster, 5.28) is
not affected.

The upstream fixes are at

  5.34 https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
  5.36 https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
  5.38 https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb29999a5a5219be664

The 5.34 fix applies to 5.32 as well.

I'll start with sid/trixie and handle the *stable updates after that,
mainly targeting the next bookworm point update on 2023-12-09 as per

  https://lists.debian.org/debian-project/2023/11/msg00003.html

For experimental/5.38, I intend to push 5.38.1 instead of cherry-picking
the patch.
-- 
Niko Tyni   [email protected]

--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.36.0-7+deb12u1
Done: Niko Tyni <[email protected]>

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Nov 2023 22:59:54 +0200
Source: perl
Architecture: source
Version: 5.36.0-7+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Niko Tyni <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Closes: 1056746
Changes:
 perl (5.36.0-7+deb12u1) bookworm; urgency=medium
 .
   * [SECURITY] CVE-2023-47038: Write past buffer end via illegal
     user-defined Unicode property. (Closes: #1056746)
Checksums-Sha1:
 0da52776dc6cc0b31b1e6deb04539ad06ff5f94f 2918 perl_5.36.0-7+deb12u1.dsc
 7f59052b20e059d2fd0f89c95e27dd20fd7fc355 171136 perl_5.36.0-7+deb12u1.debian.tar.xz
 d1a5353e41b62db94adc57b062db04c38a831883 6270 perl_5.36.0-7+deb12u1_source.buildinfo
Checksums-Sha256:
 26ddac979ddb41229abc97b19fc2e97cdd840fe1a315e8f829ae1aeb0a1d05c5 2918 perl_5.36.0-7+deb12u1.dsc
 e5680de573f95b990cf995a7189c167281785cc49589c43874736e4b8b3c9e2f 171136 perl_5.36.0-7+deb12u1.debian.tar.xz
 58038ebd5511a4dc79d640f802b8e2a7c621228c3f4081ce79eed42e502a634d 6270 perl_5.36.0-7+deb12u1_source.buildinfo
Files:
 5e4e3995839e27e32231e005d817123a 2918 perl standard perl_5.36.0-7+deb12u1.dsc
 3489ac3a413030d41698911e79d911b4 171136 perl standard perl_5.36.0-7+deb12u1.debian.tar.xz
 f62855f19a8cefd21566484c331aded2 6270 perl standard perl_5.36.0-7+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
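The .changes stanza in the message above publishes a size and a SHA-1, SHA-256 and MD5 digest for each uploaded source file, in the Debian control-file layout where a multi-line field's entries are continuation lines that begin with a single space. The following is an added example, not code from the message or from Debian's tooling: a parser for the `Checksums-Sha256` field and a verifier that reports, per listed file, whether local data matches. The file contents and the stanza it checks are constructed for the example (the real source files are not embedded, so the real digests from the message are not reproduced); the stanza deliberately includes one correct entry, one entry with a wrong digest, and one file that is absent locally, so all three failure paths are exercised.

```python
"""Verify downloaded Debian source files against a .changes stanza.

Added example, not part of the bug report or of Debian's tooling. It
parses the multi-line Checksums-Sha256 field in the .changes layout shown
above (continuation lines start with a single space) and compares each
listed file's size and SHA-256 digest against local data.
"""
import hashlib
import hmac

# Constructed stand-ins for the files a .changes file describes.
SAMPLE_FILES = {
    "perl_5.36.0-7+deb12u1.dsc": b"Format: 3.0 (quilt)\nSource: perl\n",
    "perl_5.36.0-7+deb12u1.debian.tar.xz": b"\xfd7zXZ\x00 constructed tarball stand-in",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stanza in the same layout as the message above. The .dsc
# entry is correct, the tarball entry carries a deliberately wrong digest
# (all zeros), and the .buildinfo file is not present locally at all.
SAMPLE_CHANGES = (
    "Format: 1.8\n"
    "Source: perl\n"
    "Version: 5.36.0-7+deb12u1\n"
    "Checksums-Sha256:\n"
    f" {sha256_hex(SAMPLE_FILES['perl_5.36.0-7+deb12u1.dsc'])}"
    f" {len(SAMPLE_FILES['perl_5.36.0-7+deb12u1.dsc'])} perl_5.36.0-7+deb12u1.dsc\n"
    f" {'0' * 64} {len(SAMPLE_FILES['perl_5.36.0-7+deb12u1.debian.tar.xz'])}"
    " perl_5.36.0-7+deb12u1.debian.tar.xz\n"
    f" {'1' * 64} 6270 perl_5.36.0-7+deb12u1_source.buildinfo\n"
    "Files:\n"
    " 00000000000000000000000000000000 0 perl standard placeholder.dsc\n"
)


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return [(digest, size, filename), ...] from one checksum field.

    The value on the header line is empty; each following line that starts
    with whitespace is one entry, and the first non-indented line ends the
    field (so the entries of the Files: field are not picked up).
    """
    entries = []
    in_field = False
    for line in changes_text.splitlines():
        if in_field:
            if not line[:1].isspace():
                break
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed checksum entry: {line!r}")
            digest, size, name = parts
            entries.append((digest.lower(), int(size), name))
        elif line.split(":", 1)[0] == field:
            in_field = True
    return entries


def verify_files(changes_text, files):
    """Map each listed filename to 'ok', 'missing', 'size-mismatch' or 'hash-mismatch'."""
    results = {}
    for digest, size, name in parse_checksums(changes_text):
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"     # cheap check before hashing
        elif not hmac.compare_digest(sha256_hex(data), digest):
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    for name, status in verify_files(SAMPLE_CHANGES, SAMPLE_FILES).items():
        print(f"{status:14} {name}")
```

A digest match proves only that the local files are the ones the stanza describes; trust in the stanza itself comes from the PGP signature over the .changes file, so verify that signature first and prefer the SHA-256 field over the MD5 digests in `Files:`.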
