Your message dated Thu, 30 Nov 2023 20:52:39 +0000
with message-id <[email protected]>
and subject line Bug#1056746: fixed in perl 5.38.2-1
has caused the Debian Bug report #1056746,
regarding perl: CVE-2023-47038: Write past buffer end via illegal user-defined Unicode property
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1056746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl
Version: 5.30.0-1
Severity: important
Tags: security patch fixed-upstream bullseye bookworm trixie
X-Debbugs-Cc: [email protected]
Perl upstream released 5.34.2, 5.36.2 and 5.38.1 today with coordinated
fixes for two security issues. One of these (CVE-2023-47039) is specific
to Windows, but the other one (CVE-2023-47038) concerns us.
We discussed this earlier with Salvatore from the security team and
decided that CVE-2023-47038 is non-DSA like other "crafted regular
expression crashes" we've handled in the past. It will hence be fixed
via point releases for stable and oldstable.
CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property
A test case is
perl -e 'qr/\p{utf8::_perl_surrogate}/'
which crashes on oldstable (bullseye, 5.32), stable (bookworm, 5.36),
unstable / testing (5.36) and experimental (5.38).
The issue was introduced in the 5.30 cycle, so LTS (buster, 5.28) is
not affected.
The upstream fixes are at
5.34
https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
5.36
https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
5.38
https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb29999a5a5219be664
The 5.34 fix applies to 5.32 as well.
I'll start with sid/trixie and handle the *stable updates after that,
mainly targeting next bookworm point update on 2023-12-09 as per
https://lists.debian.org/debian-project/2023/11/msg00003.html
For experimental/5.38, I intend to push 5.38.1 instead of cherry
picking the patch.
--
Niko Tyni [email protected]
--- End Message ---
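Triage helper for the report above, added here as an example; it is not part of the Debian bug report, the perl package or the upstream fix. It encodes the version facts the report states (bug introduced in the 5.30 cycle; upstream fixes in 5.34.2, 5.36.2 and 5.38.1; no upstream point release for 5.30/5.32), runs the reporter's one-line test case in a child process and classifies a signal death as a crash, and, as a Debian-specific extra, greps the package changelog for the CVE id, because distribution backports fix the bug without bumping the upstream version. The changelog path, the treatment of stable series newer than 5.38 as fixed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper for CVE-2023-47038 (perl: write past buffer end via an
# illegal user-defined Unicode property).  Example code written for this page;
# not part of the Debian bug report or of the perl package.

# Upstream releases carrying the fix, as stated in the report: 5.34.2, 5.36.2,
# 5.38.1.  The 5.30 and 5.32 series got no upstream point release (the 5.34
# patch applies to 5.32); anything before 5.30.0 predates the bug.
#
# affected_upstream VERSION -> prints "yes", "no" or "unknown"
# VERSION is "5.36.0" or "v5.36.0" (the form printed by `perl -e 'print $^V'`).
affected_upstream() {
    set -- $(printf '%s\n' "${1#v}" | tr . ' ')   # split into major minor patch
    maj=$1; min=$2; pat=${3:-0}
    for f in "$maj" "$min" "$pat"; do
        case "$f" in ''|*[!0-9]*) echo unknown; return ;; esac   # not a dotted numeric version
    done
    case "$maj.$min" in
        5.30|5.32) echo yes ;;                                   # no upstream release with the fix
        5.34) if [ "$pat" -ge 2 ]; then echo no; else echo yes; fi ;;
        5.36) if [ "$pat" -ge 2 ]; then echo no; else echo yes; fi ;;
        5.38) if [ "$pat" -ge 1 ]; then echo no; else echo yes; fi ;;
        *)
            if [ "$maj" -ne 5 ]; then
                echo unknown
            elif [ "$min" -lt 30 ]; then
                echo no                     # predates the 5.30 cycle that introduced the bug
            elif [ $((min % 2)) -eq 1 ]; then
                echo unknown                # development (odd-numbered) series: not covered by the report
            else
                echo no                     # assumption: stable series after 5.38 ship the fix
            fi ;;
    esac
}

# probe_runtime -> prints "crash", "clean" or "noperl"
# Runs the reporter's test case in a child process.  An exit status >= 128
# means the child died from a signal (SIGSEGV/SIGABRT on a crashing build);
# a die() from a fixed perl exits 255 and counts as clean.
probe_runtime() {
    if ! command -v perl >/dev/null 2>&1; then echo noperl; return; fi
    if perl -e 'qr/\p{utf8::_perl_surrogate}/' >/dev/null 2>&1; then st=0; else st=$?; fi
    if [ "$st" -ge 128 ]; then echo crash; else echo clean; fi
}

# Distribution packages backport the patch without bumping the upstream
# version (the report says bullseye/bookworm get it via point releases), so
# a version verdict of "yes" is only a lead.  On Debian the package changelog
# records the CVE id; the path below is an assumption, adjust elsewhere.
debian_changelog_has_fix() {
    f=/usr/share/doc/perl/changelog.Debian.gz
    if [ -r "$f" ] && zcat "$f" 2>/dev/null | grep -q CVE-2023-47038; then
        echo yes
    else
        echo no
    fi
}

report() {
    ver=$(perl -e 'print $^V' 2>/dev/null) || ver=unavailable
    echo "perl version:        $ver"
    echo "upstream affected:   $(affected_upstream "$ver")"
    echo "debian changelog:    $(debian_changelog_has_fix)"
    echo "runtime probe:       $(probe_runtime)"
}

report
```

Read the three lines together: "upstream affected: yes" with "debian changelog: yes" is the normal state of a patched stable package, and "runtime probe: clean" on its own proves nothing, since an out-of-bounds write is not guaranteed to fault on every build. Only run the probe on a host where a crashing perl process is acceptable.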
--- Begin Message ---
Source: perl
Source-Version: 5.38.2-1
Done: Niko Tyni <[email protected]>
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 30 Nov 2023 20:28:47 +0200
Source: perl
Architecture: source
Version: 5.38.2-1
Distribution: experimental
Urgency: medium
Maintainer: Niko Tyni <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Closes: 1051427 1055109 1056746
Changes:
perl (5.38.2-1) experimental; urgency=medium
.
* Update to new upstream version 5.38.2.
+ [SECURITY] CVE-2023-47038: Write past buffer end via illegal
user-defined Unicode property. (Closes: #1056746)
* Restore optimization level of op.c and opmini.c on hppa and sh4.
Many thanks to John David Anglin. (Closes: #1055109)
* Build depend on libc6-dev (>= 2.37-8) on ppc64el for correct F_GETLK
et al. (See #1050592)
* Explicitly do not use strlcpy and strlcat from glibc 2.38 to keep
libperl5.38 symbols stable. (Closes: #1051427)
Checksums-Sha1:
d808207fdbb42f594fe3f25b42cf0535944e5ba6 2933 perl_5.38.2-1.dsc
0b5d76399e77b21ce892cd38f4a63703628ce896 418808 perl_5.38.2.orig-regen-configure.tar.xz
af1d5f9e0499f3cfa4736433631aebf7624714da 13679524 perl_5.38.2.orig.tar.xz
ccea4d87c1506daebe673c7e39aaf640de07465e 165496 perl_5.38.2-1.debian.tar.xz
261a5bb3fa46820f2b2b61607646d9a6a6e038dc 6238 perl_5.38.2-1_source.buildinfo
Checksums-Sha256:
4603d34507fe493fd4f549c409e97113f226631d8b052e6dfabdb862e156b751 2933 perl_5.38.2-1.dsc
4d1b34cc058f9963cb89785ecc040d57f6d7725cd83329cfa4ef8b27566454d2 418808 perl_5.38.2.orig-regen-configure.tar.xz
d91115e90b896520e83d4de6b52f8254ef2b70a8d545ffab33200ea9f1cf29e8 13679524 perl_5.38.2.orig.tar.xz
d0757268043ecd9424ad2bd16eece8a12482fc0bf74cc6f4ad1cab5e3febc87b 165496 perl_5.38.2-1.debian.tar.xz
5c42c25041de4a46623236500b7e07a11e4519e491ca883cffb437f1593a3e03 6238 perl_5.38.2-1_source.buildinfo
Files:
ba5878793f7cc1c878e2a4d76382bca9 2933 perl standard perl_5.38.2-1.dsc
139d4ab28a90409790d01ec7a38b6858 418808 perl standard perl_5.38.2.orig-regen-configure.tar.xz
d3957d75042918a23ec0abac4a2b7e0a 13679524 perl standard perl_5.38.2.orig.tar.xz
56630ee7524b9b73b86c192ca9f2dbf7 165496 perl standard perl_5.38.2-1.debian.tar.xz
90be53110b5a5822dfc0b35cfa800f15 6238 perl standard perl_5.38.2-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---