Your message dated Mon, 18 Dec 2023 18:32:45 +0000
with message-id <[email protected]>
and subject line Bug#1056746: fixed in perl 5.32.1-4+deb11u3
has caused the Debian Bug report #1056746,
regarding perl: CVE-2023-47038: Write past buffer end via illegal user-defined
Unicode property
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1056746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl
Version: 5.30.0-1
Severity: important
Tags: security patch fixed-upstream bullseye bookworm trixie
X-Debbugs-Cc: [email protected]
Perl upstream released 5.34.2, 5.36.2 and 5.38.1 today with coordinated
fixes for two security issues. One of these (CVE-2023-47039) is specific
to Windows, but the other one (CVE-2023-47038) concerns us.
We discussed this earlier with Salvatore from the security team and
decided that CVE-2023-47038 is non-DSA like other "crafted regular
expression crashes" we've handled in the past. It will hence be fixed
via point releases for stable and oldstable.
CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property
A test case is
perl -e 'qr/\p{utf8::_perl_surrogate}/'
which crashes on oldstable (bullseye, 5.32), stable (bookworm, 5.36),
unstable / testing (5.36) and experimental (5.38).
The issue was introduced in the 5.30 cycle, so LTS (buster, 5.28) is
not affected.
The upstream fixes are at
5.34
https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
5.36
https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
5.38
https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb29999a5a5219be664
The 5.34 fix applies to 5.32 as well.
I'll start with sid/trixie and handle the *stable updates after that,
mainly targeting next bookworm point update on 2023-12-09 as per
https://lists.debian.org/debian-project/2023/11/msg00003.html
For experimental/5.38, I intend to push 5.38.1 instead of cherry
picking the patch.
--
Niko Tyni [email protected]
--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.32.1-4+deb11u3
Done: Niko Tyni <[email protected]>
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 25 Nov 2023 23:03:14 +0200
Source: perl
Architecture: source
Version: 5.32.1-4+deb11u3
Distribution: bullseye
Urgency: medium
Maintainer: Niko Tyni <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Closes: 1056746
Changes:
perl (5.32.1-4+deb11u3) bullseye; urgency=medium
.
* [SECURITY] CVE-2023-47038: Write past buffer end via illegal
user-defined Unicode property. (Closes: #1056746)
Checksums-Sha1:
39a611fa4ceaf00ab4f805dbc3917baab5723446 2918 perl_5.32.1-4+deb11u3.dsc
335383a549989bcc89b727b7ab6731e5e03425b3 167388 perl_5.32.1-4+deb11u3.debian.tar.xz
f9eb23047178f2c0797b7c7ea829d6e49dc9694d 6270 perl_5.32.1-4+deb11u3_source.buildinfo
Checksums-Sha256:
75699317b7e2865de39e86fb53f630669fd6e5904c8526699e8a01af98d56e6d 2918 perl_5.32.1-4+deb11u3.dsc
a875b28e158180906d77df06dea08b8e724f91b31249fe7d205fc3f2cb520ddf 167388 perl_5.32.1-4+deb11u3.debian.tar.xz
fd60dc97113bab88fc091c5be58273ef0241a7d728523380d93b6b9b0d836793 6270 perl_5.32.1-4+deb11u3_source.buildinfo
Files:
9c03a8f7f3ef27d2580759d398b07a2d 2918 perl standard perl_5.32.1-4+deb11u3.dsc
741773ddb9b9d629e197e4d81c3f4f9f 167388 perl standard perl_5.32.1-4+deb11u3.debian.tar.xz
423c9fa8bdd73ac889d5bc3fa9e7e9db 6270 perl standard perl_5.32.1-4+deb11u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=AGz9
-----END PGP SIGNATURE-----
--- End Message ---