On Wed, Aug 10, 2011 at 06:52:43PM +0100, Dominic Hargreaves wrote:
> Encode 2.44 has been released with the following change:
>
> ! Unicode/Unicode.xs
> Addressed the following:
> Date: Fri, 22 Jul 2011 13:58:43 +0200
> From: Robert Zacek <za...@avast.com>
> To: perl5-security-rep...@perl.org
> Subject: Unicode.xs!decode_xs n-byte heap-overflow
>
> This has been fixed in libencode-perl 2.44-1; it probably also needs
> fixing in perl.
>
> The relevant patch appears to be
>
> <http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5>
>
> I haven't seen any further details about this one, but setting severity
> to grave for now.

Now fixed in experimental, sid, and wheezy. Fix prepared for squeeze in git
(http://anonscm.debian.org/gitweb/?p=perl/perl-squeeze.git). Awaiting more
information from upstream about the issue before considering a DSA.

The code in lenny is completely different, and I don't feel qualified
to say whether the issue exists there.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)