https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225
--- Comment #4 from Mark Martinec <[email protected]> 2009-10-23 15:59:52 UTC ---

> Affects only perl-5.10.1, but apparently not perl-5.8.0, perl-5.8.5,
> perl-5.8.8, perl-5.10.0.

Thanks for investigating with other versions.

> http://www.openwall.com/lists/oss-security/2009/10/23/9
> CVE-2009-3627 HTML-Parser-3.63
> All versions prior to HTML::Parser 3.63 are affected.
>
> Mark Martinec reported a denial of service flaw (infinite loop),
> present in HTML-Parser in versions prior to 3.63, while parsing
> HTML entity with invalid UTF-8 character.

Just to make it clear, so they are not confused: there are two independent problems here.

1. The crashing flaw is in a perl 5.10.1 regex evaluation, which is being investigated. A problem in HTML::Parser facilitates triggering that perl bug, but that perl crash could occur even with a fixed HTML::Parser (it just needs more malicious mail text), or even without that module;

2. Jan iankko Lieskovsky of the Red Hat Security Response Team discovered that the HTML::Parser bug could itself cause an infinite loop, regardless of the perl regexp bug.
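The comment above separates a perl regex crash from an HTML::Parser infinite loop (CVE-2009-3627, fixed in HTML-Parser 3.63). For an operator who cannot immediately upgrade, the practical defence against a parser that never returns is to refuse to run with a known-vulnerable version and to do entity decoding in a child process that is killed on timeout. The following Perl script is an added example written for this page; it is not code from the bug report, from SpamAssassin, or from HTML-Parser. The `3.63` threshold comes from the comment; the sample input, the function names and the 5-second default are constructed assumptions. It uses a forked child rather than a plain `alarm` in-process because HTML::Parser's decoder is XS code, and Perl's deferred ("safe") signals do not interrupt a loop inside XS.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Parser;                         # provides the version we gate on
use HTML::Entities qw(decode_entities);   # ships with HTML-Parser
use Encode qw(encode_utf8 decode_utf8);

# Fixed version named in the bug comment above (CVE-2009-3627).
my $MIN_HTML_PARSER = 3.63;

# Returns true when the installed HTML::Parser is at or above the fixed release.
sub html_parser_is_fixed {
    my $v = HTML::Parser->VERSION;   # e.g. "3.63"; numeric comparison is fine
    return $v >= $MIN_HTML_PARSER;
}

# Decode HTML entities in a child process under a wall-clock limit.
# Returns ($decoded, undef) on success or (undef, $error) on timeout/failure,
# so an input that makes the decoder spin cannot hang the caller.
sub decode_entities_guarded {
    my ($text, $timeout) = @_;
    $timeout ||= 5;                       # assumed default budget in seconds

    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork;
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {                      # child: do the risky work here
        close $rd;
        print {$wr} encode_utf8(decode_entities($text));
        close $wr;
        exit 0;
    }

    close $wr;                            # parent: read with a deadline
    my $out       = '';
    my $timed_out = 0;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        local $/;                         # slurp everything the child writes
        $out = <$rd>;
        alarm 0;
        1;
    } or do {
        alarm 0;
        kill 'KILL', $pid;                # reap a child that never returned
        $timed_out = 1;
    };
    waitpid $pid, 0;
    close $rd;

    return (undef, "entity decoder killed after ${timeout}s") if $timed_out;
    return (undef, "entity decoder exited with status " . ($? >> 8)) if $?;
    return (decode_utf8($out // ''), undef);
}

# Constructed, benign sample input (not a trigger for the bug).
my $sample = 'Tom &amp; Jerry &lt;3 &#x263A;';

if (!html_parser_is_fixed()) {
    printf STDERR "HTML::Parser %s is older than %s; refusing to parse untrusted mail\n",
        HTML::Parser->VERSION, $MIN_HTML_PARSER;
    exit 2;
}

my ($decoded, $err) = decode_entities_guarded($sample, 5);
if (defined $err) {
    print STDERR "decode failed: $err\n";
    exit 1;
}
binmode STDOUT, ':encoding(UTF-8)';
print "$decoded\n";    # expected: Tom & Jerry <3 followed by the smiley character
```

The version gate is the real fix (upgrade to 3.63 or later); the forked guard is defence in depth for the window before that upgrade lands, and the same pattern applies to any XS-backed parser fed attacker-controlled mail bodies.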
