Bug#552291: CVE-2009-3626: DoS in Unicode processing

2009-10-25 Thread Moritz Muehlenhoff
Package: perl
Version: 5.10.1-5
Severity: grave
Tags: security

Quoting a posting from Jan Lieskovsky/Red Hat to oss-security.
I've verified that Etch and Lenny are not affected.

Cheers,
Moritz


Hello Steve, vendors,

  Mark Martinec reported a Perl crash while processing a UTF-8 character
with a large and invalid codepoint.

References:
--
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225 (original source)
http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973 (perl bug)
http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/ (PoC)

Affected versions:
--
I have checked that Perl versions perl-5.8.0, perl-5.8.5, perl-5.8.8 and perl-5.10.0
are not vulnerable to this flaw.

Issue was confirmed in Perl of version perl-5.10.1, as available at:

http://www.cpan.org/src/perl-5.10.1.tar.gz

CVE identifier:
---
The CVE identifier CVE-2009-3626 has already been assigned to this issue.
---



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages perl depends on:
ii  libbz2-1.0     1.0.5-3            high-quality block-sorting file co
ii  libc6          2.9-27             GNU C Library: Shared libraries
ii  libdb4.7       4.7.25-8           Berkeley v4.7 Database Libraries [
ii  libgdbm3       1.8.3-6+b1         GNU dbm database routines (runtime
ii  perl-base      5.10.1-5           minimal Perl system
ii  perl-modules   5.10.1-5           Core Perl modules
ii  zlib1g         1:1.2.3.3.dfsg-15  compression library - runtime

Versions of packages perl recommends:
ii  make      3.81-6   An utility for Directing compilati
ii  netbase   4.37     Basic TCP/IP networking system

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | l   none       (no description available)
ii  perl-doc                        5.10.1-5   Perl documentation

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#552291: CVE-2009-3626: DoS in Unicode processing

2009-10-25 Thread Eugene V. Lyubimkin
package perl perl-base
reassign 552291 perl-base
found 552291 perl-base/5.10.1-5
tags 552291 + confirmed upstream
thanks

Moritz Muehlenhoff wrote:
> Package: perl
> Version: 5.10.1-5
> Severity: grave
> Tags: security
>
> Quoting a posting from Jan Lieskovsky/Red Hat to oss-security.
> I've verified that Etch and Lenny are not affected.

Thanks for the report. An upstream fix is not yet available, waiting for it.

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
C++/Perl developer, Debian Developer





Processed: Re: Bug#552291: CVE-2009-3626: DoS in Unicode processing

2009-10-25 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package perl perl-base
Limiting to bugs with field 'package' containing at least one of 'perl', 
'perl-base'
Limit currently set to 'package':'perl', 'perl-base'

> reassign 552291 perl-base
Bug #552291 [perl] CVE-2009-3626: DoS in Unicode processing
Bug reassigned from package 'perl' to 'perl-base'.
Bug No longer marked as found in versions perl/5.10.1-5.
> found 552291 perl-base/5.10.1-5
Bug #552291 [perl-base] CVE-2009-3626: DoS in Unicode processing
The source perl-base and version 5.10.1-5 do not appear to match any binary 
packages
Bug Marked as found in versions perl-base/5.10.1-5.
> tags 552291 + confirmed upstream
Bug #552291 [perl-base] CVE-2009-3626: DoS in Unicode processing
Added tag(s) upstream and confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
