Bug#637376: perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow
Dominic Hargreaves
dom at earth.li
Tue Aug 16 23:32:55 UTC 2011
On Wed, Aug 10, 2011 at 06:52:43PM +0100, Dominic Hargreaves wrote:
> Encode 2.44 has been released with the following change:
>
> ! Unicode/Unicode.xs
> Addressed the following:
> Date: Fri, 22 Jul 2011 13:58:43 +0200
> From: Robert Zacek <zacek at avast.com>
> To: perl5-security-report at perl.org
> Subject: Unicode.xs!decode_xs n-byte heap-overflow
>
> This has been fixed in libencode-perl 2.44-1; it probably also needs
> fixing in perl.
>
> The relevant patch appears to be
>
> <http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5>
>
> I haven't seen any further details about this one, but setting severity
> to grave for now.
Now fixed in experimental, sid, and wheezy. Fix prepared for squeeze
in git (http://anonscm.debian.org/gitweb/?p=perl/perl-squeeze.git).
Awaiting more information from upstream about the issue before
considering a DSA.

The code in lenny is completely different, and I don't feel qualified
to say whether the issue exists there.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)