Bug#637376: perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow

Niko Tyni ntyni at debian.org
Sun Aug 21 15:52:28 UTC 2011


retitle 637376 perl: [CVE-2011-2939] Encode security: Unicode.xs!decode_xs n-byte heap-overflow
thanks

On Wed, Aug 10, 2011 at 06:52:43PM +0100, Dominic Hargreaves wrote:
> Package: perl
> Version: 5.12.4-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Encode 2.44 has been released with the following change:
> 
> ! Unicode/Unicode.xs
>   Addressed the following:
>     Date: Fri, 22 Jul 2011 13:58:43 +0200
>     From: Robert Zacek <zacek at avast.com>
>     To: perl5-security-report at perl.org
>     Subject: Unicode.xs!decode_xs n-byte heap-overflow

> I haven't seen any further details about this one, but setting severity
> to grave for now.

Quoting Josh Bressers in
 http://www.openwall.com/lists/oss-security/2011/08/19/17

>   I'm going to assign this CVE-2011-2939. It looks like a single byte
>   overflow. It's probably not exploitable (even as a DoS), but to play it
>   safe, I'm assigning this ID.

-- 
Niko Tyni   ntyni at debian.org
