Bug#631529: Missing fix for CVE-2010-1447

Dominic Hargreaves dom at earth.li
Mon Jun 27 21:27:31 UTC 2011


On Mon, Jun 27, 2011 at 07:01:24PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Jun 26, 2011 at 08:49:12AM +0300, Niko Tyni wrote:
> > On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote:
> > > On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: perl
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > Hi Perl maintainers,
> > > > it turns out that CVE-2010-1447 is still missing in Lenny and
> > > > Squeeze. It was originally attributed to Postgres, but it
> > > > was later found out that Perl is affected as well.
> > > > 
> > > > The attached patch is still needed in both Lenny and Squeeze.
> > > 
> > > Thanks for pointing this out. I'll verify the patch and prepare packages;
> > > do you want them uploaded to security-master ASAP?
> > 
> > Please note that this is probably going to break libpetal-perl and no
> > fix is available. See #582805.
> 
> But this software must've already been broken with the initial Safe.pm fix for
> Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)

I don't think so, no. libpetal-perl builds okay for me on squeeze.
The referenced bug mentions the change in 2.27:

    - Wrap coderefs returned by reval() and rdo()

(the change we're applying in this bug).

I think the opinion of the perl maintainers is that we shouldn't worry
about that package too much, but I guess that's a call for the security
team.

squeeze packages fixing this bug are ready to upload; lenny packages 
need a little more work to get the tests passing again.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)






More information about the Perl-maintainers mailing list