Bug#698174: perl: double-free in load subroutine for Digest::SHA

Salvatore Bonaccorso carnil at debian.org
Wed Jan 16 06:33:19 UTC 2013


Hi Dominic

On Tue, Jan 15, 2013 at 11:26:09PM +0000, Dominic Hargreaves wrote:
> On Mon, Jan 14, 2013 at 09:46:55PM +0100, Salvatore Bonaccorso wrote:
> > Upload of Digest::SHA 5.81 mentions the following:
> > 
> > 5.81  Mon Jan 14 05:17:08 MST 2013
> > 	- corrected load subroutine (SHA.pm) to prevent double-free
> > 		-- Bug #82655: Security issue - segfault
> > 		-- thanks to Victor Efimov and Nicholas Clark
> > 			for technical expertise and suggestions
> > 
> > Upstream bug report is [1] and it was also sent to the
> > perl5-security-report at perl.org list.
> > 
> >  [1]: https://rt.cpan.org/Ticket/Display.html?id=82655
> 
> The view so far appears to be that this is not exploitable:
> 
> http://seclists.org/oss-sec/2013/q1/88

Yes, I have seen. I think at this stage we can remove the security tag
for #698174 (and #698172).

Regards,
Salvatore




More information about the Perl-maintainers mailing list