Bug#1102984: unblock/preapproval: perl/5.40.1-3 CVE-2024-56406

Niko Tyni ntyni at debian.org
Sun Apr 13 14:32:41 BST 2025


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: perl at packages.debian.org, perl at packages.debian.org
Control: affects -1 + src:perl

Hi, please pre-approve the attached one-line security fix for sid/trixie
for CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a
heap buffer overflow when transliterating non-ASCII bytes.

  https://lists.security.metacpan.org/cve-announce/msg/28708725/

A DSA update for bookworm is already uploaded and being processed by
the security team.

Thanks for your work,
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
diff -Nru perl-5.40.1/debian/changelog perl-5.40.1/debian/changelog
--- perl-5.40.1/debian/changelog	2025-02-16 17:16:32.000000000 +0200
+++ perl-5.40.1/debian/changelog	2025-04-12 18:34:34.000000000 +0300
@@ -1,3 +1,9 @@
+perl (5.40.1-3) unstable; urgency=high
+
+  * [SECURITY] CVE-2024-56406: Fix heap-buffer-overflow with tr//
+
+ -- Niko Tyni <ntyni at debian.org>  Sat, 12 Apr 2025 18:34:34 +0300
+
 perl (5.40.1-2) unstable; urgency=medium
 
   * Refresh cross support files with 5.40.1-1 results.
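Review bot: the changelog entry names the CVE but not the upstream commit it cherry-picks (f93109c8a6950aafbd7488d98e112552033a3686 per the embedded patch header), so the trail from changelog to upstream fix runs only through the patch file; consider adding the upstream commit or the advisory URL to the entry. urgency=high is appropriate for a security-only upload.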
diff -Nru perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff
--- perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff	1970-01-01 02:00:00.000000000 +0200
+++ perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff	2025-04-12 18:34:34.000000000 +0300
@@ -0,0 +1,31 @@
+From: Karl Williamson <khw at cpan.org>
+Date: Wed, 18 Dec 2024 18:25:29 -0700
+Subject: CVE-2024-56406: Heap-buffer-overflow with tr//
+
+This was due to underallocating needed space.  If the translation forces
+something to become UTF-8 that is initially bytes, that UTF-8 could
+now require two bytes where previously a single one would do.
+
+(cherry picked from commit f93109c8a6950aafbd7488d98e112552033a3686)
+
+commit 385e8759c3ff1e7f7f996bd4ea391074d61d48c1
+Author:     Karl Williamson <khw at cpan.org>
+AuthorDate: 2024-12-18 18:25:29 -0700
+Commit:     Steve Hay <steve.m.hay at googlemail.com>
+CommitDate: 2025-03-30 11:59:51 +0100
+---
+ op.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/op.c b/op.c
+index 3fc23ec..aeee88e 100644
+--- a/op.c
++++ b/op.c
+@@ -6649,6 +6649,7 @@ S_pmtrans(pTHX_ OP *o, OP *expr, OP *repl)
+                  * same time.  But otherwise one crosses before the other */
+                 if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
+                     can_force_utf8 = TRUE;
++                    max_expansion = MAX(2, max_expansion);
+                 }
+             }
+ 
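Review bot: the embedded patch header carries From/Date/Subject and the cherry-pick source but no DEP-3 `Origin:` or `Bug:` line, so the advisory cited in the mail (https://lists.security.metacpan.org/cve-announce/msg/28708725/) and the upstream commit are not recorded in the patch itself; adding them keeps provenance with the file. On the change: `max_expansion = MAX(2, max_expansion);` is added inside the branch where a source code point below 256 maps to a replacement above 255 (`can_force_utf8 = TRUE`), which matches the description that bytes forced into UTF-8 can grow from one byte to two. The upload touches only op.c, so no regression test exercising tr/// with non-ASCII byte ranges accompanies the fix; one would be worth adding or referencing from the patch header.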
diff -Nru perl-5.40.1/debian/patches/series perl-5.40.1/debian/patches/series
--- perl-5.40.1/debian/patches/series	2025-01-19 00:25:46.000000000 +0200
+++ perl-5.40.1/debian/patches/series	2025-04-12 18:34:34.000000000 +0300
@@ -40,3 +40,4 @@
 debian/configure-regen.diff
 fixes/json-pp-options.diff
 fixes/test-harness-bailout.diff
+fixes/CVE-2024-56406.diff
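Review bot: the series line and the new file path agree (fixes/CVE-2024-56406.diff), and appending it after the existing fixes/ entries keeps the established ordering and naming; nothing to change here.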

