Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

Niko Tyni ntyni at debian.org
Fri Apr 15 20:41:02 UTC 2011


tag 622817 patch fixed-upstream
forwarded 622817 http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336
thanks

On Thu, Apr 14, 2011 at 09:45:55PM +0100, Dominic Hargreaves wrote:
> Package: perl
> Version: 5.10.1-19
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> CVE description:
> 
> The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl
> 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11,
> do not apply the taint attribute to the return value upon processing
> tainted input, which might allow context-dependent attackers to bypass
> the taint protection mechanism via a crafted string.
> 
> Upstream report: <http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336>
> Redhat bug: <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1487>
> Fix from bleadperl: <http://perl5.git.perl.org/perl.git/commitdiff/539689e74a3bcb04d29e4cd9396de91a81045b99>
> Fedora fix in 5.12: <https://bugzilla.redhat.com/show_bug.cgi?id=692900>

Security team, I assume this is going to be fixed through a DSA?

I've pushed a fix for sid (5.10.1) into our git repository and I'm
attaching the actual patch. It's slightly modified from the Fedora one
because their test script update has a glitch and doesn't actually fail
without the fix.

This is to be applied after the fixes/tainted-errno patch, so
the test counts and context differ a bit from upstream.

It should be trivial to port this to squeeze and lenny. I'll try to
prepare the debdiffs on Sunday, but if somebody else wants to do that,
feel free.

Please note that the sid fix can't currently be uploaded on its own
because of a db4.7 related problem (just filed as #622916).
-- 
Niko Tyni   ntyni at debian.org
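The laundering described in the CVE text above is easy to verify on a given perl build. The script below is an added example and is not part of the bug report, the upstream commit or the Fedora/Debian patches; the file name `check_taint_lc.pl` and the helpers `tainted_string` and `laundering_functions` are assumptions made here. It derives tainted input from file data (always tainted under `-T`), runs the four case-mapping functions on it and reports any whose result comes back untainted.

```perl
# check_taint_lc.pl  (added example; not from the bug report or the patch)
# Run as:  perl -T check_taint_lc.pl
# Exit status 0 if lc/lcfirst/uc/ucfirst preserve taint, 1 if any launders it.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Refuse to report a false "clean" result when taint mode is off:
# without -T nothing is ever tainted, so every check would pass.
die "run this under taint mode: perl -T $0\n" unless ${^TAINT};

# Build a tainted string without depending on the environment: data read
# from a file is always tainted under -T, and substr()/concatenation keep
# the flag, so an empty tainted slice turns a literal into tainted input.
sub tainted_string {
    my ($literal) = @_;
    open my $fh, '<', $0 or die "open $0: $!";
    my $line = <$fh>;
    close $fh;
    return substr($line, 0, 0) . $literal;
}

# Returns the names of the case-mapping functions whose result came back
# untainted, i.e. the laundering behaviour described in CVE-2011-1487.
# Each result is assigned to a fresh variable, the case where the taint
# flag was dropped.
sub laundering_functions {
    my $input = tainted_string('Hello, World');
    die "sanity check failed: input is not tainted\n" unless tainted($input);

    my %result = (
        lc      => lc($input),
        lcfirst => lcfirst($input),
        uc      => uc($input),
        ucfirst => ucfirst($input),
    );
    return grep { !tainted($result{$_}) } sort keys %result;
}

my @bad = laundering_functions();
if (@bad) {
    print "VULNERABLE: taint dropped by: @bad\n";
    exit 1;
}
print 'OK: lc/lcfirst/uc/ucfirst preserve taint on perl ' . $] . "\n";
exit 0;
```

A non-zero exit on an unpatched 5.10.1 and a zero exit after applying the fix is the behaviour the corrected test script in the patch is meant to capture.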