Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

Dominic Hargreaves dom at earth.li
Sat Apr 30 20:19:03 UTC 2011


On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> * Adam D. Barratt:
> 
> > I do share Florian's concern about the potential breakage as a result of
> > the change.  Do we have any idea how many packages in {old,}stable would
> > be affected and to what degree?

I don't think we have any reports of breakage -- I'm not sure how we'd
undertake a comprehensive analysis.

> > Particularly in the case of oldstable,
> > with its four month update cycle, fixing packages broken by the change
> > could be somewhat painful.
> 
> Okay, then we should release a DSA for it, so that the breakage is
> more easily blamed on this particular change, and that it's less
> confusing if we have to issue follow-up DSAs.  Perhaps late May or
> early June would be a convenient release date?

I'd be happy with that. The fix has been in unstable since 2011-04-22
(and now in testing). Bear in mind that once perl 5.12 has been
uploaded to unstable, it's quite likely that any breakage caused by this
bug will be more difficult to detect in isolation.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
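The subject of this thread is CVE-2011-1487, in which lc/uc (and lcfirst/ucfirst) returned untainted strings from tainted input, and the "breakage" the maintainers worry about is code that, knowingly or not, relied on that laundering before a taint-checked operation. The script below is an added example, not code from the bug report or from Debian's perl package: it checks whether the perl it runs under launders taint through these four functions, then shows the class of code that runs on an affected perl and dies with "Insecure dependency" once the fix is in place, next to the intended way of untainting via a validated regex capture. It assumes `PATH` is set in the environment (a zero-length substr of a tainted %ENV value is used to manufacture a tainted string), and the path `/NONEXISTENT/Example.TXT` is a constructed input chosen so that the `unlink` calls are harmless.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report or Debian's perl package):
# does this perl launder taint through lc/uc/lcfirst/ucfirst
# (CVE-2011-1487), and what breaks once it no longer does?
# Run as:  perl -T check_taint_lc.pl   (or ./check_taint_lc.pl; a plain
# "perl check_taint_lc.pl" dies with "Too late for -T option").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Build a tainted string without relying on the caller's arguments: a
# substr of a tainted %ENV value stays tainted even when it is empty.
# (Assumes PATH is set; the path string itself is a constructed input.)
my $taint_flag = substr($ENV{PATH} // '', 0, 0);
my $input      = '/NONEXISTENT/Example.TXT' . $taint_flag;
die "setup error: \$input is not tainted (is PATH set?)\n"
    unless tainted($input);

# 1. Each case-changing op must return a tainted copy of tainted input.
my %out = (
    lc      => lc($input),
    uc      => uc($input),
    lcfirst => lcfirst($input),
    ucfirst => ucfirst($input),
);
my $launders = 0;
for my $op (sort keys %out) {
    my $ok = tainted($out{$op});
    $launders++ unless $ok;
    printf "%-8s -> %-26s %s\n", $op, $out{$op},
        $ok ? 'tainted (fixed)' : 'UNTAINTED (CVE-2011-1487 present)';
}

# 2. The "breakage" discussed in the thread: code that relied on lc()
#    to launder input before a taint-checked operation. unlink on a
#    path that does not exist is harmless; the point is whether perl
#    reaches the syscall or dies with "Insecure dependency in unlink".
my $lowered = lc($input);
my $reached = eval { unlink($lowered); 1 } ? 1 : 0;
my $msg = $reached
    ? "unlink(lc(\$tainted)) was allowed: this perl launders taint\n"
    : "unlink(lc(\$tainted)) died: $@";
print $msg;

# 3. The intended way to untaint: validate against an explicit
#    allowlist and use the capture, which is never tainted. Code that
#    broke after the fix needs this step instead of lc()/uc().
my ($clean) = $input =~ m{\A([\w./-]+)\z}
    or die "input contains unexpected characters\n";
die "capture should be untainted\n" if tainted($clean);
my $ok = eval { unlink(lc($clean)); 1 };
print "unlink(lc(\$validated)) ", ($ok ? "allowed\n" : "died: $@");

# Non-zero exit if any of the four ops laundered taint.
exit($launders ? 1 : 0);
```

On an affected perl step 1 reports all four operations as UNTAINTED and step 2 is allowed through; on a fixed perl step 1 reports them tainted, step 2 dies with the "Insecure dependency" error, and only the regex-validated path in step 3 is allowed. That difference is exactly what makes breakage after the fix look like a new bug in an unrelated package, which is why the thread wants the change shipped under its own DSA.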
