Bug#637376: perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow

Dominic Hargreaves dom at earth.li
Wed Aug 10 17:52:43 UTC 2011


Package: perl
Version: 5.12.4-3
Severity: grave
Tags: security
Justification: user security hole

Encode 2.44 has been released with the following change:

! Unicode/Unicode.xs
  Addressed the following:
    Date: Fri, 22 Jul 2011 13:58:43 +0200
    From: Robert Zacek <zacek at avast.com>
    To: perl5-security-report at perl.org
    Subject: Unicode.xs!decode_xs n-byte heap-overflow

This has been fixed in libencode-perl 2.44-1; it probably also needs
fixing in perl.

The relevant patch appears to be

<http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5>

I haven't seen any further details about this one, but setting severity
to grave for now.






More information about the Perl-maintainers mailing list