Bug#637376: perl: Encode security: Unicode.xs!decode_xs n-byte heap-overflow
Dominic Hargreaves
dom at earth.li
Mon Aug 29 12:06:37 UTC 2011

severity 637376 important
thanks

On Sun, Aug 21, 2011 at 06:52:28PM +0300, Niko Tyni wrote:
> retitle 637376 perl: [CVE-2011-2939] Encode security: Unicode.xs!decode_xs n-byte heap-overflow
> thanks
>
> On Wed, Aug 10, 2011 at 06:52:43PM +0100, Dominic Hargreaves wrote:
> > Package: perl
> > Version: 5.12.4-3
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Encode 2.44 has been released with the following change:
> >
> > ! Unicode/Unicode.xs
> > Addressed the following:
> > Date: Fri, 22 Jul 2011 13:58:43 +0200
> > From: Robert Zacek <zacek at avast.com>
> > To: perl5-security-report at perl.org
> > Subject: Unicode.xs!decode_xs n-byte heap-overflow
>
> > I haven't seen any further details about this one, but setting severity
> > to grave for now.
>
> Quoting Josh Bresser in
> http://www.openwall.com/lists/oss-security/2011/08/19/17
>
> > I'm going to assign this CVE-2011-2939. It looks like a single byte
> > overflow. It's probably not exploitable (even as a DoS), but to play it
> > safe, I'm assigning this ID.

I get the impression that upstream agrees with this low potential for
exploitability, so I'm lowering the severity of this bug.

I suggest we wait for upstream to make stable releases including the fix
before pushing this out to squeeze/lenny (I had a look at lenny and the
code is, as Niko mentioned, completely different), so it's unlikely that
this problem exists in the same form there.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)