Bug#628817: perl NULL pointer dereference
Dominic Hargreaves
dom at earth.li
Wed Jun 1 19:14:15 UTC 2011
On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
>
> CVE-2011-0761[0]:
> | Perl 5.10.x allows context-dependent attackers to cause a denial of
> | service (NULL pointer dereference and application crash) by leveraging
> | an ability to inject arguments into a (1) getpeername, (2) readdir,
> | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> | function call.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0761
> http://security-tracker.debian.org/tracker/CVE-2011-0761
As some pointed out upstream[0], this is only an issue if an application
passes unvalidated input directly into those functions. Do we think
this makes this issue not worth fixing in stable/oldstable?
Dominic.
[0] <http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-06/msg00027.html>
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
More information about the Perl-maintainers
mailing list