Bug#628817: perl NULL pointer dereference
dom at earth.li
Wed Jun 1 19:14:15 UTC 2011
On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
> | Perl 5.10.x allows context-dependent attackers to cause a denial of
> | service (NULL pointer dereference and application crash) by leveraging
> | an ability to inject arguments into a (1) getpeername, (2) readdir,
> | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> | function call.
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> For further information see:
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0761
As some pointed out upstream, this is only an issue if an application
passes unvalidated input directly into those functions. Do we think
this makes this issue not worth fixing in stable/oldstable?
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)