Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

Niko Tyni ntyni at debian.org
Fri Jun 17 06:48:28 UTC 2011


On Thu, Jun 16, 2011 at 10:11:09PM +0200, Florian Weimer wrote:

> >> > Okay, then we should release a DSA for it, so that the breakage is
> >> > more easily blamed on this particular change, and that it's less
> >> > confusing if we have to issue follow-up DSAs.  Perhaps late May or
> >> > early June would be a convenient release date?

> Anyway, we should probably push the fix to lenny and squeeze at this
> point.  (See above for part of my rationale for that.)

Fine by me.

> I can grab
> 0002-CVE-2011-1487-lc-uc-first-fail-to-taint-the-returned.patch and
> apply it to squeeze & lenny if you want me to.

I'm short on time and I believe Dominic is also, so I'd be glad if you
could handle this.

FWIW, I already prepared full debdiffs for lenny and squeeze earlier, see
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622817#32

Feel free to use those if you like, modified or unmodified.

> Are there any other pending changes I should pick up?

I don't think so.

We have two other CVE issues open:

#628836 perl-debug: CVE-2010-4777 perl: assertion failure with certain regular expressions
  applies to perl-debug only, not fixed in unstable yet

#628817 perl NULL pointer dereference CVE-2011-0761
  (at least symptoms) fixed in unstable by a newer upstream version

These are low to medium severity bugs, and neither currently has a
clearly correct patch available for 5.10.x, so I don't think they are
candidates at this time.

#629363 perl consumes all the memory on: open FILE, '<', \*STDIN or die; <FILE>;

is a recent candidate for a stable update but it's not even fixed in
unstable yet so we'll have to leave it for later too.

Thanks for looking at this,
-- 
Niko Tyni   ntyni at debian.org





