Bug#631529: Missing fix for CVE-2010-1447

Niko Tyni ntyni at debian.org
Tue Jun 28 11:26:27 UTC 2011


On Mon, Jun 27, 2011 at 07:01:24PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Jun 26, 2011 at 08:49:12AM +0300, Niko Tyni wrote:
> > On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote:
> > > On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: perl
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > Hi Perl maintainers,
> > > > it turns out that CVE-2010-1447 is still missing in Lenny and
> > > > Squeeze. It was originally attributed to Postgres, but it
> > > > was later found out that Perl is affected as well.
> > > > 
> > > > The attached patch is still needed in both Lenny and Squeeze.
> > > 
> > > Thanks for pointing this out. I'll verify the patch and prepare packages;
> > > do you want them uploaded to security-master ASAP?
> > 
> > Please note that this is probably going to break libpetal-perl and no
> > fix is available. See #582805.
> 
> But this software must've already been broken with the initial Safe.pm fix for
> Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)

No, it's really this fix for CVE-2010-1447 that breaks it.

I've verified on both Lenny and Squeeze that libpetal-perl_2.19-1
builds fine without CVE-2010-1447.patch, but applying the patch
manually to /usr/lib/perl/5.10/Safe.pm (or, in the squeeze case,
/usr/share/perl/5.10/Safe.pm) makes the libpetal-perl test suite crash
and burn.

I see I left the CVE-2010-1168 update at Safe-2.25 precisely because of
this; quoting myself in #582978:

  Upstream is now at 2.27, which has further related changes and was also
  bundled with Perl 5.12.1. However, it causes regressions in (at least)
  libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
  two regressions don't happen with 2.25. 

See also my mail to team at security.debian.org in January 2011 with
CVE-2010-1168 in the subject and
 Message-ID: <20110114185338.GA25109 at madeleine.local.invalid>


Fortunately libtext-micromason-perl isn't a problem in this context:
  - it's not in Lenny at all
  - the Squeeze package got fixed in time, and I've verified that it still
    builds with CVE-2010-1447.patch

-- 
Niko Tyni   ntyni at debian.org