Bug#1056746: perl: CVE-2023-47038: Write past buffer end via illegal user-defined Unicode property
Niko Tyni
ntyni at debian.org
Sat Nov 25 20:17:18 GMT 2023
Package: perl
Version: 5.30.0-1
Severity: important
Tags: security patch fixed-upstream bullseye bookworm trixie
X-Debbugs-Cc: team at security.debian.org
Perl upstream released 5.34.2, 5.36.2 and 5.38.1 today with coordinated
fixes for two security issues. One of these (CVE-2023-47039) is specific
to Windows, but the other one (CVE-2023-47038) concerns us.
We discussed this earlier with Salvatore from the security team and
decided that CVE-2023-47038 is non-DSA like other "crafted regular
expression crashes" we've handled in the past. It will hence be fixed
via point releases for stable and oldstable.
CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property
A test case is
perl -e 'qr/\p{utf8::_perl_surrogate}/'
which crashes on oldstable (bullseye, 5.32), stable (bookworm, 5.36),
unstable / testing (5.36) and experimental (5.38).
The issue was introduced in the 5.30 cycle, so LTS (buster, 5.28) is
not affected.
The upstream fixes are at
5.34 https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
5.36 https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
5.38 https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb29999a5a5219be664
The 5.34 fix applies to 5.32 as well.
I'll start with sid/trixie and handle the *stable updates after that,
mainly targeting next bookworm point update on 2023-12-09 as per
https://lists.debian.org/debian-project/2023/11/msg00003.html
For experimental/5.38, I intend to push 5.38.1 instead of cherry-picking
the patch.
--
Niko Tyni ntyni at debian.org