Bug#532738: Bug#532736: CVE-2009-1391: Buffer overflow in Compress::Raw::Zlib

Niko Tyni ntyni at debian.org
Fri Jun 12 20:16:54 UTC 2009


On Fri, Jun 12, 2009 at 12:00:11AM +0300, Niko Tyni wrote:
> 
> > > Compress::Raw::Zlib versions before 2.017 contain a buffer overflow in
> > > inflate(). A badly formed zlib-stream can trigger this buffer overflow and cause
> > > the perl process at least to hang or to crash.
> 
> > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391

> Security team, I'd love to have some confirmation on all this. I'll do
> my best to get the fix into sid in the weekend, hopefully Friday night.
 
Just uploaded perl/5.10.0-23 with the minimal fix and urgency=high.

> @pkg-perl: if somebody wants to handle the separate package, be my
> guest. I'll prioritize the perl package and will look at the other one
> afterwards if necessary.

For the benefit of testing migration, I suggest a minimal 2.015-2 upload
for libcompress-raw-zlib-perl too, despite the newer upstream version
already pending in the pkg-perl SVN repository.

The libio-compress-zlib-perl, libcompress-raw-zlib-perl, and
libio-compress-base-perl versions are currently tightly coupled and
updating libcompress-raw-zlib-perl past 2.015 will need changes to the
other ones too.

I'll prepare a security perl upload for lenny next, probably tomorrow.

Cheers,
-- 
Niko Tyni   ntyni at debian.org
