[Secure-testing-team] Bug#552291: CVE-2009-3626: DoS in Unicode processing

Moritz Muehlenhoff jmm at debian.org
Sun Oct 25 08:19:00 UTC 2009


Package: perl
Version: 5.10.1-5
Severity: grave
Tags: security

Quoting a posting from Jan Lieskovsky/Red Hat to oss-security.
I've verified that Etch and Lenny are not affected.

Cheers,
        Moritz

----
Hello Steve, vendors,

  Mark Martinec reported a Perl crash while processing a UTF-8 character
with a large and invalid codepoint.

References:
----------
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225 (original source)
http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973 (perl bug)
http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/ (PoC)

Affected versions:
------------------
I have checked that Perl versions perl-5.8.0, perl-5.8.5, perl-5.8.8 and perl-5.10.0
are not vulnerable to this flaw.

The issue was confirmed in Perl version perl-5.10.1, as available at:

http://www.cpan.org/src/perl-5.10.1.tar.gz

CVE identifier:
---------------
The CVE identifier CVE-2009-3626 has already been assigned to this issue.
---
-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages perl depends on:
ii  libbz2-1.0             1.0.5-3           high-quality block-sorting file co
ii  libc6                  2.9-27            GNU C Library: Shared libraries
ii  libdb4.7               4.7.25-8          Berkeley v4.7 Database Libraries [
ii  libgdbm3               1.8.3-6+b1        GNU dbm database routines (runtime
ii  perl-base              5.10.1-5          minimal Perl system
ii  perl-modules           5.10.1-5          Core Perl modules
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

Versions of packages perl recommends:
ii  make                          3.81-6     An utility for Directing compilati
ii  netbase                       4.37       Basic TCP/IP networking system

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | l <none>     (no description available)
ii  perl-doc                      5.10.1-5   Perl documentation

-- no debconf information
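The flaw above is triggered by bytes that claim to encode a code point outside the Unicode range. The usual defensive habit for code that takes UTF-8 from untrusted sources is to decode it with Encode's strict 'UTF-8' codec and a croaking fallback, so malformed or out-of-range sequences are rejected at the boundary rather than handed to regex or string operations. The script below is an added example, not code from the bug report or from the perl package; the sample byte strings are constructed here and are not the PoC referenced above.

```perl
#!/usr/bin/perl
# Added example (not part of the bug report): validate incoming bytes as
# strict UTF-8 before the rest of the program touches them.
use strict;
use warnings;
use Encode ();

# Decode $bytes with Encode's strict 'UTF-8' codec. Unlike the lax 'utf8'
# codec, which accepts Perl's extended range, strict 'UTF-8' rejects
# malformed sequences, surrogates and code points above U+10FFFF.
# FB_CROAK makes decode() die on the first bad sequence; LEAVE_SRC keeps
# the caller's buffer untouched. Returns ('ok', $text) or ('reject', $why).
sub validate_utf8 {
    my ($bytes) = @_;
    my $text = eval {
        Encode::decode('UTF-8', $bytes, Encode::FB_CROAK | Encode::LEAVE_SRC);
    };
    if (my $err = $@) {
        $err =~ s/\s+at\s+\S+\s+line\s+\d+\.?\s*$//;   # drop "at FILE line N."
        return ('reject', $err);
    }
    return ('ok', $text);
}

# Constructed sample inputs (raw byte strings), labelled by what they encode.
my %samples = (
    'valid latin text'   => "caf\xC3\xA9",                  # U+00E9
    'truncated sequence' => "ab\xE2\x82",                    # cut-off 3-byte seq
    'beyond U+10FFFF'    => "x\xF4\x90\x80\x80y",            # would be U+110000
    'five-byte extended' => "\xF8\x88\x80\x80\x80",          # Perl-only extension
    'surrogate U+D800'   => "\xED\xA0\x80",                  # not a scalar value
);

for my $name (sort keys %samples) {
    my ($status, $detail) = validate_utf8($samples{$name});
    if ($status eq 'ok') {
        printf "%-20s ok      (%d chars)\n", $name, length $detail;
    } else {
        printf "%-20s REJECT  %s\n", $name, $detail;
    }
}
```

Only the first sample decodes; the other four are refused by the strict codec before any further processing. The same check is worth applying in mail filters and other daemons that receive arbitrary bytes, since it turns a potential process crash into an ordinary input-validation failure that can be logged and counted.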
