Moritz Muehlenhoff
2009-Oct-25 08:19 UTC
[Secure-testing-team] Bug#552291: CVE-2009-3626: DoS in Unicode processing
Package: perl
Version: 5.10.1-5
Severity: grave
Tags: security

Quoting a posting from Jan Lieskovsky/Red Hat to oss-security. I've verified
that Etch and Lenny are not affected.

Cheers,
Moritz

----
Hello Steve, vendors,

Mark Martinec reported a Perl crash while processing a UTF-8 character with a
large and invalid codepoint.

References:
----------
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225 (original source)
http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973 (perl bug)
http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/ (PoC)

Affected versions:
------------------
Have checked that Perl versions perl-5.8.0, perl-5.8.5, perl-5.8.8 and
perl-5.10.0 are not vulnerable to this flaw.

Issue was confirmed in Perl version perl-5.10.1, as available at:
http://www.cpan.org/src/perl-5.10.1.tar.gz

CVE identifier:
---------------
The CVE identifier CVE-2009-3626 has already been assigned to this issue.
---

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages perl depends on:
ii  libbz2-1.0       1.0.5-3             high-quality block-sorting file co
ii  libc6            2.9-27              GNU C Library: Shared libraries
ii  libdb4.7         4.7.25-8            Berkeley v4.7 Database Libraries [
ii  libgdbm3         1.8.3-6+b1          GNU dbm database routines (runtime
ii  perl-base        5.10.1-5            minimal Perl system
ii  perl-modules     5.10.1-5            Core Perl modules
ii  zlib1g           1:1.2.3.3.dfsg-15   compression library - runtime

Versions of packages perl recommends:
ii  make             3.81-6              An utility for Directing compilati
ii  netbase          4.37                Basic TCP/IP networking system

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | l <none>  (no description available)
ii  perl-doc         5.10.1-5            Perl documentation

-- no debconf information