Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)

To: Kjetil Kjernsmo <kjetilk@opera.com>, 416611@bugs.debian.org
Subject: Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
From: Peter Samuelson <peter@p12n.org>
Date: Thu, 29 Mar 2007 06:18:57 -0500
Message-id: <[🔎] 20070329111857.GB6578@p12n.org>
Reply-to: Peter Samuelson <peter@p12n.org>, 416611@bugs.debian.org
In-reply-to: <[🔎] 200703291058.25986.kjetilk@opera.com>
References: <[🔎] 200703291058.25986.kjetilk@opera.com>

[Kjetil Kjernsmo]
> The problem was fixed in the recent 1.30 RC1 of the package:
> 
> SECURITY: CVE-2007-1349 (cve.mitre.org)
> fix unescaped variable interpolation in Apache::PerlRun
> regular expression to prevent regex engine tampering.
> reported by Alex Solovey
> [Randal L. Schwartz <merlyn@stonehenge.com>, Fred Moyer 
> <fred@redhotpenguin.com>]

Indeed, for reference the one-line fix is:

  svn diff -c521582 http://svn.apache.org/repos/asf/perl/modperl/branches/1.x

Do you know the scope of the DoS - does it allow the attacker to kill
the process running the perl program, or exhaust your memory, or what?

Thanks,
Peter

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
  - From: Kjetil Kjernsmo <kjetilk@opera.com>

References:
- Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
  - From: Kjetil Kjernsmo <kjetilk@opera.com>

Prev by Date: Bug#416562: marked as done (apache: No php5.conf and php5.load generated)
Next by Date: Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
Previous by thread: Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
Next by thread: Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
Index(es):
- Date
- Thread