
Re: Bug#970096: buster-pu: package libdbi-perl/1.642-1+deb10u1



Hi Xavier,

On Fri, Sep 11, 2020 at 06:02:00PM +0200, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: debian-perl@lists.debian.org
> 
> [ Reason ]
> libdbi-perl is vulnerable to a (low) security bug (CVE-2020-14392)
> 
> [ Impact ]
> libdbi-perl may crash if an attacker can give a malformed login
> 
> [ Tests ]
> No new test, current passed
> 
> [ Risks ]
> This patch is very simple
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Returned values are more tested

> diff --git a/debian/changelog b/debian/changelog
> index d2e35cc..d0ad39a 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +libdbi-perl (1.642-1+deb10u1) buster; urgency=medium
> +
> +  * Fix memory corruption in XS functions when Perl stack is reallocated
> +    (Closes: CVE-2020-14392)
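
Review bot: On the second line of the new changelog bullet, "(Closes: CVE-2020-14392)" puts a CVE id after the Closes: keyword, which is meant for Debian bug numbers in the form "Closes: #nnnnnn"; a CVE id there closes nothing in the BTS and reads as if it did. Suggest writing the id as a plain reference, "(CVE-2020-14392)", and keeping Closes: only for a Debian bug number if one is filed for this issue. Separately, the header line sets urgency=medium while the request text calls the bug "(low)"; worth confirming that the urgency is intended.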

Note that there is as well CVE-2020-14393, could you add the fix for
this one as well?

Regards,
Salvatore

