Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
On Thu, Jun 16, 2011 at 10:11:09PM +0200, Florian Weimer wrote:
> >> > Okay, then we should release a DSA for it, so that the breakage is
> >> > more easily blamed on this particular change, and that it's less
> >> > confusing if we have to issue follow-up DSAs. Perhaps late May or
> >> > early June would be a convenient release date?
> Anyway, we should probably push the fix to lenny and squeeze at this
> point. (See above for part of my rationale for that.)
Fine by me.
> I can grab
> 0002-CVE-2011-1487-lc-uc-first-fail-to-taint-the-returned.patch and
> apply it to squeeze & lenny if you want me to.
I'm short on time and I believe Dominic is also, so I'd be glad if you
could handle this.
FWIW, I already prepared full debdiffs for lenny and squeeze earlier, see
Feel free to use those if you like, modified or unmodified.
> Are there any other pending changes I should pick up?
I don't think so.
We have two other CVE issues open:
#628836 perl-debug: CVE-2010-4777 perl: assertion failure with certain regular expressions
applies to perl-debug only, not fixed in unstable yet
#628817 perl NULL pointer dereference CVE-2011-0761
(at least symptoms) fixed in unstable by a newer upstream version
These are low to medium severity bugs, and neither currently has a
clearly correct patch available for 5.10.x, so I don't think they are
candidates at this time.
#629363 perl consumes all the memory on: open FILE, '<', \*STDIN or die; <FILE>;
is a recent candidate for a stable update but it's not even fixed in
unstable yet so we'll have to leave it for later too.
Thanks for looking at this,
Niko Tyni email@example.com