
Re: Bug#698174: perl: double-free in load subroutine for Digest::SHA



On 2013-01-22 23:59, Dominic Hargreaves wrote:
> Adding debian-release as CC.
> 
> On Wed, Jan 16, 2013 at 07:33:19AM +0100, Salvatore Bonaccorso wrote:
>> Hi Dominic
>>
>> On Tue, Jan 15, 2013 at 11:26:09PM +0000, Dominic Hargreaves wrote:
>>> On Mon, Jan 14, 2013 at 09:46:55PM +0100, Salvatore Bonaccorso wrote:
>>>> Upload of Digest::SHA 5.81 mentions the following:
>>>>
>>>> 5.81  Mon Jan 14 05:17:08 MST 2013
>>>> 	- corrected load subroutine (SHA.pm) to prevent double-free
>>>> 		-- Bug #82655: Security issue - segfault
>>>> 		-- thanks to Victor Efimov and Nicholas Clark
>>>> 			for technical expertise and suggestions
>>>>
>>>> Upstream bug report is [1] and it was also sent to
>>>> perl5-security-report@perl.org list.
>>>>
>>>>  [1]: https://rt.cpan.org/Ticket/Display.html?id=82655
>>>
>>> The view so far appears to be that this is not exploitable:
>>>
>>> http://seclists.org/oss-sec/2013/q1/88
>>
>> Yes I have seen. I think at this stage we can remove the security tag
>> for #698174 (and #698172).
> 
> At this stage I'm not planning to push this for inclusion in wheezy,
> since it doesn't meet <http://release.debian.org/wheezy/freeze_policy.html>
> but let me know if anyone thinks differently.
> 

Is this the same fix as in libdigest-sha-perl?  If so, that already got
an unblock.

~Niels


