Re: Bug#698174: perl: double-free in load subroutine for Digest::SHA
On Wed, Jan 23, 2013 at 12:38:43AM +0100, Niels Thykier wrote:
> On 2013-01-22 23:59, Dominic Hargreaves wrote:
> > Adding debian-release as CC.
> >
> > On Wed, Jan 16, 2013 at 07:33:19AM +0100, Salvatore Bonaccorso wrote:
> >> Hi Dominic
> >>
> >> On Tue, Jan 15, 2013 at 11:26:09PM +0000, Dominic Hargreaves wrote:
> >>> On Mon, Jan 14, 2013 at 09:46:55PM +0100, Salvatore Bonaccorso wrote:
> >>>> Upload of Digest::SHA 5.81 mentions the following:
> >>>>
> >>>> 5.81 Mon Jan 14 05:17:08 MST 2013
> >>>> - corrected load subroutine (SHA.pm) to prevent double-free
> >>>> -- Bug #82655: Security issue - segfault
> >>>> -- thanks to Victor Efimov and Nicholas Clark
> >>>> for technical expertise and suggestions
> >>>>
> >>>> Upstream bugreport is [1] and it was also sent to
> >>>> perl5-security-report@perl.org list.
> >>>>
> >>>> [1]: https://rt.cpan.org/Ticket/Display.html?id=82655
> >>>
> >>> The view so far appears to be that this is not exploitable:
> >>>
> >>> http://seclists.org/oss-sec/2013/q1/88
> >>
> >> Yes I have seen. I think at this stage we can remove the security tag
> >> for #698174 (and #698172).
> >
> > At this stage I'm not planning to push this for inclusion in wheezy;
> > since it doesn't meet <http://release.debian.org/wheezy/freeze_policy.html>
> > but let me know if anyone thinks differently.
> >
>
> Is this the same fix as in libdigest-sha-perl?
Yes. The same perl module appears in perl core.
> If so, that already got
> an unblock.
Right. That is of course Priority: optional and therefore a
Severity: important fix qualifies. But until I read your question, I
hadn't thought through this carefully enough. Having this fix only
in one of the two places Digest::SHA appears in wheezy is probably
a Bad Thing, so maybe we should upload a fix for wheezy/perl after all.
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Reply to: