
Re: perl regex vulnerability - debian - pcre only?



On Tue, Nov 06, 2007 at 12:59:29PM +0000, Mike Astle wrote:
> That don't look so good:
> 
> ----
> 
> "[...] discovered a flaw in Perl's regular
> expression engine. Specially crafted input to a regular expression can
> cause Perl to improperly allocate memory, resulting in the possible
> execution of arbitrary code with the permissions of the user running
> Perl."
> 
> https://rhn.redhat.com/errata/RHSA-2007-0966.html
> 
> Also...
> 
> http://www.debian.org/security/2007/dsa-1399
> 
> ----
> 
> I only see new pcre3 packages for debian.  Is this a problem with just 
> pcre or perl itself?
> 
> -mike

http://security-tracker.debian.net/tracker/CVE-2007-5116

is uninformative, but that is the CVE ID that Red Hat and others are
referring to.

(Apologies for the cross-post.  Please set follow-ups correctly 
according to proportions of debian, security, perl, beer, buffy
and a pony.  Thank you.)

Regards,
Paddy


