From ${URL} : CVE-2014-4330 reports a stack exhaustion bug in Data::Dumper, when it attempts to recurse without limit. The bug was reported by LSE Leading Security Experts GmbH employee Markus Vervier. The fix was written by Tony Cook. By default, Data::Dumper will now limit recursion to 1000 levels, but this can be configured by $Maxrecurse. This patch has been pre-seeded to downstream vendors, who will apply it as they see fit. Expect a new release of Data::Dumper soon. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
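As an added example (not from this bug thread and not Data::Dumper's own code), a Perl script that exercises the $Maxrecurse limit described above against a constructed, deeply nested array reference; the nested_arrayref and safe_dump helpers are mine, and the script assumes Data::Dumper 2.154 or later is installed.

```perl
#!/usr/bin/perl
# Added example: exercise the $Data::Dumper::Maxrecurse limit that
# Data::Dumper 2.154 introduced as the fix for CVE-2014-4330.
use strict;
use warnings;
use Data::Dumper;

# Constructed input: an array reference nested $depth levels deep, the kind
# of structure that drove DD_dump into unbounded recursion before 2.154.
sub nested_arrayref {
    my ($depth) = @_;
    my $ref = [];
    $ref = [ $ref ] for 1 .. $depth;
    return $ref;
}

# Dump a value under an explicit recursion limit. The limit makes Dumper die
# instead of exhausting the stack, so trap that and return undef on failure.
sub safe_dump {
    my ($value, $limit) = @_;
    local $Data::Dumper::Maxrecurse = $limit;  # default is 1000 since 2.154
    local $Data::Dumper::Indent     = 0;       # single-line output
    my $out = eval { Dumper($value) };
    if ($@) {
        warn "Dumper refused the structure: $@";
        return undef;
    }
    return $out;
}

my $shallow = nested_arrayref(5);
my $deep    = nested_arrayref(5000);

print "shallow: ", safe_dump($shallow, 1000), "\n";
print "deep:    ", (defined safe_dump($deep, 1000) ? "dumped" : "rejected"), "\n";

# With 2.154 or later the deep case dies with "Recursion limit of 1000 exceeded"
# and is reported as rejected; with 2.153 or earlier the same call recurses
# without bound (CVE-2014-4330). Setting $Maxrecurse to 0 disables the limit.
```

When dumping data whose nesting depth a caller does not control, keep the default limit (or a lower one) rather than disabling it.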
This is fixed in perl-core/Data-Dumper-2.154.0 virtual/perl-Data-Dumper-2.154.0 Let's keep it in ~arch for a few days and then stabilize. Target: all stable arches
Arches, please test and mark stable: =perl-core/Data-Dumper-2.154.0 =virtual/perl-Data-Dumper-2.154.0 Target Keywords : "amd64 hppa ppc x86" Thank you!
Stable for HPPA.
amd64 stable
x86 stable
@ago: you did not stabilize the virtual, only perl-core. This has the effect that the perl-core package is never installed, and the bug is therefore not fixed... I copied the stable keywords over, so amd64 and x86 are fine now. Waiting for ppc...
ppc stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #7)
> ppc stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.
Not so fast. I said "all stable arches". Arches, please test and mark stable: =perl-core/Data-Dumper-2.154.0 =virtual/perl-Data-Dumper-2.154.0 Still missing: "alpha arm ia64 ppc64 sparc" Thank you!
Stable on alpha.
(In reply to Andreas K. Hüttel from comment #6)
> @ago: you did not stabilize the virtual, only perl-core. This has the effect
> that the perl-core package is never installed, and the bug is therefore not
> fixed...
It was a script failure.
(In reply to Andreas K. Hüttel from comment #8)
> Not so fast. I said "all stable arches".
The script changes the whiteboard when there aren't arches in CC.
sparc stable
arm stable
ia64 stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
Cleanup done, Perl out.
GLSA vote: no.
CVE-2014-4330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4330): The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.
GLSA Vote: No, closing noglsa