Bug 523624 (CVE-2014-4330) - <perl-core/Data-Dumper-2.154.0 : Denial of Service Vulnerability (CVE-2014-4330)
Summary: <perl-core/Data-Dumper-2.154.0 : Denial of Service Vulnerability (CVE-2014-4330)
Status: RESOLVED FIXED
Alias: CVE-2014-4330
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.nntp.perl.org/group/perl.p...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-24 14:56 UTC by Agostino Sarubbo
Modified: 2015-03-18 22:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-09-24 14:56:45 UTC
From ${URL} :

CVE-2014-4330 reports a stack exhaustion bug in Data::Dumper, when it attempts
to recurse without limit.  The bug was reported by LSE Leading Security Experts
GmbH employee Markus Vervier.  The fix was written by Tony Cook.  By default,
Data::Dumper will now limit recursion to 1000 levels, but this can be
configured by $Maxrecurse.

This patch has been pre-seeded to downstream vendors, who will apply it as they
see fit.  Expect a new release of Data::Dumper soon.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2014-09-24 22:15:56 UTC
This is fixed in 

perl-core/Data-Dumper-2.154.0
virtual/perl-Data-Dumper-2.154.0

Let's keep it in ~arch for a few days and then stabilize.
Target: all stable arches
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 20:18:23 UTC
Arches, please test and mark stable:

=perl-core/Data-Dumper-2.154.0
=virtual/perl-Data-Dumper-2.154.0

Target Keywords : "amd64 hppa ppc x86"

Thank you!
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-06 06:40:37 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-06 19:01:42 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-10-06 19:02:38 UTC
x86 stable
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2014-10-09 19:25:12 UTC
@ago: you did not stabilize the virtual, only perl-core. This has the effect that the perl-core package is never installed, and the bug is therefore not fixed...

I copied the stable keywords over, so amd64 and x86 are fine now. 

Waiting for ppc...
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-17 13:13:40 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2014-10-24 20:02:19 UTC
(In reply to Agostino Sarubbo from comment #7)
> ppc stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

Not so fast. I said "all stable arches". 

Arches, please test and mark stable:

=perl-core/Data-Dumper-2.154.0
=virtual/perl-Data-Dumper-2.154.0

Still missing : "alpha arm ia64 ppc64 sparc"

Thank you!
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-29 10:26:19 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2014-10-29 12:02:58 UTC
(In reply to Andreas K. Hüttel from comment #6)
> @ago: you did not stabilize the virtual, only perl-core. This has the effect
> that the perl-core package is never installed, and the bug is therefore not
> fixed...

It was a script failure.


(In reply to Andreas K. Hüttel from comment #8)
> Not so fast. I said "all stable arches". 

The script changes the whiteboard when there aren't arches in CC.
Comment 11 Agostino Sarubbo gentoo-dev 2014-10-29 12:03:54 UTC
sparc stable
Comment 12 Markus Meier gentoo-dev 2014-10-30 18:55:46 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-11-02 09:42:55 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-11-10 13:53:14 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Andreas K. Hüttel archtester gentoo-dev 2014-11-29 20:57:46 UTC
Cleanup done, Perl out.
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-31 14:58:16 UTC
GLSA vote: no.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 19:51:24 UTC
CVE-2014-4330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4330):
  The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and
  earlier, allows context-dependent attackers to cause a denial of service
  (stack consumption and crash) via an Array-Reference with many nested
  Array-References, which triggers a large number of recursive calls to the
  DD_dump function.
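The description and the CVE text above both describe the same failure mode: Data::Dumper walking an arbitrarily deep chain of nested array references until the stack is exhausted, and the fix of capping recursion at 1000 levels via $Maxrecurse. The following is an added example, not code from the bug report or from the Data::Dumper distribution, showing how a caller on a fixed Data::Dumper (2.154 or later, assumed installed) can set a tighter cap and handle the resulting exception instead of crashing. The helper names nested_arrayref and safe_dump are hypothetical, and the nested input is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): demonstrates the recursion cap
# that Data::Dumper 2.154 introduced ($Data::Dumper::Maxrecurse, default
# 1000) and how to lower it and catch the croak when dumping untrusted data.
# Assumes Data::Dumper >= 2.154 is installed.
use strict;
use warnings;
use Data::Dumper;

# Build a chain of nested array references $depth levels deep.
# Constructed input, representative of the structure the CVE text describes
# ("an Array-Reference with many nested Array-References").
sub nested_arrayref {
    my ($depth) = @_;
    my $ref = [];
    $ref = [$ref] for 1 .. $depth;
    return $ref;
}

# Dump with an explicit recursion cap. Returns (output, undef) on success,
# or (undef, error) when Data::Dumper refuses to recurse any further.
sub safe_dump {
    my ($data, $maxrecurse) = @_;
    local $Data::Dumper::Maxrecurse = $maxrecurse;   # 0 would mean unlimited
    local $Data::Dumper::Indent    = 0;              # keep output on one line
    my $out = eval { Dumper($data) };
    return ($out, undef) if defined $out;
    return (undef, $@);
}

printf "Data::Dumper %s, default Maxrecurse = %s\n",
    $Data::Dumper::VERSION, $Data::Dumper::Maxrecurse;

# A modest structure dumps fine under a low cap...
my ($out, $err) = safe_dump(nested_arrayref(10), 50);
print defined $out ? "depth 10 under cap 50: ok\n" : "unexpected: $err";

# ...while input nested beyond the cap is rejected with an exception
# rather than consuming the stack.
($out, $err) = safe_dump(nested_arrayref(200), 50);
print defined $err ? "depth 200 under cap 50: rejected: $err"
                   : "depth 200 under cap 50: dumped anyway?\n";
```

Because $Maxrecurse is a package variable, the local() inside safe_dump scopes the lower cap to that one call; code elsewhere in the process keeps the 1000-level default. On a pre-2.154 Data::Dumper the variable has no effect and the second call is exactly the unbounded recursion the advisory describes, so checking $Data::Dumper::VERSION at startup is a cheap way to confirm the fixed version is actually the one loaded (the point of comment 6 above about the virtual package).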
Comment 18 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-18 22:00:17 UTC
GLSA Vote: No, closing noglsa