219203 CVE-2008-1927 2008-04-24 21:48 0000 dev-lang/perl < 5.8.8-r5 UTF-8 regex heap-based buffer overflow (CVE-2008-1927) 2008-05-21 21:03:02 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454792 A2 [glsa] P2 major --- 1 rbu@gentoo.org security@gentoo.org arm@gentoo.org fmccor@gentoo.org m68k@gentoo.org perl@gentoo.org s390@gentoo.org sh@gentoo.org rbu@gentoo.org 2008-04-24 21:48:21 0000 CVE-2008-1927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1927): Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems. rbu@gentoo.org 2008-04-24 21:55:19 0000 See the Debian bug for details, patch is in the 5.8 stable branch and to be released as 5.8.9. py@gentoo.org 2008-05-09 15:48:24 0000 (In reply to comment #1) > See the Debian bug for details, patch is in the 5.8 stable branch and to be > released as 5.8.9. > *ping* tove@gentoo.org 2008-05-10 14:32:57 0000 I've commited patched ebuilds for perl and libperl: =dev-lang/perl-5.8.8-r5 =sys-devel/libperl-5.8.8-r2 I've used the patch from debian and tested with: <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=test.pl;att=2;bug=454792> tove@gentoo.org 2008-05-14 08:21:23 0000 (In reply to comment #2) > (In reply to comment #1) > > See the Debian bug for details, patch is in the 5.8 stable branch and to be > > released as 5.8.9. > > > > *ping* *pong* -- see comment #3 py@gentoo.org 2008-05-14 09:13:13 0000 (In reply to comment #3) > I've commited patched ebuilds for perl and libperl: > > =dev-lang/perl-5.8.8-r5 > =sys-devel/libperl-5.8.8-r2 > Arches, please test and mark stable. Target "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 release s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd jer@gentoo.org 2008-05-14 14:21:42 0000 t/op/filetest.............................Can't locate Config_heavy.pl in @INC (@INC contains: ../lib) at ../lib/Config.pm line 66. # Looks like you planned 10 tests but ran 5. FAILED--expected 10 tests, saw 5 Nevertheless, both stable for HPPA. fmccor@gentoo.org 2008-05-14 14:25:47 0000 Sparc stable for both. All tests seem good on sparc. corsair@gentoo.org 2008-05-14 15:52:47 0000 ppc64 stable fauli@gentoo.org 2008-05-14 17:10:25 0000 x86 stable maekke@gentoo.org 2008-05-14 20:15:16 0000 amd64 stable armin76@gentoo.org 2008-05-15 09:41:09 0000 alpha/ia64 stable dertobi123@gentoo.org 2008-05-16 19:20:57 0000 ppc stable py@gentoo.org 2008-05-17 10:42:51 0000 glsa request filed pva@gentoo.org 2008-05-18 15:24:02 0000 Fixed in release snapshot. rbu@gentoo.org 2008-05-18 15:59:24 0000 not quite fixed ;-) keytoaster@gentoo.org 2008-05-21 21:03:02 0000 GLSA 200805-17