Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 219203 (CVE-2008-1927)

Summary: dev-lang/perl < 5.8.8-r5 UTF-8 regex heap-based buffer overflow (CVE-2008-1927)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: fmccor, perl
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454792
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-24 21:48:21 UTC 
CVE-2008-1927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1927):
  Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to
  cause a denial of service (memory corruption and crash) via a crafted regular
  expression containing UTF8 characters.  NOTE: this issue might only be
  present on certain operating systems.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-24 21:55:19 UTC 
See the Debian bug for details, patch is in the 5.8 stable branch and to be released as 5.8.9.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-09 15:48:24 UTC 
(In reply to comment #1)
> See the Debian bug for details, patch is in the 5.8 stable branch and to be
> released as 5.8.9.
> 

*ping*
Comment 3 Torsten Veller (RETIRED) gentoo-dev 2008-05-10 14:32:57 UTC 
I've commited patched ebuilds for perl and libperl:

=dev-lang/perl-5.8.8-r5
=sys-devel/libperl-5.8.8-r2

I've used the patch from debian and tested with:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=test.pl;att=2;bug=454792>
Comment 4 Torsten Veller (RETIRED) gentoo-dev 2008-05-14 08:21:23 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > See the Debian bug for details, patch is in the 5.8 stable branch and to be
> > released as 5.8.9.
> > 
> 
> *ping*

*pong* -- see comment #3
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-14 09:13:13 UTC 
(In reply to comment #3)
> I've commited patched ebuilds for perl and libperl:
> 
> =dev-lang/perl-5.8.8-r5
> =sys-devel/libperl-5.8.8-r2
> 

Arches, please test and mark stable.
Target "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 release s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-14 14:21:42 UTC 
t/op/filetest.............................Can't locate Config_heavy.pl in @INC (@INC
contains: ../lib) at ../lib/Config.pm line 66.
# Looks like you planned 10 tests but ran 5.
FAILED--expected 10 tests, saw 5

Nevertheless, both stable for HPPA.
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-05-14 14:25:47 UTC 
Sparc stable for both.  All tests seem good on sparc.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-05-14 15:52:47 UTC 
ppc64 stable
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-14 17:10:25 UTC 
x86 stable
Comment 10 Markus Meier gentoo-dev 2008-05-14 20:15:16 UTC 
amd64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-05-15 09:41:09 UTC 
alpha/ia64 stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-16 19:20:57 UTC 
ppc stable
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-17 10:42:51 UTC 
glsa request filed
Comment 14 Peter Volkov (RETIRED) gentoo-dev 2008-05-18 15:24:02 UTC 
Fixed in release snapshot.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-05-18 15:59:24 UTC 
not quite fixed ;-)
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-21 21:03:02 UTC 
GLSA 200805-17