| Summary: | <dev-lang/perl-5.16.3 "decode_xs()" and "File::Glob::bsd_glob()" Vulnerabilities (CVE-2011-{2728,2939}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | perl |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/46172/ | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 461898 | | |
| Bug Blocks: | | | |

Description
Agostino Sarubbo
2011-09-29 09:14:27 UTC
CVE-2011-2939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2939): Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.

CVE-2011-2728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2728): The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

I don't suppose we're any closer to actually getting an unaffected version stable?

@security, vote please.

ah, B2, set as [glsa]

This issue was resolved and addressed in GLSA 201401-11 at http://security.gentoo.org/glsa/glsa-201401-11.xml by GLSA coordinator Chris Reffett (creffett).