Summary: | <perl-core/Data-Dumper-2.154.0 : Denial of Service Vulnerability (CVE-2014-4330) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg220118.html | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-09-24 14:56:45 UTC
This is fixed in perl-core/Data-Dumper-2.154.0 virtual/perl-Data-Dumper-2.154.0

Let's keep it in ~arch for a few days and then stabilize.

Target: all stable arches

Arches, please test and mark stable:
=perl-core/Data-Dumper-2.154.0
=virtual/perl-Data-Dumper-2.154.0
Target Keywords : "amd64 hppa ppc x86"
Thank you!

Stable for HPPA.

amd64 stable

x86 stable

@ago: you did not stabilize the virtual, only perl-core. This has the effect that the perl-core package is never installed, and the bug is therefore not fixed... I copied the stable keywords over, so amd64 and x86 are fine now. Waiting for ppc...

ppc stable.

Maintainer(s), please cleanup.
Security, please vote.

(In reply to Agostino Sarubbo from comment #7)
> ppc stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.

Not so fast. I said "all stable arches".

Arches, please test and mark stable:
=perl-core/Data-Dumper-2.154.0
=virtual/perl-Data-Dumper-2.154.0
Still missing : "alpha arm ia64 ppc64 sparc"
Thank you!

Stable on alpha.

(In reply to Andreas K. Hüttel from comment #6)
> @ago: you did not stabilize the virtual, only perl-core. This has the effect
> that the perl-core package is never installed, and the bug is therefore not
> fixed...

It was a script failure.

(In reply to Andreas K. Hüttel from comment #8)
> Not so fast. I said "all stable arches".

The script changes the whiteboard when there aren't arches in CC.

sparc stable

arm stable

ia64 stable

ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Cleanup done, Perl out.

GLSA vote: no.

CVE-2014-4330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4330):
The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.

GLSA Vote: No, closing noglsa
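The following is an added example, not code from this bug report or from the Data::Dumper distribution, showing the input shape the CVE text describes (an array reference nested many levels deep) and the guard that Data::Dumper 2.154 introduced for it. The helper names `nested_arrayref` and `safe_dump` are chosen here; `$Data::Dumper::Maxrecurse` is the real package variable added in 2.154 (default 1000, 0 disables the limit), and the depths and the limit of 100 are values picked for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;

# Build an array reference nested $depth levels deep: [[[[ ... [] ... ]]]].
# This is the structure that drives DD_dump into one recursive call per level.
sub nested_arrayref {
    my ($depth) = @_;
    my $ref = [];
    $ref = [ $ref ] for 1 .. $depth;
    return $ref;
}

# Dump $data with an explicit recursion ceiling.
# Returns (1, dump text) on success or (0, error text) when Dumper dies.
# $Data::Dumper::Maxrecurse exists only in 2.154 and later; on older
# versions the assignment is a harmless no-op and no limit is enforced.
sub safe_dump {
    my ($data, $limit) = @_;
    local $Data::Dumper::Maxrecurse = $limit;   # guard added in 2.154 for CVE-2014-4330
    local $Data::Dumper::Indent     = 0;        # single-line output, easier to read
    my $out = eval { Dumper($data) };
    return $@ ? (0, $@) : (1, $out);
}

print "Data::Dumper version $Data::Dumper::VERSION\n";

# Shallow structure, well under the limit: dumps normally on every version.
my ($ok, $res) = safe_dump(nested_arrayref(5), 100);
print $ok ? "depth 5 dumped: $res\n" : "depth 5 failed: $res";

# Structure deeper than the limit: on 2.154+ Dumper dies with a recursion-limit
# error instead of descending without bound; on older versions it simply dumps.
($ok, $res) = safe_dump(nested_arrayref(500), 100);
print $ok ? "depth 500 dumped: limit not honoured, Data::Dumper is older than 2.154\n"
          : "depth 500 rejected: $res";
```

On a system where the fixed version is actually installed, the second call dies and the script reports the rejection; if both calls succeed, the interpreter is still loading a pre-2.154 Data::Dumper, and raising the depth by a few orders of magnitude is what exhausts the C stack in DD_dump and crashes the process. That is also the practical check for the stabilization issue raised in the thread: the ebuild being keyworded is not enough, the module Perl resolves at runtime has to be the new one, which `perl -MData::Dumper -e 'print "$Data::Dumper::VERSION\n"'` confirms in one line. Keep the limit at the default unless untrusted structures are dumped, in which case a lower value with the `eval` around `Dumper` turns the crash into a handled error.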