| Summary: | <dev-lang/perl-5.22.1: denial-of-service / Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU (CVE-2015-8853) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | perl |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2016/04/20/5 | ||
| Whiteboard: | A3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 589680 | ||
| Bug Blocks: | |||
This is fixed in Perl 5.22.1. It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security fixes comes out in a few days. -> Let's wait for that. (In reply to Andreas K. Hüttel from comment #1) > This is fixed in Perl 5.22.1. > > It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security > fixes comes out in a few days. -> Let's wait for that. Perl 5.22.2 was released today and is already available in Gentoo. Stabilization will be handled in bug 567482 after a testing period. Please wait for now; arches will be CC'ed in bug 567482 when we're ready to go ahead. (In reply to Andreas K. Hüttel from comment #2) > (In reply to Andreas K. Hüttel from comment #1) > > This is fixed in Perl 5.22.1. > > > > It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security > > fixes comes out in a few days. -> Let's wait for that. > > Perl 5.22.2 was released today and is already available in Gentoo. > Stabilization will be handled in bug 567482 after a testing period. Please > wait for now; arches will be CC'ed in bug 567482 when we're ready to go > ahead. Perl 5.22.2 is ready for stabilization; please proceed in bug 567482. There you can find the full list of packages to be stabilized. Added to existing GLSA. This issue was resolved and addressed in GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75 by GLSA coordinator Thomas Deutschmann (whissi). |
From ${URL} : A bug in perl can cause regular expressions an malformed UTF8 inputs to go into a forever loop and consume 100% CPU. The issue was found to drive a realworld web application into an infinite loop" The Upstream bugreport about this issue: https://rt.perl.org/Public/Bug/Display.html?id=123562 Upstream commit: http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5 (which e.g. has been as well cherry-picked back to the maint-5.22 branch). @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.