
Bug 630610 (CVE-2017-12837, CVE-2017-12883)

Summary: <dev-lang/perl-{5.24.3, 5.26.1}: multiple vulnerabilities
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: kentnl, nobrowser, perl
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
=dev-lang/perl-5.24.3 =virtual/perl-Module-CoreList-5.201.709.220-r1 =virtual/perl-Time-HiRes-1.974.100-r1
Runtime testing required: No

Description GLSAMaker/CVETool Bot gentoo-dev 2017-09-10 18:54:20 UTC
CVE-2017-12883 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12883):
  For certain types of syntax error in a regular expression pattern, the error
  message could either contain the contents of a random, possibly large, chunk
  of memory, or could crash perl.

CVE-2017-12837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12837):
  Compiling certain regular expression patterns with the case-insensitive
  modifier could cause a heap buffer overflow and crash perl.
Comment 1 Larry the Git Cow gentoo-dev 2017-09-23 12:44:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9ca302d548362993fd4b39b99f0d17827134c86

commit e9ca302d548362993fd4b39b99f0d17827134c86
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2017-09-23 03:23:47 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2017-09-23 12:44:08 +0000

    dev-lang/perl: Bump to version 5.26.1 (pmasked)
    
    - Fixes for CVE-2017-12837, CVE-2017-12883
    
    Bug: https://bugs.gentoo.org/630610
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-lang/perl/Manifest           |   1 +
 dev-lang/perl/perl-5.26.1.ebuild | 623 +++++++++++++++++++++++++++++++++++++++
 profiles/package.mask            |   1 +
 3 files changed, 625 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71abf6a63e68f7d76756feafbdcc13767f90dcff

commit 71abf6a63e68f7d76756feafbdcc13767f90dcff
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2017-09-23 02:48:41 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2017-09-23 12:44:07 +0000

    dev-lang/perl: Bump to version 5.24.3 (pmasked)
    
    - Upstream Fixes for CVE-2017-12883, CVE-2017-12837
    - Upgraded POSIX
    - Upgraded Time::HiRes
    - Fixes for Configure + -flto on GCC6
    - Block -Duselongdouble and -Dusequadmath together
    
    Bug: https://bugs.gentoo.org/630610
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-lang/perl/Manifest                                       | 2 +-
 dev-lang/perl/{perl-5.24.3_rc1.ebuild => perl-5.24.3.ebuild} | 0
 profiles/package.mask                                        | 1 +
 3 files changed, 2 insertions(+), 1 deletion(-)
Comment 2 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-09-26 05:36:31 UTC
Dropping package list for future stabilization after Oct 7

ToCC List:

alpha amd64 arm hppa ia64 ppc ppc64 x86

Additional CC's as a politeness but won't be waited for:

sparc arm64
Comment 3 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-10-06 23:33:45 UTC
Arches: Please stabilize as per the package list to your left.

=dev-lang/perl-5.24.3
=virtual/perl-Module-CoreList-5.201.709.220-r1
=virtual/perl-Time-HiRes-1.974.100-r1

Thanks.
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-08 18:08:44 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-12 20:55:25 UTC
ppc64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 00:16:34 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 08:57:12 UTC
ia64 stable
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-10-13 11:26:13 UTC
Stable on amd64
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-13 14:40:43 UTC
x86 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-15 09:20:44 UTC
hppa stable
Comment 11 Markus Meier gentoo-dev 2017-10-16 18:11:31 UTC
arm stable
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:46:29 UTC
Stable on alpha.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-10-23 00:23:44 UTC
GLSA Vote: No

@maintainers, please clean the vulnerable versions.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2018-01-16 01:00:14 UTC
@perl, Can <5.24.3 be cleaned?
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-01-16 01:00:43 UTC
(In reply to Aaron Bauman from comment #14)
> @perl, Can <5.24.3 be cleaned?

and =5.26.0 please.
Comment 16 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2018-01-16 05:00:41 UTC
I wasn't expecting arm64 to take this long, and even though I said initially we wouldn't wait for them, I have so far because of Perl's importance relative to @system and how it would completely break their depgraph/stabilization efforts.

Last time I asked they were stuck needing a staging box sorted, or something like that.

I'll keep pressing them, but may end up doing a purge before they're ready.

( Though I really don't see what benefit we give our users by purging old versions, given portage will coerce their upgrade (or not) regardless, but that's a separate discussion )
Comment 17 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2018-01-16 22:47:50 UTC
Hah. Looks like vapier stabilized arm64 and didn't update this ticket. Cleanup commencing.
Comment 18 Larry the Git Cow gentoo-dev 2018-01-17 12:42:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bea32fa2444295a12f44c0e2e6bc3005b50a384

commit 2bea32fa2444295a12f44c0e2e6bc3005b50a384
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2018-01-16 22:52:42 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2018-01-17 12:42:09 +0000

    dev-lang/perl: Cleanup old re bug #630610
    
    Removing old versions affected by CVE-2017-12837, CVE-2017-12883
    
    Fallbacks to perl 5.24.1 and perl 5.24.2 removed for:
      virtual/perl-Archive-Tar
      virtual/perl-bignum
      virtual/perl-CPAN
      virtual/perl-Digest
      virtual/perl-Digest-SHA
      virtual/perl-Encode
      virtual/perl-ExtUtils-MakeMaker
      virtual/perl-File-Spec
      virtual/perl-HTTP-Tiny
      virtual/perl-IO-Compress
      virtual/perl-IO
      virtual/perl-IPC-Cmd
      virtual/perl-JSON-PP
      virtual/perl-libnet
      virtual/perl-Locale-Maketext
      virtual/perl-Locale-Maketext-Simple
      virtual/perl-Memoize
      virtual/perl-Net-Ping
      virtual/perl-Parse-CPAN-Meta
      virtual/perl-Storable
      virtual/perl-Sys-Syslog
      virtual/perl-Test-Harness
      virtual/perl-Test
      virtual/perl-XSLoader
    
    Virtuals that were only needed for Perl 5.24.1, 5.24.2, Perl 5.26.0
    that had versions removed:
    
      virtual/perl-Module-CoreList
    
    perl-core entries that had versions removed due to becoming
    unreferenced by any virtual:
      perl-core/Module-CoreList
    
    Bug: https://bugs.gentoo.org/630610
    Package-Manager: Portage-2.3.18, Repoman-2.3.6

 dev-lang/perl/Manifest                             |   8 -
 dev-lang/perl/perl-5.24.1-r2.ebuild                | 563 --------------------
 dev-lang/perl/perl-5.24.2.ebuild                   | 564 --------------------
 dev-lang/perl/perl-5.26.0.ebuild                   | 592 ---------------------
 perl-core/Module-CoreList/Manifest                 |   2 -
 .../Module-CoreList-5.201.705.300.ebuild           |  14 -
 .../Module-CoreList-5.201.707.150.ebuild           |  14 -
 ...uild => perl-Archive-Tar-2.40.100_rc-r5.ebuild} |   4 +-
 ...-r4.ebuild => perl-CPAN-2.110.100_rc-r5.ebuild} |   4 +-
 ...uild => perl-Digest-SHA-5.950.100_rc-r5.ebuild} |   4 +-
 .../perl-Digest/perl-Digest-1.170.100_rc-r4.ebuild |  15 -
 .../perl-Digest-1.170.100_rc-r5.ebuild}            |   4 +-
 ...2.ebuild => perl-Encode-2.800.100_rc-r3.ebuild} |   4 +-
 ...perl-ExtUtils-MakeMaker-7.100.200_rc-r3.ebuild} |   4 +-
 ...build => perl-File-Spec-3.630.100_rc-r3.ebuild} |   4 +-
 ...2.ebuild => perl-HTTP-Tiny-0.56.1_rc-r3.ebuild} |   4 +-
 ...ebuild => perl-IO-Compress-2.69.1_rc-r3.ebuild} |   4 +-
 ...rc-r2.ebuild => perl-IO-1.360.100_rc-r3.ebuild} |   4 +-
 .../perl-IPC-Cmd-0.920.100_rc-r5.ebuild}           |   4 +-
 .../perl-JSON-PP-2.273.0.100_rc-r5.ebuild}         |   4 +-
 ...-Locale-Maketext-Simple-0.210.100_rc-r5.ebuild} |   4 +-
 ...=> perl-Locale-Maketext-1.260.100_rc-r5.ebuild} |   4 +-
 .../perl-Memoize-1.30.100_rc-r5.ebuild}            |   4 +-
 .../perl-Module-CoreList-5.201.705.300.ebuild      |  15 -
 .../perl-Module-CoreList-5.201.707.150.ebuild      |  17 -
 ...ebuild => perl-Net-Ping-2.430.100_rc-r5.ebuild} |   4 +-
 ...perl-Parse-CPAN-Meta-1.441.700.100_rc-r2.ebuild |  15 -
 ...perl-Parse-CPAN-Meta-1.441.700.100_rc-r3.ebuild |  15 +
 .../perl-Storable-2.560.100_rc-r3.ebuild}          |   4 +-
 ...uild => perl-Sys-Syslog-0.330.100_rc-r5.ebuild} |   4 +-
 .../perl-Test-Harness-3.360.100_rc-r2.ebuild       |  15 -
 .../perl-Test-Harness-3.360.100_rc-r3.ebuild       |  15 +
 .../perl-Test-1.280.100_rc-r3.ebuild}              |   4 +-
 ...0-r2.ebuild => perl-XSLoader-0.220.0-r3.ebuild} |   4 +-
 ...2.ebuild => perl-bignum-0.420.100_rc-r3.ebuild} |   4 +-
 .../perl-libnet-3.80.100_rc-r3.ebuild}             |   4 +-
 36 files changed, 74 insertions(+), 1878 deletions(-)
Comment 19 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2018-01-17 12:46:02 UTC
Cleanup done. Over to you.
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2018-01-17 13:55:50 UTC
(In reply to Kent Fredric (IRC: kent\n) from comment #19)
> Cleanup done. Over to you.

Thanks, Kent!
Comment 21 Teika kazura 2018-04-26 04:20:20 UTC
@security: Please issue a GLSA; none has been issued yet!
Comment 22 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-04-26 17:32:11 UTC
(In reply to Teika kazura from comment #21)
> @security: Please issue a GLSA; none has been issued yet!

This issue was not eligible for a GLSA; please refer to the Gentoo Vulnerability Treatment Policy [1] for more detailed info.

Fixed versions are already available.

[1]: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html