Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198196 (CVE-2007-5116) - dev-lang/perl < 5.8.8-r4 UTF/Regular expressions boundary error (CVE-2007-5116)
Summary: dev-lang/perl < 5.8.8-r4 UTF/Regular expressions boundary error (CVE-2007-5116)
Alias: CVE-2007-5116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on: 199518
  Show dependency tree
Reported: 2007-11-05 19:40 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-03 07:01 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 19:40:18 UTC
  A flaw was found in Perl's regular expression engine. Specially crafted
  input to a regular expression can cause Perl to improperly allocate memory,
  possibly resulting in arbitrary code running with the permissions of the
  user running Perl. (CVE-2007-5116)
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 19:41:42 UTC
Perl, please advise. A patch can be found at URL, I don't know the upstream status of it.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 13:53:31 UTC
Perl, please advise.
Comment 3 Antoine Raillon (RETIRED) gentoo-dev 2007-11-07 23:12:45 UTC
We are aware of it, however there's no status upstream yet. I'll handle it anyway =)
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-12 02:44:42 UTC
What's the status here?
Comment 5 Antoine Raillon (RETIRED) gentoo-dev 2007-11-12 17:20:47 UTC
- still nothing upstream
- I have an ebuild ready to be released but I'm waiting for some feedback from the security team :)
Comment 6 Antoine Raillon (RETIRED) gentoo-dev 2007-11-12 19:27:28 UTC
patch commited in perl-5.8.8-r3
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-12 19:41:49 UTC
Thanks Antoine.
Arches, please test and mark stable perl-5.8.8-r3.
Target keywords: "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2007-11-12 20:44:24 UTC
Stable for sparc.  All tests run cleanly, autotools work, ....
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-13 06:50:24 UTC
Stable for HPPA.
Comment 10 Dawid Węgliński (RETIRED) gentoo-dev 2007-11-13 09:26:41 UTC
Tested on amd64, please mark stable

Portage (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.19-rc1-git3 x86_64)
System uname: 2.6.19-rc1-git3 x86_64 AMD Opteron(tm) Processor 842
Timestamp of tree: Tue, 13 Nov 2007 00:02:01 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
CFLAGS="-march=opteron -O2 -fomit-frame-pointer -pipe"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=opteron -O2 -fomit-frame-pointer -pipe"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test unmerge-orphans userfetch"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="acl amd64 berkdb bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog midi mmx mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vim-syntax xorg zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Comment 11 Markus Meier gentoo-dev 2007-11-13 10:55:09 UTC
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-11-13 13:46:00 UTC
alpha/ia64 stable
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-11-13 18:08:08 UTC
ppc64 stable
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-13 19:53:56 UTC
ppc stable
Comment 15 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-14 01:11:09 UTC
amd64 done...
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 01:27:22 UTC
request filed.
Comment 17 Jakub Moc (RETIRED) gentoo-dev 2007-11-18 13:43:07 UTC
Back to ebuild, this patch broke the thing on any 64bit arch (Bug 199518)

  18 Nov 2007; <> -files/perl-5.8.8-lib64.patch,
  +files/perl-5.8.8-libbits.patch, perl-5.8.8-r2.ebuild,
  - fixed the lib64 patch that was breaking on amd64 32ul.
Comment 18 Christian Hartmann (RETIRED) gentoo-dev 2007-11-19 09:57:31 UTC
Revbump to -r4 to clean up the mess in bug #199518 (see suggestion in comment 22). 
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2007-11-19 11:54:02 UTC
(In reply to comment #18)
> Revbump to -r4 to clean up the mess in bug #199518 (see suggestion in comment
> 22). 

Is that our target to be stabled?
Comment 20 Christian Hartmann (RETIRED) gentoo-dev 2007-11-19 14:11:28 UTC
(In reply to comment #19)
> Is that our target to be stabled?

Yes. -r4 is what -r3 was before the mess introduced by the patch in the bug mentioned above.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2007-11-19 14:23:25 UTC
Ah, it's already stable. Thanks.
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-19 21:12:34 UTC
GLSA 200711-28, sorry for the delay.
Comment 23 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:46:26 UTC
Does not affect current (2008.0) release. Removing release.