Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 293128 (CVE-2009-3626) - <=dev-lang/perl-5.10.1 DOS (CVE-2009-3626)
Summary: <=dev-lang/perl-5.10.1 DOS (CVE-2009-3626)
Status: RESOLVED LATER
Alias: CVE-2009-3626
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://perl5.git.perl.org/perl.git/co...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-13 23:25 UTC by Stefan Behte (RETIRED)
Modified: 2010-04-30 17:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-11-13 23:25:18 UTC
CVE-2009-3626 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3626):
  Perl 5.10.1 allows context-dependent attackers to cause a denial of
  service (application crash) via a UTF-8 character with a large,
  invalid codepoint, which is not properly handled during a
  regular-expression match.
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2009-11-13 23:34:31 UTC
5.10.1 was fixed:

| 27 Oct 2009; Torsten Veller <tove@gentoo.org> perl-5.10.1.ebuild:
| Fix RT69973: disable non-unicode case insensitive trie matching (#290194)

5.8.8 is not vulerable.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-13 23:54:43 UTC
I only grepped for the CVE identifier and UTF. #290194 only lists dev-perl/HTML-Parser and has a different CVE; I didn't look into this too deeply...if I understood it correctly, you are 100% it's the same bug/already fixed? I'm just wondering about the different CVE numbers.

Comment 3 Torsten Veller (RETIRED) gentoo-dev 2009-11-14 06:42:05 UTC
(In reply to comment #2)
> if I understood it correctly, you are 100% it's the same bug/already
> fixed? I'm just wondering about the different CVE numbers.

Jepp. Bug #290194 links the spamassassin bug which is about the HTML-Parser and the perl bug so both were fixed.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-15 21:08:30 UTC

*** This bug has been marked as a duplicate of bug 290194 ***
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-11-16 12:26:21 UTC
  27 Oct 2009; Torsten Veller <tove@gentoo.org> perl-5.10.1.ebuild:
  Fix RT69973: disable non-unicode case insensitive trie matching (#290194)

Changing the ebuild in place does not fix the vulnerability for users that have it installed. Please revbump.
Comment 6 Torsten Veller (RETIRED) gentoo-dev 2009-11-16 12:41:11 UTC
perl-5.10.1 is still package.mask'ed and i left a note on the tracker bug <https://bugs.gentoo.org/show_bug.cgi?id=280724#c1> to bump i when it gets unmasked.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-11-16 12:54:15 UTC
Ok, I was not aware it is p.masked. Sorry for the noise.