From https://github.com/Perl/perl5/commit/2d00bc45c5a0a53e522a6b986b0e343097e4696c#diff-9519bf71d633eb5c46351ee781b20b95f5420217819cd9dae32176dc210b2d47R40:

"""
=head2 CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property

This vulnerability was reported directly to the Perl security team by Nathan Mills C<the.true.nathan.mills@gmail.com>.

A crafted regular expression when compiled by perl 5.30.0 through 5.38.0 can cause a one-byte attacker controlled buffer overflow in a heap allocated buffer.
"""
Fixed in 5.38.1.
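For auditing hosts against the range given in the advisory quoted above (5.30.0 through 5.38.0 affected, 5.38.1 fixed), here is a small version check. It is an added example, not code from the Perl project or from the Gentoo ebuild; the function name and the sample inventory list are my own, and the only assumption is that the affected range ends exactly where the advisory says it does.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use version 0.77;

# Range taken from the advisory text: 5.30.0 through 5.38.0 are affected,
# 5.38.1 is the first fixed release.
my $FIRST_AFFECTED = version->parse('v5.30.0');
my $FIRST_FIXED    = version->parse('v5.38.1');

# Returns 1 if the given dotted version (e.g. "v5.38.0" or "5.36.1") lies in
# the affected range, 0 otherwise. Always pass a three-part dotted version:
# "5.38" would be read by version.pm as 5.380, which is *newer* than 5.38.1.
sub affected_by_cve_2023_47038 {
    my ($vstr) = @_;
    my $v = version->parse($vstr);
    return ($v >= $FIRST_AFFECTED && $v < $FIRST_FIXED) ? 1 : 0;
}

# Check the interpreter that is running this script. $^V is already a
# version object on any perl in the affected range.
my $running = version->parse($^V);
printf "running perl %s: %s\n", $running->normal,
    affected_by_cve_2023_47038($running->normal)
        ? 'affected, upgrade to 5.38.1 or later'
        : 'not affected';

# Constructed sample inventory (hypothetical hosts, not real data) to show the
# boundaries of the range.
my %inventory = (
    'host-a' => 'v5.28.3',   # before the range
    'host-b' => 'v5.30.0',   # first affected release
    'host-c' => 'v5.36.1',   # inside the range
    'host-d' => 'v5.38.0',   # last affected release
    'host-e' => 'v5.38.1',   # first fixed release
    'host-f' => 'v5.38.2',   # the version Gentoo unmasked
);

for my $host (sort keys %inventory) {
    my $v = $inventory{$host};
    printf "%-7s perl %-8s %s\n", $host, $v,
        affected_by_cve_2023_47038($v) ? 'AFFECTED' : 'ok';
}
```

Expected outcome for the sample list: host-b, host-c and host-d are reported as affected; host-a, host-e and host-f are not. On Gentoo the same comparison can be driven from `perl -e 'print $^V'` per host rather than the script's own interpreter.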
commit d1b2c352339239dc5d153081567aef0286828084 (origin/master, origin/HEAD)
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Sun Nov 26 17:15:35 2023 +0100

    dev-lang/perl: add 5.38.1

    One test fails (porting/regen.t), but that's harmless. Fix coming soon.

    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

commit df327deb744b58519799378d67c3e219b126e96c
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Sun Nov 26 16:47:35 2023 +0100

    package.mask: Add perl 5.38.1 WIP mask

    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0b7369815e7f995486d0fe256bfeda1f4a0eaec

commit c0b7369815e7f995486d0fe256bfeda1f4a0eaec
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-11-29 22:32:53 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-11-29 22:34:01 +0000

    package.mask: Unmask Perl 5.38.2

    Bug: https://bugs.gentoo.org/918612
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 7 -------
 1 file changed, 7 deletions(-)
Given that this is a one byte write overflow I've classified it at "3" assuming that just having that one byte will be hard to exploit for e.g. RCE. We can upgrade to "2" if that assumption is wrong.
(In reply to Hans de Graaff from comment #4) > Given that this is a one byte write overflow I've classified it at "3" > assuming that just having that one byte will be hard to exploit for e.g. > RCE. We can upgrade to "2" if that assumption is wrong. This assumption is wrong, even one byte could lead to RCE.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=06b1665a387d4d7cb73b9b91b99b6ed644d013ed

commit 06b1665a387d4d7cb73b9b91b99b6ed644d013ed
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-11-17 09:51:20 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-11-17 09:51:58 +0000

    [ GLSA 202411-09 ] Perl: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/807307
    Bug: https://bugs.gentoo.org/905296
    Bug: https://bugs.gentoo.org/918612
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202411-09.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)