On Sun, Apr 20, 2008 at 09:46:34PM +0200, Florian Weimer wrote: > >> I'm unsure about the security implications. Will ask for opinions on p5p. > >> Cc'ing the security team to get them in the loop. > > > > No response from either in two weeks, so it seems that nobody is > > particularly concerned. > > It's potentially security-relevant if it can be exploited by > UTF-8-decoding some input within the script. > > Has there been any reaction on perl-5-porters (I guess this is what p5p > stands for)? No reaction except a mention in "This Week on perl5-porters":
http://www.nntp.perl.org/group/perl.perl5.porters/2008/04/msg135902.html On Sun, Apr 20, 2008 at 09:56:23PM +0200, Florian Weimer wrote: > Okay, next opinion, after actually investigating the bug (not so much > "different bug", but "wrong impression after seeing the uuencode blob"): > > This bug also happens with > > if (/^\Q$ans\E| \Q$ans\E/) { print "I was wrong, sorry...\n"} > > (the recommended method of including untrusted input in regular > expressions). As a result, I fear that it opens a DoS vector in quite a > few services. > > How much testing has this patch: > > http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=26;filename=27_fix_regcomp_utf8;att=1;bug=454792 > > received? It's picked from the upstream branch that's soon going to be released as 5.8.9. I have verified that it fixes the reported segfault and built a local package passing the test suite on i386/sid on top of 5.8.8-12. > Are there any other issues we should bundle with an update? Please look at #470676, which I also Cc'd the security team about today. No other issues that I know about. Brendan? Cheers, -- Niko Tyni [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

