On Sun, Apr 20, 2008 at 09:46:34PM +0200, Florian Weimer wrote:
 
> >> I'm unsure about the security implications. Will ask for opinions on p5p.
> >> Cc'ing the security team to get them in the loop.
> >
> > No response from either in two weeks, so it seems that nobody is
> > particularly concerned.
> 
> It's potentially security-relevant if it can be exploited by
> UTF-8-decoding some input within the script.
> 
> Has there been any reaction on perl-5-porters (I guess this is what p5p
> stands for)?
 
No reaction except a mention in "This Week on perl5-porters":

 http://www.nntp.perl.org/group/perl.perl5.porters/2008/04/msg135902.html

On Sun, Apr 20, 2008 at 09:56:23PM +0200, Florian Weimer wrote:

> Okay, next opinion, after actually investigating the bug (not so much
> "different bug", but "wrong impression after seeing the uuencode blob"):
> 
> This bug also happens with
> 
>   if (/^\Q$ans\E| \Q$ans\E/) { print "I was wrong, sorry...\n"}
> 
> (the recommended method of including untrusted input in regular
> expressions).  As a result, I fear that it opens a DoS vector in quite a
> few services.
> 
> How much testing has this patch:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=26;filename=27_fix_regcomp_utf8;att=1;bug=454792
> 
> received?

It's picked from the upstream branch that's soon going to be released
as 5.8.9.

I have verified that it fixes the reported segfault and built a local
package passing the test suite on i386/sid on top of 5.8.8-12.

> Are there any other issues we should bundle with an update?

Please look at #470676, which I also Cc'd the security team about today.

No other issues that I know about. Brendan?

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to