On Fri, Jun 12, 2009 at 12:00:11AM +0300, Niko Tyni wrote: > > > > Compress::Raw::Zlib versions before 2.017 contain a buffer overflow in > > > inflate(). A badly formed zlib-stream can trigger this buffer overflow > > > and cause > > > the perl process at least to hang or to crash. > > > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391
> Security team, I'd love to have some confirmation on all this. I'll make > my best to get the fix into sid in the weekend, hopefully Friday night. Just uploaded perl/5.10.0-23 with the minimal fix and urgency=high. > @pkg-perl: if somebody wants to handle the separate package, be my > guest. I'll prioritize the perl package and will look at the other one > afterwards if necessary. For the benefit of testing migration, I suggest a minimal 2.015-2 upload for libcompress-raw-zlib-perl too, despite the newer upstream version already pending in the pkg-perl SVN repository. The libio-compress-zlib-perl, libcompress-raw-zlib-perl, and libio-compress-base-perl versions are currently tightly coupled and updating libcompress-raw-zlib-perl past 2.015 will need changes to the other ones too. I'll prepare a security perl upload for lenny next, probably tomorrow. Cheers, -- Niko Tyni [email protected] -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

