On Wed, Jan 23, 2013 at 12:38:43AM +0100, Niels Thykier wrote:
> On 2013-01-22 23:59, Dominic Hargreaves wrote:
> > Adding debian-release as CC.
> >
> > On Wed, Jan 16, 2013 at 07:33:19AM +0100, Salvatore Bonaccorso wrote:
> >> Hi Dominic
> >>
> >> On Tue, Jan 15, 2013 at 11:26:09PM +0000, Dominic Hargreaves wrote:
> >>> On Mon, Jan 14, 2013 at 09:46:55PM +0100, Salvatore Bonaccorso wrote:
> >>>> Upload of Digest::SHA 5.81 mentions the following:
> >>>>
> >>>> 5.81 Mon Jan 14 05:17:08 MST 2013
> >>>> - corrected load subroutine (SHA.pm) to prevent double-free
> >>>> -- Bug #82655: Security issue - segfault
> >>>> -- thanks to Victor Efimov and Nicholas Clark
> >>>> for technical expertise and suggestions
> >>>>
> >>>> Upstream bugreport is [1] and it was also sent to
> >>>> perl5-security-rep...@perl.org list.
> >>>>
> >>>> [1]: https://rt.cpan.org/Ticket/Display.html?id=82655
> >>>
> >>> The view so far appears to be that this is not exploitable:
> >>>
> >>> http://seclists.org/oss-sec/2013/q1/88
> >>
> >> Yes I have seen. I think at this stage we can remove the security tag
> >> for #698174 (and #698172).
> >
> > At this stage I'm not planning to push this for inclusion in wheezy;
> > since it doesn't meet <http://release.debian.org/wheezy/freeze_policy.html>
> > but let me know if anyone thinks differently.
> >
>
> Is this the same fix as in libdigest-sha-perl?
Yes. The same perl module appears in perl core.

> If so, that already got
> an unblock.

Right. That is of course Priority: optional and therefore a Severity:
important fix qualifies. But until I read your question, I hadn't thought
through this carefully enough. Having this fix only in one of the two
places Digest::SHA appears in wheezy is probably a Bad Thing, so maybe we
should upload a fix for wheezy/perl after all.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)