Date: Sun, 20 Apr 2008 17:43:37 -0800
From: Jonathan Smith <smithj@...ethemallocs.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request:Perl bug #48156

Florian Weimer wrote:
| Debian will release a security update for Perl bug #48156.  This looks a
| bit like a heap overflow in valgrind.  I consider the DoS vector
| important enough (which manifests on i386), so I haven't checked if it is
| exploitable beyond that.
|
| This is just a heads-up, in case someone else wants to release an
| update.  The issue itself is already public (also via Debian bug
| #454792).

Thanks for the info. Since this is already public, I'm CCing oss-security.

I've reproduced the crash on rPath Linux 2, with perl 5.8.8. On rPL 1,
perl 5.8.7 does not crash, but valgrind shows overflows.

So, we'll probably need a CVE. Steve?

	smithj

