Date: Thu, 18 Aug 2011 10:58:44 -0600 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE request: heap overflow in perl while decoding Unicode string Does anyone know more about this flaw? It's in perl and the Encode module: http://cpansearch.perl.org/src/DANKOGAI/Encode-2.44/Changes ! Unicode/Unicode.xs Addressed the following: Date: Fri, 22 Jul 2011 13:58:43 +0200 From: Robert Zacek <zacek@...st.com> To: perl5-security-report@...l.org Subject: Unicode.xs!decode_xs n-byte heap-overflow It's been fixed in perl: http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5 Seems to be in all versions of perl since 5.10.0. There isn't really information on the impact of this though. I don't know enough to determine whether this is something that can cause arbitrary code execution, whether some gcc/glibc hardening prevents or minimizes the impact, whether it's a crash-only, etc. It has been asked on the perl5-porters list, but no response was given: http://permalink.gmane.org/gmane.comp.lang.perl.perl5.porters/98004 Does anyone know anything more about this flaw? Could a CVE be assigned to it as well? Thanks. -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ