Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 19 Aug 2011 15:49:41 -0400 (EDT)
From: Josh Bressers <>
Subject: Re: CVE request: heap overflow in perl while
 decoding Unicode string

I'm going to assign this CVE-2011-2939. It looks like a single byte
overflow. It's probably not exploitable (even as a DoS), but to play it
safe, I'm assigning this ID.



----- Original Message -----
> Does anyone know more about this flaw? It's in perl and the Encode
> module:
> ! Unicode/Unicode.xs
> Addressed the following:
> Date: Fri, 22 Jul 2011 13:58:43 +0200
> From: Robert Zacek <>
> To:
> Subject: Unicode.xs!decode_xs n-byte heap-overflow
> It's been fixed in perl:
> Seems to be in all versions of perl since 5.10.0.
> There isn't really information on the impact of this though. I don't
> know enough to determine whether this is something that can cause
> arbitrary code execution, whether some gcc/glibc hardening prevents or
> minimizes the impact, whether it's a crash-only, etc. It has been
> asked
> on the perl5-porters list, but no response was given:
> Does anyone know anything more about this flaw? Could a CVE be
> assigned
> to it as well?
> Thanks.
> --
> Vincent Danen / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ