Date: Sun, 20 Apr 2008 17:43:37 -0800
From: Jonathan Smith <smithj@...ethemallocs.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: Florian Weimer <fw@...eb.enyo.de>, vendor-sec@....de, 
 oss-security@...ts.openwall.com
Subject: CVE request:Perl bug #48156

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Weimer wrote:
| Debian will release a security update for Perl bug #48156.  This looks a
| bit like a heap overflow in valgrind.  I consider the DoS vector
| important enough (which manifests on i386), so I haven't checked if it is
| exploitable beyond that.
|
| This is just a heads-up, in case someone else wants to release an
| update.  The issue itself is already public (also via Debian bug
| #454792).

Thanks for the info. Since this is already public, I'm CCing oss-security.

I've reproduced the crash on rPath Linux 2, with perl 5.8.8. On rPL 1,
perl 5.8.7 does not crash, but valgrind shows overflows.

So, we'll probably need a CVE. Steve?

	smithj

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkgL8UkACgkQCG91qXPaRek4EQCfQfem29oadZ+DVJoSK/Ti0weA
//0AnRICT5rf/KGfvOfJ+bxDg69k6bDj
=bTwa
-----END PGP SIGNATURE-----
