Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

perl: Segfault in S_regmatch from bad backreference (CVE-2013-7422)

Related Vulnerabilities: CVE-2013-7422  

Source

Debian Bug report logs - #776046
perl: Segfault in S_regmatch from bad backreference (CVE-2013-7422)

version graph

Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl (PTS, buildd, popcon).

Reported by: Niko Tyni <ntyni@debian.org>

Date: Fri, 23 Jan 2015 11:03:01 UTC

Severity: important

Tags: fixed-upstream, security, wheezy

Found in version perl/5.14.2-21

Fixed in version perl/5.20.0-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://rt.perl.org/Public/Bug/Display.html?id=119505

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#776046; Package perl. (Fri, 23 Jan 2015 11:03:06 GMT) (full text, mbox, link).

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
New Bug report received and forwarded. (Fri, 23 Jan 2015 11:03:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>
To: submit@bugs.debian.org
Subject: perl: Segfault in S_regmatch from bad backreference
Date: Fri, 23 Jan 2015 13:01:13 +0200
Package: perl
Version: 5.14.2-21
Severity: important
Tags: wheezy security
Forwarded: https://rt.perl.org/Public/Bug/Display.html?id=119505
Control: fixed -1 5.20.0-1

perl -e '/\7777777777/' 
Segmentation fault (core dumped)

This was fixed upstream in 5.19.5 with
 http://perl5.git.perl.org/perl.git/commitdiff/0c2990d652e985784f095bba4bc356481a66aa06

so it doesn't affect jessie or sid.

carnil from the security team says this should be probably be fixed in
a point release but it's not worth a DSA.
-- 
Niko Tyni   ntyni@debian.org

Marked as fixed in versions perl/5.20.0-1. Request was from Niko Tyni <ntyni@debian.org> to submit@bugs.debian.org. (Fri, 23 Jan 2015 11:03:06 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#776046; Package perl. (Tue, 27 Jan 2015 16:21:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 27 Jan 2015 16:21:04 GMT) (full text, mbox, link).

Message #12 received at 776046@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Niko Tyni <ntyni@debian.org>, 776046@bugs.debian.org
Subject: Re: Bug#776046: perl: Segfault in S_regmatch from bad backreference
Date: Tue, 27 Jan 2015 17:19:07 +0100
Control: retitle -1 perl: Segfault in S_regmatch from bad backreference (CVE-2013-7422)

Hi Niko,

On Fri, Jan 23, 2015 at 01:01:13PM +0200, Niko Tyni wrote:
> Package: perl
> Version: 5.14.2-21
> Severity: important
> Tags: wheezy security
> Forwarded: https://rt.perl.org/Public/Bug/Display.html?id=119505
> Control: fixed -1 5.20.0-1
> 
> perl -e '/\7777777777/' 
> Segmentation fault (core dumped)
> 
> This was fixed upstream in 5.19.5 with
>  http://perl5.git.perl.org/perl.git/commitdiff/0c2990d652e985784f095bba4bc356481a66aa06
> 
> so it doesn't affect jessie or sid.
> 
> carnil from the security team says this should be probably be fixed in
> a point release but it's not worth a DSA.

So this got assigned a CVE now, it is CVE-2013-7422, see
http://www.openwall.com/lists/oss-security/2015/01/27/3

Regards,
Salvatore

Changed Bug title to 'perl: Segfault in S_regmatch from bad backreference (CVE-2013-7422)' from 'perl: Segfault in S_regmatch from bad backreference' Request was from Salvatore Bonaccorso <carnil@debian.org> to 776046-submit@bugs.debian.org. (Tue, 27 Jan 2015 16:21:04 GMT) (full text, mbox, link).

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 31 Dec 2015 17:12:06 GMT) (full text, mbox, link).

Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Feb 2019 14:42:05 GMT) (full text, mbox, link).

Notification sent to Niko Tyni <ntyni@debian.org>:
Bug acknowledged by developer. (Sat, 16 Feb 2019 14:42:06 GMT) (full text, mbox, link).

Message sent on to Niko Tyni <ntyni@debian.org>:
Bug#776046. (Sat, 16 Feb 2019 14:42:10 GMT) (full text, mbox, link).

Message #23 received at 776046-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 776046-submitter@bugs.debian.org
Subject: closing 776046
Date: Sat, 16 Feb 2019 15:39:53 +0100
close 776046 5.20.0-1
thanks

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Mar 2019 07:32:36 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:41:45 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started