perl: CVE-2023-47038: Write past buffer end via illegal user-defined Unicode property

Related Vulnerabilities: CVE-2023-47038   CVE-2023-47039  

Debian Bug report logs - #1056746


Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl.

Reported by: Niko Tyni <ntyni@debian.org>

Date: Sat, 25 Nov 2023 20:21:01 UTC

Severity: important

Tags: bookworm, bullseye, fixed-upstream, patch, security, trixie

Found in version perl/5.30.0-1

Fixed in version perl/5.36.0-10

Done: Niko Tyni <ntyni@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#1056746; Package perl. (Sat, 25 Nov 2023 20:21:04 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Sat, 25 Nov 2023 20:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: submit@bugs.debian.org
Subject: perl: CVE-2023-47038: Write past buffer end via illegal user-defined Unicode property
Date: Sat, 25 Nov 2023 22:17:18 +0200
Package: perl
Version: 5.30.0-1
Severity: important
Tags: security patch fixed-upstream bullseye bookworm trixie
X-Debbugs-Cc: team@security.debian.org

Perl upstream released 5.34.2, 5.36.2 and 5.38.1 today with coordinated
fixes for two security issues. One of these (CVE-2023-47039) is specific
to Windows, but the other one (CVE-2023-47038) concerns us.

We discussed this earlier with Salvatore from the security team and
decided that CVE-2023-47038 is non-DSA like other "crafted regular
expression crashes" we've handled in the past. It will hence be fixed
via point releases for stable and oldstable.

CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property

A test case is

  perl -e 'qr/\p{utf8::_perl_surrogate}/'

which crashes on oldstable (bullseye, 5.32), stable (bookworm, 5.36),
unstable / testing (5.36) and experimental (5.38).

The issue was introduced in the 5.30 cycle, so LTS (buster, 5.28) is
not affected.

The upstream fixes are at

  5.34 https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
  5.36 https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
  5.38 https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb29999a5a5219be664

The 5.34 fix applies to 5.32 as well.

I'll start with sid/trixie and handle the *stable updates after that,
mainly targeting the next bookworm point update on 2023-12-09 as per

  https://lists.debian.org/debian-project/2023/11/msg00003.html

For experimental/5.38, I intend to push 5.38.1 instead of cherry
picking the patch.
-- 
Niko Tyni   ntyni@debian.org
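The reproducer and the version facts in the report above lend themselves to a small triage script. The following is an added example and is not part of the bug report or of Debian's perl packaging: it classifies an upstream perl version against the introduction and fix points the report gives (introduced in 5.30; fixed in 5.34.2, 5.36.2 and 5.38.1) and runs the quoted one-liner in a child shell to see whether the interpreter dies from a signal. Two things in it are assumptions rather than facts from the report: that a patched perl rejects the illegal property name with an ordinary exit status (below 128) instead of a signal, and that stable series after 5.38 (5.40 and later) were cut with the fix in place. The function names `perl_cve_2023_47038_version_status` and `perl_cve_2023_47038_probe` are mine.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Debian's perl packaging.
# Facts taken from the report: the bug was introduced in the 5.30 cycle and
# fixed upstream in 5.34.2, 5.36.2 and 5.38.1; the reproducer is quoted below.
# Assumptions (not stated in the report): a patched perl rejects the illegal
# property name with an ordinary exit status (below 128) rather than dying
# from a signal, and stable series after 5.38 carry the fix.

# The one-liner from the report.
REPRO='qr/\p{utf8::_perl_surrogate}/'

# Classify an upstream perl version string ("5.36.0", "v5.36.0", or Debian
# style "5.36.0-10" with the packaging revision ignored) against the upstream
# fix points. Prints one of: unaffected, affected, fixed, unknown.
# A distribution that backports the patch still reports an "affected" upstream
# version, so "affected" means "run the probe below", not "vulnerable".
perl_cve_2023_47038_version_status() {
    ver="${1#v}"; ver="${ver%%-*}"
    maj="${ver%%.*}"; rest="${ver#*.}"
    min="${rest%%.*}"; patch="${rest#*.}"
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "5.36" has no patch level
    case "$maj:$min:$patch" in
        *[!0-9:]*) echo unknown; return 0 ;;      # not a dotted numeric version
    esac
    if [ -z "$maj" ] || [ -z "$min" ]; then echo unknown; return 0; fi
    if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 30 ]; }; then
        echo unaffected; return 0                 # before the bug was introduced
    fi
    if [ "$maj" -gt 5 ]; then echo unknown; return 0; fi
    case "$min" in
        30|32) echo affected ;;                   # no upstream point release carries the fix
        34|36) [ "$patch" -ge 2 ] && echo fixed || echo affected ;;
        38)    [ "$patch" -ge 1 ] && echo fixed || echo affected ;;
        *)     # 5.40 and later (assumed fixed); odd minors are development releases
               if [ $((min % 2)) -eq 0 ]; then echo fixed; else echo unknown; fi ;;
    esac
}

# Run the reproducer under $1 (default: perl) and report how the interpreter
# exited. Prints one of:
#   no-perl            the binary is not on PATH
#   crashed            the child died from a signal (shell status 129..192): affected
#   not-crashed:<n>    ordinary exit with perl's own status n; consistent with
#                      a fix but not proof of one (see the note after the block)
perl_cve_2023_47038_probe() {
    bin="${1:-perl}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo no-perl; return 0
    fi
    status=0
    # A subshell keeps a crashing child from taking this script down and
    # lets us silence the shell's "Segmentation fault" message.
    ( "$bin" -e "$REPRO" ) >/dev/null 2>&1 || status=$?
    if [ "$status" -gt 128 ] && [ "$status" -le 192 ]; then
        echo crashed                              # shell convention: 128 + signal number
    else
        echo "not-crashed:$status"
    fi
}

# Usage: sh this_script.sh run [/path/to/perl]
if [ "${1:-}" = run ]; then
    bin="${2:-perl}"
    ver=$("$bin" -e 'printf "%vd\n", $^V' 2>/dev/null || echo unknown)
    echo "$bin $ver: version status $(perl_cve_2023_47038_version_status "$ver")," \
         "reproducer $(perl_cve_2023_47038_probe "$bin")"
fi
```

A clean exit from the probe is not proof of a fix: a write past a buffer end need not crash on every heap layout, so a "not-crashed" result on a version the classifier calls "affected" should be settled from the package changelog (Debian's 5.36.0-10, for instance, reports upstream 5.36.0 but carries the patch) or by rerunning the reproducer under a perl built with AddressSanitizer.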



Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Sat, 25 Nov 2023 22:09:03 GMT)


Notification sent to Niko Tyni <ntyni@debian.org>:
Bug acknowledged by developer. (Sat, 25 Nov 2023 22:09:03 GMT)


Message #10 received at 1056746-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1056746-close@bugs.debian.org
Subject: Bug#1056746: fixed in perl 5.36.0-10
Date: Sat, 25 Nov 2023 22:04:55 +0000
Source: perl
Source-Version: 5.36.0-10
Done: Niko Tyni <ntyni@debian.org>

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1056746@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Nov 2023 22:54:24 +0200
Source: perl
Architecture: source
Version: 5.36.0-10
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Closes: 1056746
Changes:
 perl (5.36.0-10) unstable; urgency=medium
 .
   * [SECURITY] CVE-2023-47039: Write past buffer end via illegal
     user-defined Unicode property. (Closes: #1056746)
Checksums-Sha1:
 28bf190aeb55dfece2a91005c04c46fe3733813d 2923 perl_5.36.0-10.dsc
 d4bca42a1e8d2794de792d0276b4575f5d2f8538 172148 perl_5.36.0-10.debian.tar.xz
 729322e1193b4ca307ef620574045c8f8b18fbf8 6242 perl_5.36.0-10_source.buildinfo
Checksums-Sha256:
 ab00058c9cc6a2fbb1e716f24257eab332422f5f575a0b0e0452db9f14d40975 2923 perl_5.36.0-10.dsc
 b14fb2e71fbc6a0310c6f5a4ec2a1fe88de4a6954532d45ae94578d51c56870b 172148 perl_5.36.0-10.debian.tar.xz
 d45c5f415d07137fb0eee13139755bc512db27a00fd20c09eed0e725f4a5ea3a 6242 perl_5.36.0-10_source.buildinfo
Files:
 e839c3745f8baa38952bd459b6920489 2923 perl standard perl_5.36.0-10.dsc
 64ff69c222010d43dffb4c246f328259 172148 perl standard perl_5.36.0-10.debian.tar.xz
 b8d92cfb432e2647671429639cdd1733 6242 perl standard perl_5.36.0-10_source.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Nov 26 08:17:04 2023; Machine Name: buxtehude
