CVE-2009-3626: DoS in Unicode processing


Debian Bug report logs - #552291


Package: perl-base; Maintainer for perl-base is Niko Tyni <ntyni@debian.org>; Source for perl-base is src:perl.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 25 Oct 2009 08:42:02 UTC

Severity: grave

Tags: confirmed, fixed-upstream, patch, security, upstream

Found in version perl-base/5.10.1-5

Fixed in version perl/5.10.1-6

Done: jackyf@debian.org (Eugene V. Lyubimkin)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#552291; Package perl. (Sun, 25 Oct 2009 08:42:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Brendan O'Dea <bod@debian.org>. (Sun, 25 Oct 2009 08:42:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-3626: DoS in Unicode processing
Date: Sun, 25 Oct 2009 09:19:00 +0100
Package: perl
Version: 5.10.1-5
Severity: grave
Tags: security

Quoting a posting from Jan Lieskovsky/Red Hat to oss-security.
I've verified that Etch and Lenny are not affected.

Cheers,
        Moritz

----
Hello Steve, vendors,

  Mark Martinec reported a Perl crash while processing a UTF-8 character
with a large and invalid codepoint.

References:
----------
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225 (original source)
http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973 (perl bug)
http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/ (PoC)

Affected versions:
------------------
Have checked that Perl versions perl-5.8.0, perl-5.8.5, perl-5.8.8 and perl-5.10.0
are not vulnerable to this flaw.

The issue was confirmed in Perl version perl-5.10.1, as available at:

http://www.cpan.org/src/perl-5.10.1.tar.gz

CVE identifier:
---------------
The CVE identifier CVE-2009-3626 has already been assigned to this issue.
---



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages perl depends on:
ii  libbz2-1.0             1.0.5-3           high-quality block-sorting file co
ii  libc6                  2.9-27            GNU C Library: Shared libraries
ii  libdb4.7               4.7.25-8          Berkeley v4.7 Database Libraries [
ii  libgdbm3               1.8.3-6+b1        GNU dbm database routines (runtime
ii  perl-base              5.10.1-5          minimal Perl system
ii  perl-modules           5.10.1-5          Core Perl modules
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

Versions of packages perl recommends:
ii  make                          3.81-6     An utility for Directing compilati
ii  netbase                       4.37       Basic TCP/IP networking system

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | l <none>     (no description available)
ii  perl-doc                      5.10.1-5   Perl documentation

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#552291; Package perl. (Sun, 25 Oct 2009 09:39:05 GMT)

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. (Sun, 25 Oct 2009 09:39:05 GMT)

Message #10 received at 552291@bugs.debian.org:

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 552291@bugs.debian.org
Subject: Re: Bug#552291: CVE-2009-3626: DoS in Unicode processing
Date: Sun, 25 Oct 2009 11:09:53 +0200
package perl perl-base
reassign 552291 perl-base
found 552291 perl-base/5.10.1-5
tags 552291 + confirmed upstream
thanks

Moritz Muehlenhoff wrote:
> Package: perl
> Version: 5.10.1-5
> Severity: grave
> Tags: security
> 
> Quoting a posting from Jan Lieskovsky/Red Hat to oss-security.
> I've verified that Etch and Lenny are not affected.
> 
Thanks for the report. An upstream fix is not yet available, waiting for it.

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
C++/Perl developer, Debian Developer

Bug reassigned from package 'perl' to 'perl-base'. Request was from "Eugene V. Lyubimkin" <jackyf.devel@gmail.com> to control@bugs.debian.org. (Sun, 25 Oct 2009 16:27:06 GMT)

Bug No longer marked as found in versions perl/5.10.1-5. Request was from "Eugene V. Lyubimkin" <jackyf.devel@gmail.com> to control@bugs.debian.org. (Sun, 25 Oct 2009 16:27:06 GMT)

Bug Marked as found in versions perl-base/5.10.1-5. Request was from "Eugene V. Lyubimkin" <jackyf.devel@gmail.com> to control@bugs.debian.org. (Sun, 25 Oct 2009 16:27:07 GMT)

Added tag(s) upstream and confirmed. Request was from "Eugene V. Lyubimkin" <jackyf.devel@gmail.com> to control@bugs.debian.org. (Sun, 25 Oct 2009 16:27:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#552291; Package perl-base. (Tue, 27 Oct 2009 09:45:09 GMT)

Acknowledgement sent to Matt Kraai <kraai@ftbfs.org>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. (Tue, 27 Oct 2009 09:45:09 GMT)

Message #23 received at 552291@bugs.debian.org:

From: Matt Kraai <kraai@ftbfs.org>
To: 552291@bugs.debian.org, control@bugs.debian.org
Subject: Upstream fix available
Date: Mon, 26 Oct 2009 21:33:29 -0700
tag 552291 + patch
thanks

Hi,

This problem has been fixed upstream by the attached commit, which is
also available from

 http://perl5.git.perl.org/perl.git/commit/0abd0d78a73da1c4d13b1c700526b7e5d03b32d4

-- 
Matt                                            http://ftbfs.org/kraai
[disable-non-unicode-case-insensitive-trie-matching.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Matt Kraai <kraai@ftbfs.org> to control@bugs.debian.org. (Tue, 27 Oct 2009 09:45:11 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Brendan O'Dea <bod@debian.org>:
Bug#552291; Package perl-base. (Tue, 27 Oct 2009 20:27:04 GMT)

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to Brendan O'Dea <bod@debian.org>. (Tue, 27 Oct 2009 20:27:04 GMT)

Message #30 received at 552291@bugs.debian.org:

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Matt Kraai <kraai@ftbfs.org>, 552291@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#552291: Upstream fix available
Date: Tue, 27 Oct 2009 12:12:52 +0200
package perl-base
tags 552291 + fixed-upstream
thanks

Matt Kraai wrote:
> tag 552291 + patch
> thanks
> 
> Hi,
> 
> This problem has been fixed upstream by the attached commit, which is
> also available from
> 
>  http://perl5.git.perl.org/perl.git/commit/0abd0d78a73da1c4d13b1c700526b7e5d03b32d4
Thanks for the message, Matt.

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
C++/Perl developer, Debian Developer

Added tag(s) fixed-upstream. Request was from "Eugene V. Lyubimkin" <jackyf.devel@gmail.com> to control@bugs.debian.org. (Tue, 27 Oct 2009 20:27:05 GMT)

Added tag(s) pending. Request was from Eugene V. Lyubimkin <jackyf@debian.org> to control@bugs.debian.org. (Tue, 27 Oct 2009 21:24:22 GMT)

Reply sent to jackyf@debian.org (Eugene V. Lyubimkin):
You have taken responsibility. (Thu, 29 Oct 2009 02:41:35 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 29 Oct 2009 02:41:35 GMT)

Message #39 received at 552291-close@bugs.debian.org:

From: jackyf@debian.org (Eugene V. Lyubimkin)
To: 552291-close@bugs.debian.org
Subject: Bug#552291: fixed in perl 5.10.1-6
Date: Wed, 28 Oct 2009 20:58:08 +0000
Source: perl
Source-Version: 5.10.1-6

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.1-6_all.deb
  to main/p/perl/libcgi-fast-perl_5.10.1-6_all.deb
libperl-dev_5.10.1-6_amd64.deb
  to main/p/perl/libperl-dev_5.10.1-6_amd64.deb
libperl5.10_5.10.1-6_amd64.deb
  to main/p/perl/libperl5.10_5.10.1-6_amd64.deb
perl-base_5.10.1-6_amd64.deb
  to main/p/perl/perl-base_5.10.1-6_amd64.deb
perl-debug_5.10.1-6_amd64.deb
  to main/p/perl/perl-debug_5.10.1-6_amd64.deb
perl-doc_5.10.1-6_all.deb
  to main/p/perl/perl-doc_5.10.1-6_all.deb
perl-modules_5.10.1-6_all.deb
  to main/p/perl/perl-modules_5.10.1-6_all.deb
perl-suid_5.10.1-6_amd64.deb
  to main/p/perl/perl-suid_5.10.1-6_amd64.deb
perl_5.10.1-6.diff.gz
  to main/p/perl/perl_5.10.1-6.diff.gz
perl_5.10.1-6.dsc
  to main/p/perl/perl_5.10.1-6.dsc
perl_5.10.1-6_amd64.deb
  to main/p/perl/perl_5.10.1-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552291@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eugene V. Lyubimkin <jackyf@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 22 Oct 2009 23:21:24 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all amd64
Version: 5.10.1-6
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <bod@debian.org>
Changed-By: Eugene V. Lyubimkin <jackyf@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 552291
Changes: 
 perl (5.10.1-6) unstable; urgency=high
 .
   * Added /me to Uploaders.
   * Apply upstream fix to resolve some crash in pattern matching against
     non-Unicode tainted string. This fixes CVE-2009-3626. (Closes: #552291)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 26 Nov 2009 07:33:24 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:53:38 2019; Machine Name: beach
