perl: CVE-2017-12883: Buffer over-read in regular expression parser

Related Vulnerabilities: CVE-2017-12883, CVE-2017-12837

Debian Bug report logs - #875597


Package: src:perl; Maintainer for src:perl is Niko Tyni <ntyni@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 12 Sep 2017 13:33:04 UTC

Severity: grave

Tags: patch, security, upstream

Found in version perl/5.20.2-1

Fixed in versions perl/5.26.0-8, perl/5.24.1-3+deb9u2, perl/5.20.2-3+deb8u9

Done: Niko Tyni <ntyni@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://rt.perl.org/Public/Bug/Display.html?id=131598



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#875597; Package src:perl. (Tue, 12 Sep 2017 13:33:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>. (Tue, 12 Sep 2017 13:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl: CVE-2017-12883: Buffer over-read in regular expression parser
Date: Tue, 12 Sep 2017 15:30:36 +0200
Source: perl
Version: 5.20.2-1
Severity: grave
Tags: security patch upstream
Forwarded: https://rt.perl.org/Public/Bug/Display.html?id=131598



*** /tmp/perl.reportbug
Package: perl
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for perl.

CVE-2017-12883[0]:
Buffer over-read in regular expression parser

From release notes:

For certain types of syntax error in a regular expression pattern, the error
message could either contain the contents of a random, possibly large, chunk of
memory, or could crash perl.  This has now been fixed.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12883
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12883
[1] https://rt.perl.org/Public/Bug/Display.html?id=131598 (not yet public)

Regards,
Salvatore



Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Tue, 12 Sep 2017 16:39:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 12 Sep 2017 16:39:11 GMT)


Message #10 received at 875597-close@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 875597-close@bugs.debian.org
Subject: Bug#875597: fixed in perl 5.26.0-8
Date: Tue, 12 Sep 2017 16:36:45 +0000
Source: perl
Source-Version: 5.26.0-8

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 875597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 12 Sep 2017 18:07:07 +0300
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.26 libperl-dev perl-modules-5.26 perl
Architecture: source
Version: 5.26.0-8
Distribution: unstable
Urgency: high
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description:
 libperl-dev - Perl library: development files
 libperl5.26 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.26 - Core Perl modules
Closes: 875596 875597
Changes:
 perl (5.26.0-8) unstable; urgency=high
 .
   * [SECURITY] CVE-2017-12837: Fix a heap buffer overflow in regular
     expression compiler. (Closes: #875596)
   * [SECURITY] CVE-2017-12883: Fix a buffer over-read in regular
     expression parser.   (Closes: #875597)




Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Sat, 23 Sep 2017 10:06:27 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 23 Sep 2017 10:06:27 GMT)


Message #15 received at 875597-close@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 875597-close@bugs.debian.org
Subject: Bug#875597: fixed in perl 5.24.1-3+deb9u2
Date: Sat, 23 Sep 2017 10:03:16 +0000
Source: perl
Source-Version: 5.24.1-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 875597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 12 Sep 2017 19:37:26 +0300
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.24 libperl-dev perl-modules-5.24 perl
Architecture: source
Version: 5.24.1-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description:
 libperl-dev - Perl library: development files
 libperl5.24 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.24 - Core Perl modules
Closes: 875596 875597
Changes:
 perl (5.24.1-3+deb9u2) stretch-security; urgency=high
 .
   * Update upstream base.pm no-dot-in-inc fix patch description.
   * [SECURITY] CVE-2017-12837: Fix a heap buffer overflow in regular
     expression compiler. (Closes: #875596)
   * [SECURITY] CVE-2017-12883: Fix a buffer over-read in regular
     expression parser.   (Closes: #875597)




Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Sat, 23 Sep 2017 11:36:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 23 Sep 2017 11:36:09 GMT)


Message #20 received at 875597-close@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 875597-close@bugs.debian.org
Subject: Bug#875597: fixed in perl 5.20.2-3+deb8u9
Date: Sat, 23 Sep 2017 11:33:26 +0000
Source: perl
Source-Version: 5.20.2-3+deb8u9

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 875597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 12 Sep 2017 20:00:57 +0300
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: source all
Version: 5.20.2-3+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description:
 libperl-dev - Perl library: development files
 libperl5.20 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 875596 875597
Changes:
 perl (5.20.2-3+deb8u9) jessie-security; urgency=high
 .
   * Update upstream base.pm no-dot-in-inc fix patch description.
   * [SECURITY] CVE-2017-12837: Fix a heap buffer overflow in regular
     expression compiler. (Closes: #875596)
   * [SECURITY] CVE-2017-12883: Fix a buffer over-read in regular
     expression parser.   (Closes: #875597)
     + also includes a separate upstream fix from the 5.23 cycle




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 26 Oct 2017 07:30:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:44:03 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.