perl: CVE-2014-4330: stack exhaustion bug in Data::Dumper


Debian Bug report logs - #762256

Package: src:perl; Maintainer for src:perl is Niko Tyni <ntyni@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 20 Sep 2014 07:42:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version perl/5.14.2-21

Fixed in versions perl/5.20.1-1, perl/5.14.2-21+deb7u2

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#762256; Package src:perl. (Sat, 20 Sep 2014 07:42:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>. (Sat, 20 Sep 2014 07:42:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl: CVE-2014-4330: stack exhaustion bug in Data::Dumper
Date: Sat, 20 Sep 2014 09:40:03 +0200
Source: perl
Version: 5.14.2-21
Severity: important
Tags: security upstream patch fixed-upstream

Hi Niko and Dominic,

I know you are already aware of it, but I am creating a bug in the BTS to have
easier trackability for the security-tracker (thanks also for already
requesting the upload through wheezy-pu).

CVE-2014-4330[0]:
stack exhaustion in Data::Dumper

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-4330
[1] http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg220118.html
[2] http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304

Thanks for your work! Regards,
Salvatore



Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 20 Sep 2014 09:33:11 GMT)


Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sat, 20 Sep 2014 15:27:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Sep 2014 15:27:13 GMT)


Message #12 received at 762256-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 762256-close@bugs.debian.org
Subject: Bug#762256: fixed in perl 5.20.1-1
Date: Sat, 20 Sep 2014 15:23:46 +0000
Source: perl
Source-Version: 5.20.1-1

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 20 Sep 2014 14:11:36 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all i386 source
Version: 5.20.1-1
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 762256 762269 762270
Description: 
 libperl5.20 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes:
 perl (5.20.1-1) unstable; urgency=medium
 .
   * New upstream release
   * [SECURITY] CVE-2014-4330: don't recurse infinitely in Data::Dumper
     (Closes: #762256)
   * Update Standards-Version (no changes)
   * Update maintainer tests to reflect the fact that libcgi-fast-perl
     is not being shipped
   * Update Breaks versions for libfile-spec-perl, libmodule-corelist-perl,
     libversion-perl
   * Update patch metadata to reflect upstream status
     (Closes: #762270, #762269)
   * Upload to unstable
Checksums-Sha1: 
Checksums-Sha256: 
Files: 





Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Tue, 30 Sep 2014 05:51:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 30 Sep 2014 05:51:12 GMT)


Message #17 received at 762256-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 762256-close@bugs.debian.org
Subject: Bug#762256: fixed in perl 5.14.2-21+deb7u2
Date: Tue, 30 Sep 2014 05:47:08 +0000
Source: perl
Source-Version: 5.14.2-21+deb7u2

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 27 Sep 2014 23:48:33 +0100
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.14 libperl-dev perl
Architecture: all i386 source
Version: 5.14.2-21+deb7u2
Distribution: stable
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 762256
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl5.14 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes: 
 perl (5.14.2-21+deb7u2) stable; urgency=low
 .
   * [SECURITY] CVE-2014-4330: don't recurse infinitely in Data::Dumper
     (Closes: #762256)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Nov 2014 07:33:51 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:05:13 2019; Machine Name: beach
