perl-debug: CVE-2010-4777 perl: assertion failure with certain regular expressions

Related Vulnerabilities: CVE-2010-4777  

Debian Bug report logs - #628836


Package: perl-debug; Maintainer for perl-debug is Niko Tyni <ntyni@debian.org>; Source for perl-debug is src:perl.

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Wed, 1 Jun 2011 18:24:02 UTC

Severity: important

Tags: fixed-upstream, security

Fixed in version 5.18.0-1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Forwarded to http://rt.perl.org/rt3/Public/Bug/Display.html?id=76538



Report forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#628836; Package perl-debug. (Wed, 01 Jun 2011 18:24:05 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 01 Jun 2011 18:24:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl-debug: CVE-2010-4777 perl: assertion failure with certain regular expressions
Date: Wed, 01 Jun 2011 19:21:50 +0100
Package: perl-debug
Severity: important

Tags: security

<https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4777>

Confirmed by Moritz on lenny and squeeze with debugperl from perl-debug
only; therefore it doesn't need a DSA.

Apparently fixed in 5.14.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#628836; Package perl-debug. (Thu, 02 Jun 2011 16:09:08 GMT)


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Thu, 02 Jun 2011 16:09:08 GMT)


Message #10 received at 628836@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 628836@bugs.debian.org
Subject: Re: Bug#628836: perl-debug: CVE-2010-4777 perl: assertion failure with certain regular expressions
Date: Thu, 2 Jun 2011 19:05:11 +0300
forwarded 628836 http://rt.perl.org/rt3/Public/Bug/Display.html?id=76538
thanks

On Wed, Jun 01, 2011 at 07:21:50PM +0100, Dominic Hargreaves wrote:
> Package: perl-debug
> Severity: important
> 
> Tags: security
> 
> <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4777>
> 
> Confirmed by Moritz on lenny and squeeze with debugperl from perl-debug
> only; therefore it doesn't need a DSA.
> 
> Apparently fixed in 5.14.

Michael Schroeder noted in [perl #76538] that this still fails on 5.14.0
with -DDEBUGGING (our /usr/bin/debugperl from perl-debug):

#!/usr/bin/debugperl
my @x = ("AX=B","AAAAAAX=");
utf8::upgrade($x[1]);
for (@x) {
    m{^([^=]+?)X\s*=.+$};
    print "-> $1\n";
}

-- 
Niko Tyni   ntyni@debian.org




Set Bug forwarded-to-address to 'http://rt.perl.org/rt3/Public/Bug/Display.html?id=76538'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Thu, 02 Jun 2011 16:09:10 GMT)


Added tag(s) security. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 10 Jun 2011 19:57:04 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 02 Mar 2015 17:00:23 GMT)


Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Fri, 01 Apr 2016 23:09:14 GMT)


Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Fri, 01 Apr 2016 23:09:14 GMT)


Message #21 received at 628836-done@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 628836-done@bugs.debian.org
Subject: Re: Bug#628836: perl-debug: CVE-2010-4777 perl: assertion failure with certain regular expressions
Date: Sat, 2 Apr 2016 00:05:41 +0100
Version: 5.18.0-1

On Thu, Jun 02, 2011 at 07:05:11PM +0300, Niko Tyni wrote:
> forwarded 628836 http://rt.perl.org/rt3/Public/Bug/Display.html?id=76538
> thanks
> 
> On Wed, Jun 01, 2011 at 07:21:50PM +0100, Dominic Hargreaves wrote:
> > Package: perl-debug
> > Severity: important
> > 
> > Tags: security
> > 
> > <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4777>
> > 
> > Confirmed by Moritz on lenny and squeeze with debugperl from perl-debug
> > only; therefore it doesn't need a DSA.
> > 
> > Apparently fixed in 5.14.
> 
> Michael Schroeder noted in [perl #76538] that this still fails on 5.14.0
> with -DDEBUGGING (our /usr/bin/debugperl from perl-debug):
> 
> #!/usr/bin/debugperl
> my @x = ("AX=B","AAAAAAX=");
> utf8::upgrade($x[1]);
> for (@x) {
> m{^([^=]+?)X\s*=.+$};
> print "-> $1\n";
> }

Subsequent discussions suggest that this is now fixed, in 5.18.0
if not 5.14.0. Closing.

Dominic.
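
A regression check built around the reproducer quoted in this log, as an added example that is not part of the bug report or of Perl's own test suite: it runs the script under a chosen interpreter and reports whether the process died on an assertion. The function names are this example's own, and it assumes a failed assertion shows up either as SIGABRT or as a non-zero exit with an "Assertion ... failed" message on stderr.

```python
import signal
import subprocess

# Reproducer from message #10 of this bug log, passed to the interpreter via -e.
REPRODUCER = r'''
my @x = ("AX=B","AAAAAAX=");
utf8::upgrade($x[1]);
for (@x) {
    m{^([^=]+?)X\s*=.+$};
    print "-> $1\n";
}
'''


def classify(returncode, stderr):
    """Turn a finished child's exit status and stderr into a verdict."""
    # Assumption: a C-level assert() ends the process with SIGABRT.
    if returncode == -signal.SIGABRT:
        return "assertion-abort"
    # Assumption: an assertion reported by the interpreter itself exits
    # non-zero and names the failed assertion on stderr.
    if returncode != 0 and "Assertion" in stderr and "failed" in stderr:
        return "assertion-abort"
    return "ok" if returncode == 0 else "error"


def check_perl(perl="perl", timeout=10):
    """Run the reproducer under `perl` and classify the outcome."""
    try:
        proc = subprocess.run(
            [perl, "-e", REPRODUCER],
            capture_output=True, text=True, errors="replace", timeout=timeout,
        )
    except OSError:
        return "unavailable"   # binary missing or not executable
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode, proc.stderr)


if __name__ == "__main__":
    # /usr/bin/debugperl is the -DDEBUGGING build named in the report.
    for binary in ("/usr/bin/debugperl", "perl"):
        print(binary, "->", check_perl(binary))
```
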



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Apr 2016 07:34:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:13:12 2019; Machine Name: buxtehude
