5.40.1-3 CVE-2024-56406

Niko Tyni Sun, 13 Apr 2025 06:36:14 -0700

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: p...@packages.debian.org, p...@packages.debian.org
Control: affects -1 + src:perl


Hi, please pre-approve the attached one line security fix for sid/trixie
for CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a
heap buffer overflow when transliterating non-ASCII bytes.

  https://lists.security.metacpan.org/cve-announce/msg/28708725/

A DSA update for bookworm is already uploaded and being processed by
the security team.

Thanks for your work,
-- 
Niko Tyni   nt...@debian.org

diff -Nru perl-5.40.1/debian/changelog perl-5.40.1/debian/changelog
--- perl-5.40.1/debian/changelog        2025-02-16 17:16:32.000000000 +0200
+++ perl-5.40.1/debian/changelog        2025-04-12 18:34:34.000000000 +0300
@@ -1,3 +1,9 @@
+perl (5.40.1-3) unstable; urgency=high
+
+  * [SECURITY] CVE-2024-56406: Fix heap-buffer-overflow with tr//
+
+ -- Niko Tyni <nt...@debian.org>  Sat, 12 Apr 2025 18:34:34 +0300
+
 perl (5.40.1-2) unstable; urgency=medium
 
   * Refresh cross support files with 5.40.1-1 results.
diff -Nru perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff 
perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff
--- perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff        1970-01-01 
02:00:00.000000000 +0200
+++ perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff        2025-04-12 
18:34:34.000000000 +0300
@@ -0,0 +1,31 @@
+From: Karl Williamson <k...@cpan.org>
+Date: Wed, 18 Dec 2024 18:25:29 -0700
+Subject: CVE-2024-56406: Heap-buffer-overflow with tr//
+
+This was due to underallocating needed space.  If the translation forces
+something to become UTF-8 that is initially bytes, that UTF-8 could
+now require two bytes where previously a single one would do.
+
+(cherry picked from commit f93109c8a6950aafbd7488d98e112552033a3686)
+
+commit 385e8759c3ff1e7f7f996bd4ea391074d61d48c1
+Author:     Karl Williamson <k...@cpan.org>
+AuthorDate: 2024-12-18 18:25:29 -0700
+Commit:     Steve Hay <steve.m....@googlemail.com>
+CommitDate: 2025-03-30 11:59:51 +0100
+---
+ op.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/op.c b/op.c
+index 3fc23ec..aeee88e 100644
+--- a/op.c
++++ b/op.c
+@@ -6649,6 +6649,7 @@ S_pmtrans(pTHX_ OP *o, OP *expr, OP *repl)
+                  * same time.  But otherwise one crosses before the other */
+                 if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
+                     can_force_utf8 = TRUE;
++                    max_expansion = MAX(2, max_expansion);
+                 }
+             }
+ 
diff -Nru perl-5.40.1/debian/patches/series perl-5.40.1/debian/patches/series
--- perl-5.40.1/debian/patches/series   2025-01-19 00:25:46.000000000 +0200
+++ perl-5.40.1/debian/patches/series   2025-04-12 18:34:34.000000000 +0300
@@ -40,3 +40,4 @@
 debian/configure-regen.diff
 fixes/json-pp-options.diff
 fixes/test-harness-bailout.diff
+fixes/CVE-2024-56406.diff

Bug#1102984: unblock/preapproval: perl/5.40.1-3 CVE-2024-56406

Reply via email to