Your message dated Fri, 12 Jun 2009 21:18:01 +0000
with message-id <e1mfe8p-0008mt...@ries.debian.org>
and subject line Bug#532736: fixed in perl 5.10.0-23
has caused the Debian Bug report #532736,
regarding CVE-2009-1391: Buffer overflow in Compress::Raw::Zlib
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
532736: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl
Version: 5.10.0-19
Severity: grave
Tags: security
Justification: user security hole
A security vulnerability was found in Compress::Raw::Zlib:
Compress::Raw::Zlib versions before 2.017 contain a buffer overflow in
inflate(). A badly formed zlib-stream can trigger this buffer overflow and cause
the perl process at least to hang or to crash.
This causes a remote DoS in amavisd-new.
The perl package in lenny and sid contains Compress::Raw::Zlib 2.008.
There is also a separate package libcompress-raw-zlib-perl.
More information can be found at
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391
--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.10.0-23
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.10.0-23_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.10.0-23_all.deb
perl-doc_5.10.0-23_all.deb
to pool/main/p/perl/perl-doc_5.10.0-23_all.deb
perl-modules_5.10.0-23_all.deb
to pool/main/p/perl/perl-modules_5.10.0-23_all.deb
perl_5.10.0-23.diff.gz
to pool/main/p/perl/perl_5.10.0-23.diff.gz
perl_5.10.0-23.dsc
to pool/main/p/perl/perl_5.10.0-23.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 532...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <nt...@debian.org> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 12 Jun 2009 21:26:18 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid
libperl5.10 libperl-dev perl
Architecture: all source
Version: 5.10.0-23
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <b...@debian.org>
Changed-By: Niko Tyni <nt...@debian.org>
Closes: 526974 532736
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl5.10 - Shared Perl library
libperl-dev - Perl library: development files
perl-base - minimal Perl system
perl-debug - Debug-enabled Perl interpreter
perl-doc - Perl documentation
perl - Larry Wall's Practical Extraction and Report Language
perl-modules - Core Perl modules
perl-suid - Runs setuid Perl scripts
Changes:
perl (5.10.0-23) unstable; urgency=high
.
* Don't try to check nonexistent .ph files: the kFreeBSD port
doesn't have <asm/termios.h>. (Closes: #526974)
* [SECURITY] CVE-2009-1391: Fix a buffer overflow in Compress::Raw::Zlib.
(Closes: #532736)
--- End Message ---