On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
>
> CVE-2011-0761[0]:
> | Perl 5.10.x allows context-dependent attackers to cause a denial of
> | service (NULL pointer dereference and application crash) by leveraging
> | an ability to inject arguments into a (1) getpeername, (2) readdir,
> | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> | function call.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0761
>     http://security-tracker.debian.org/tracker/CVE-2011-0761

As some pointed out upstream[0], this is only an issue if an application
passes unvalidated input directly into those functions. Do we think
this makes this issue not worth fixing in stable/oldstable?

Dominic.

[0] <http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-06/msg00027.html>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)