Bug#631529: Missing fix for CVE-2010-1447

Tue, 28 Jun 2011 04:30:23 -0700 

On Mon, Jun 27, 2011 at 07:01:24PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Jun 26, 2011 at 08:49:12AM +0300, Niko Tyni wrote:
> > On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote:
> > > On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: perl
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > Hi Perl maintainers,
> > > > it turns out that CVE-2010-1447 is still missing in Lenny and
> > > > Squeeze. It was originally attributed to Postgres, but it
> > > > was later found out that Perl is affected as well.
> > > > 
> > > > The attached patch is still needed in both Lenny and Squeeze.
> > > 
> > > Thanks for pointing this out. I'll verify the patch and prepare packages;
> > > do you want them uploaded to security-master ASAP?
> > 
> > Please note that this is probably going to break libpetal-perl and no
> > fix is available. See #582805.
> 
> But this software must've already been broken with the initial Safe.pm fix for
> Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)

No, it's really this fix for CVE-2010-1447 that breaks it.

I've verified on both Lenny and Squeeze that libpetal-perl_2.19-1
builds fine without CVE-2010-1447.patch, but applying the patch
manually to /usr/lib/perl/5.10/Safe.pm (or, in the squeeze case,
/usr/share/perl/5.10/Safe.pm) makes the libpetal-perl test suite crash
and burn.

I see I left the CVE-2010-1168 update at Safe-2.25 precisely because of
this; quoting myself in #582978:

  Upstream is now at 2.27, which has further related changes and was also
  bundled with Perl 5.12.1. However, it causes regressions in (at least)
  libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
  two regressions don't happen with 2.25. 

See also my mail to t...@security.debian.org in January 2011 with
CVE-2010-1168 in the subject and
 Message-ID: <20110114185338.GA25109@madeleine.local.invalid>


Fortunately libtext-micromason-perl isn't a problem in this context:
  - it's not in Lenny at all 
  - the Squeeze package got fixed in time, and I've verified the it still
    builds with CVE-2010-1447.patch

-- 
Niko Tyni   nt...@debian.org



--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to