severity 637376 important
thanks

On Sun, Aug 21, 2011 at 06:52:28PM +0300, Niko Tyni wrote:
> retitle 637376 perl: [CVE-2011-2939] Encode security: Unicode.xs!decode_xs n-byte heap-overflow
> thanks
>
> On Wed, Aug 10, 2011 at 06:52:43PM +0100, Dominic Hargreaves wrote:
> > Package: perl
> > Version: 5.12.4-3
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Encode 2.44 has been released with the following change:
> >
> > ! Unicode/Unicode.xs
> >   Addressed the following:
> >   Date: Fri, 22 Jul 2011 13:58:43 +0200
> >   From: Robert Zacek <za...@avast.com>
> >   To: perl5-security-rep...@perl.org
> >   Subject: Unicode.xs!decode_xs n-byte heap-overflow
>
> > I haven't seen any further details about this one, but setting severity
> > to grave for now.
>
> Quoting Josh Bresser in
> http://www.openwall.com/lists/oss-security/2011/08/19/17
>
> > I'm going to assign this CVE-2011-2939. It looks like a single byte
> > overflow. It's probably not exploitable (even as a DoS), but to play it
> > safe, I'm assigning this ID.
I get the impression that upstream agrees with this low potential for
exploitability, so I'm lowering the severity of this bug.

I suggest we wait for upstream to make stable releases including the fix
before pushing this out to squeeze/lenny (I had a look at lenny and the
code is, as Niko mentioned, completely different), so it's unlikely that
this problem exists in the same form there.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)