Your message dated Sat, 10 Dec 2005 08:02:14 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#341542: fixed in perl 5.8.7-9 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Integer overflow in perl's format string code
Date: Thu, 01 Dec 2005 10:45:18 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
Package: perl
Version: 5.8.7-8
Severity: grave
Tags: security
Justification: user security hole

An integer overflow in perl's format string code may allow remote code execution in applications using that specific functionality. Please see http://www.dyadsecurity.com/perl-0002.html for more details and a patch.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages perl depends on:
ii  libc6         2.3.5-8.1  GNU C Library: Shared libraries an
ii  libdb4.3      4.3.29-1   Berkeley v4.3 Database Libraries [
ii  libgdbm3      1.8.3-2    GNU dbm database routines (runtime
ii  perl-base     5.8.7-8    The Pathologically Eclectic Rubbis
ii  perl-modules  5.8.7-8    Core Perl modules

Versions of packages perl recommends:
ii  perl-doc      5.8.7-8    Perl documentation

-- no debconf information

---------------------------------------
From: Brendan O'Dea <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#341542: fixed in perl 5.8.7-9
Date: Sat, 10 Dec 2005 08:02:14 -0800

Source: perl
Source-Version: 5.8.7-9
We believe that the bug you reported is fixed in the latest version of perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.7-9_all.deb to pool/main/p/perl/libcgi-fast-perl_5.8.7-9_all.deb
libperl-dev_5.8.7-9_powerpc.deb to pool/main/p/perl/libperl-dev_5.8.7-9_powerpc.deb
libperl-dev_5.8.7-9_sparc.deb to pool/main/p/perl/libperl-dev_5.8.7-9_sparc.deb
libperl5.8_5.8.7-9_powerpc.deb to pool/main/p/perl/libperl5.8_5.8.7-9_powerpc.deb
libperl5.8_5.8.7-9_sparc.deb to pool/main/p/perl/libperl5.8_5.8.7-9_sparc.deb
perl-base_5.8.7-9_powerpc.deb to pool/main/p/perl/perl-base_5.8.7-9_powerpc.deb
perl-base_5.8.7-9_sparc.deb to pool/main/p/perl/perl-base_5.8.7-9_sparc.deb
perl-debug_5.8.7-9_powerpc.deb to pool/main/p/perl/perl-debug_5.8.7-9_powerpc.deb
perl-debug_5.8.7-9_sparc.deb to pool/main/p/perl/perl-debug_5.8.7-9_sparc.deb
perl-doc_5.8.7-9_all.deb to pool/main/p/perl/perl-doc_5.8.7-9_all.deb
perl-modules_5.8.7-9_all.deb to pool/main/p/perl/perl-modules_5.8.7-9_all.deb
perl-suid_5.8.7-9_powerpc.deb to pool/main/p/perl/perl-suid_5.8.7-9_powerpc.deb
perl-suid_5.8.7-9_sparc.deb to pool/main/p/perl/perl-suid_5.8.7-9_sparc.deb
perl_5.8.7-9.diff.gz to pool/main/p/perl/perl_5.8.7-9.diff.gz
perl_5.8.7-9.dsc to pool/main/p/perl/perl_5.8.7-9.dsc
perl_5.8.7-9_powerpc.deb to pool/main/p/perl/perl_5.8.7-9_powerpc.deb
perl_5.8.7-9_sparc.deb to pool/main/p/perl/perl_5.8.7-9_sparc.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <[EMAIL PROTECTED]> (supplier of updated perl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sat, 10 Dec 2005 16:43:02 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: all powerpc source sparc
Version: 5.8.7-9
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <[EMAIL PROTECTED]>
Changed-By: Brendan O'Dea <[EMAIL PROTECTED]>
Description:
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 337050 341542 342526
Changes:
 perl (5.8.7-9) unstable; urgency=high
 .
   * SECURITY [CVE-2005-3962] (closes: #341542):
     + Apply upstream fixes to prevent buffer overflows in printf/sprintf caused by malicious format strings.
     + Update Sys::Syslog to 0.09, which only uses the message as a format string to sprintf when additional arguments are given.
 .
   * Remove -Dusemymalloc from perl-debug (added for #178243: to enable PERL_DEBUGGING_MSTATS), as this causes debugperl to break with compiled modules. Closes: #337050, #342526).
 .
   * Skip Math::Complex tests 267 and 487, failing due to non-IEEE fp rounding rules in the kernel fp emulation.
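
Added example (not part of the original messages, and not the Sys::Syslog or perl source): a sketch of the Sys::Syslog 0.09 behaviour named in the changelog above, where the message reaches sprintf as a format only when additional arguments are given. The helper names format_always, format_if_args and run_formatter are hypothetical, and the sample messages are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: the risky pattern, where the message is always
# handed to sprintf as the format, even when no arguments accompany it.
sub format_always {
    my ($msg, @args) = @_;
    return sprintf($msg, @args);
}

# Hypothetical helper: the behaviour the changelog describes, where the
# message is a format only if the caller supplied additional arguments.
sub format_if_args {
    my ($msg, @args) = @_;
    return @args ? sprintf($msg, @args) : $msg;
}

# Run a formatter and count the warnings perl raises while formatting.
sub run_formatter {
    my ($formatter, $msg, @args) = @_;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };
    my $out = $formatter->($msg, @args);
    return ($out, scalar @warnings);
}

# Constructed sample messages: log text that merely contains '%'.
my @samples = (
    'login failed for user bob%s%s',
    'disk usage at 100% during backup',
);

for my $msg (@samples) {
    my ($old, $old_warn) = run_formatter(\&format_always,  $msg);
    my ($new, $new_warn) = run_formatter(\&format_if_args, $msg);
    print "input      : $msg\n";
    print "always fmt : $old  (warnings: $old_warn)\n";
    print "if args    : $new  (warnings: $new_warn)\n\n";
}

# Caller-side habit that is safe under either behaviour: keep the format
# constant and pass untrusted text only as an argument.
my ($safe) = run_formatter(\&format_always, 'login failed for user %s', 'bob%s%s');
print "constant fmt: $safe\n";
```

With format_always the directives embedded in the message are interpreted and the logged text is altered; with format_if_args the message is logged unchanged.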