[CVE-2008-1927] Perl 5.8.8 vulnerability via UTF-8 regular expression

Bug #221541 reported by Till Ulen
Affects        Status        Importance  Assigned to  Milestone
Debian         Fix Released  Unknown
perl (Ubuntu)  Fix Released  Undecided   Unassigned
Dapper         Fix Released  Low         Unassigned
Feisty         Fix Released  Low         Unassigned
Gutsy          Fix Released  Low         Unassigned
Hardy          Fix Released  Low         Unassigned

Bug Description

Binary package hint: perl

From the National Vulnerability Database, CVE-2008-1927:

"Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems."

From the Debian security advisory DSA-1556-1:

"It has been discovered that the Perl interpreter may encounter a buffer
overflow condition when compiling certain regular expressions containing
Unicode characters. This also happens if the offending characters are
contained in a variable reference protected by the \Q...\E quoting
construct. When encountering this condition, the Perl interpreter
typically crashes, but arbitrary code execution cannot be ruled out."

References:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927
http://www.debian.org/security/2008/dsa-1556 (not yet published on the site)

SwissSign Operations Team (ubuntu-bugs-swisssign) wrote :

Hi
Does anybody know if this is also biting dapper 6.06 LTS? It has perl 5.8.7, though.

thx /markus

Changed in perl:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
SwissSign Operations Team (ubuntu-bugs-swisssign) wrote :

I can confirm that perl 5.8.7 on dapper is affected.

http://rt.perl.org/rt3/Public/Bug/Display.html?id=48156 claims it's a duplicate of http://rt.perl.org/rt3/Public/Bug/Display.html?id=40641, which has a patch.

Is this going to be addressed anywhere in Ubuntu?

thx /markus

Colin Watson (cjwatson) wrote :

According to the Debian bug report, this was fixed upstream in perl 5.10.0, which we have in Intrepid. (I'll leave stable releases to the security team ...)

Changed in perl:
status: New → Fix Released
SwissSign Operations Team (ubuntu-bugs-swisssign) wrote :

Yes.

Does anybody know if it is being worked on? Isn't stuff like this supposed to be backported into LTS releases? Or have I misread what LTS means?

Thx

Kees Cook (kees) wrote :

This is currently rated as a "low" priority issue. It will be addressed when other Perl issues have collected.

Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in perl:
status: Confirmed → Won't Fix
Kees Cook (kees) wrote :

This has been published as a part of http://www.ubuntu.com/usn/usn-700-1

Changed in perl:
status: Confirmed → Fix Released
importance: Undecided → Low
status: Won't Fix → Fix Released
importance: Undecided → Low
status: Confirmed → Fix Released
importance: Undecided → Low
status: Confirmed → Fix Released
importance: Undecided → Low