| Summary: | perl new security issue CVE-2023-47038 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, fri, marja11, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.openwall.com/lists/oss-security/2023/12/01/1 | | |
| Whiteboard: | MGA9-64-OK MGA9-32-OK | | |
| Source RPM: | perl-5.36.0-1.mga9.src.rpm | CVE: | CVE-2023-47038 |
| Status comment: | | | |
Description
Nicolas Salguero
2023-12-04 11:05:06 CET
Nicolas Salguero
2023-12-04 11:06:00 CET
Source RPM:
(none) =>
perl-5.38.0-2.mga10.src.rpm

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Write past buffer end via illegal user-defined Unicode property. (CVE-2023-47038)

References:
https://www.openwall.com/lists/oss-security/2023/12/01/1
========================

Updated packages in core/updates_testing:
========================
perl-5.36.0-1.1.mga9
perl-base-5.36.0-1.1.mga9
perl-devel-5.36.0-1.1.mga9
perl-doc-5.36.0-1.1.mga9

from SRPM:
perl-5.36.0-1.1.mga9.src.rpm

Source RPM:
perl-5.38.0-2.mga10.src.rpm =>
perl-5.36.0-1.mga9.src.rpm

Mageia9 x86_64

The comments accessed via the CVE link talk about a write buffer overflow vulnerability affecting Windows systems so it is probably out of our jurisdiction.

Clean update.

$ locate .pl | wc -l
4569
$ clock.pl
launched the Date, Clock and Time Zone Settings gui. Checked 'Enable Network Time Protocol' and was asked to install chrony. Chose Europe All Servers pool.

Found an old PoC which creates an aiff file. Ran it to see what happens:

$ perl nemux.pl
[*] Making AIFF file: "nemux.aiff"
[*] Done... AIFF File Size: 21672
Is it over? ... Hello? ... Did we win? (cit.)
[+] You can test it on OSX and Linux with Audacity - linux command line /usr/bin/audacity namux.aiff
[+] You can test it on OSX Windows and Linux - with Adobe Audition
Note: Adobe Audition will trigger the bug just when it scans the directory that contains this aiff file
Marco Romano @nemux_
$ ll *.aiff
-rw-r--r-- 1 lcl lcl 21672 Jan 30 17:59 nemux.aiff

audacity did not recognise the type of the file but it could be imported as raw data and showed audio file characteristics.

MCC/drakconf has a lot of perl dependencies so ran that to exercise perl.

Installed perl-ImageMagick and ran a local example.pl file which applied a set of transformations of a test image and generated a 5x15 mosaic image of all of them.

Everything seems to work.

CC:
(none) =>
tarazed25
Marja Van Waes
2024-01-30 21:16:59 CET
CC:
(none) =>
marja11
Marja Van Waes
2024-01-30 21:18:50 CET
Keywords:
(none) =>
advisory
katnatek
2024-01-31 03:06:23 CET
CC:
(none) =>
andrewsfarm

Updated without issues
urpmi family still works
MCC works

mga9-64 OK here

Updated perl and ran some MCC parts: nothing but the usual noise in the terminal from where I launched it.

@katnaktek: what arch did you test?

This being important system package (i.e. for our tools), I think we need 32 bit tests too?

CC:
(none) =>
fri

(In reply to Morgan Leijström from comment #5)
> @katnaktek: what arch did you test?
>
> This being important system package (i.e. for our tools), I think we need 32
> bit tests too?

Tested in real hardware Mageia 9 x86_64
I will test later in i586

Tested in Real Hardware Mageia 9 i586 lxqt

I updated these packages before testing the packages for kernel 6.6

MCC and urpmi family work as always
katnatek
2024-02-03 00:45:54 CET
Whiteboard:
MGA9-64-OK =>
MGA9-64-OK MGA9-32-OK

Thanks for the tests. Validating.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0021.html

Resolution:
(none) =>
FIXED