Bug 21752 - perl new security issues CVE-2017-12837 and CVE-2017-12883
Summary: perl new security issues CVE-2017-12837 and CVE-2017-12883
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 19051
 
Reported: 2017-09-21 23:47 CEST by David Walser
Modified: 2018-01-03 16:51 CET
CC List: 4 users

See Also:
Source RPM: perl-5.26.1-0.4.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2017-09-21 23:47:58 CEST
Debian has issued an advisory today (September 21):
https://www.debian.org/security/2017/dsa-3982

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-09-21 23:48:03 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-09-22 10:55:19 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2017-10-02 23:48:26 CEST
Fedora has issued an advisory for this today (October 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UOKIACN6UTXROW3HWROMUCE52VWGRIHH/
Comment 3 Shlomi Fish 2017-10-03 11:26:58 CEST
According to https://metacpan.org/changes/distribution/perl these two issues were fixed in 5.26.1, which is now in Cauldron. Setting the keywords accordingly.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 4 Shlomi Fish 2017-10-03 12:10:48 CEST
perl-5.22.3-3.1.mga6 submitted to 6 core/updates-testing - please test after it is built - http://pkgsubmit.mageia.org/ .
Comment 5 David Walser 2017-10-03 16:10:38 CEST
Thanks Shlomi.  For Mageia 5, can you do anything about the issues in Bug 19051?
Comment 6 David Walser 2017-10-03 16:11:41 CEST
Built for this update:
perl-5.20.1-8.7.mga5
perl-base-5.20.1-8.7.mga5
perl-devel-5.20.1-8.7.mga5
perl-doc-5.20.1-8.7.mga5
perl-5.22.3-3.1.mga6
perl-base-5.22.3-3.1.mga6
perl-devel-5.22.3-3.1.mga6
perl-doc-5.22.3-3.1.mga6

from SRPMS:
perl-5.20.1-8.7.mga5.src.rpm
perl-5.22.3-3.1.mga6.src.rpm
Comment 7 Frédéric "LpSolit" Buclin 2017-10-19 12:24:35 CEST
Shouldn't this bug be assigned to QA?
Comment 8 Shlomi Fish 2017-10-19 14:02:13 CEST
(In reply to Frédéric Buclin from comment #7)
> Shouldn't this bug be assigned to QA?

yes, it should be.
Comment 9 David Walser 2017-10-19 15:05:10 CEST
Shlomi, please see Comment 5.
Comment 10 David Walser 2017-12-27 03:35:41 CET
Shlomi, it'd be great if you could help finish fixing the issues from Bug 19051.

Blocks: (none) => 19051

Comment 11 David Walser 2017-12-30 01:05:50 CET
Mageia 5 will be handled in Bug 19051 (still waiting on fixes for some modules).

Advisory:
========================

Updated perl packages fix security vulnerabilities:

Jakub Wilk reported a heap buffer overflow flaw in the regular expression
compiler, allowing a remote attacker to cause a denial of service via a
specially crafted regular expression with the case-insensitive modifier
(CVE-2017-12837).

Jakub Wilk reported a buffer over-read flaw in the regular expression parser,
allowing a remote attacker to cause a denial of service or information leak
(CVE-2017-12883).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12883
https://www.debian.org/security/2017/dsa-3982
========================

Updated packages in core/updates_testing:
========================
perl-5.22.3-3.1.mga6
perl-base-5.22.3-3.1.mga6
perl-devel-5.22.3-3.1.mga6
perl-doc-5.22.3-3.1.mga6

from perl-5.22.3-3.1.mga6.src.rpm

Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Whiteboard: MGA5TOO => (none)

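The advisory in Comment 11 lists the fixed Mageia 6 package releases. The script below is an added example, not part of this bug report or of Mageia's own tooling: it reimplements rpm's version comparison (an assumption: it follows rpmvercmp for digit, letter and `~` segments; the newer `^` separator is not handled) so that `rpm -qa` output can be checked against those releases without a naive string comparison getting a case like 8.10 versus 8.7 wrong. The `rpm -qa` sample is constructed; the package names and releases in it are the ones listed in Comment 11, with `perl-base` deliberately left on the previous release.

```python
import re
import subprocess

# Fixed Mageia 6 version-release strings from the advisory in Comment 11.
# Epoch is omitted, as it is in default `rpm -qa` output.
FIXED_MGA6 = {
    "perl": "5.22.3-3.1.mga6",
    "perl-base": "5.22.3-3.1.mga6",
    "perl-devel": "5.22.3-3.1.mga6",
    "perl-doc": "5.22.3-3.1.mga6",
}

# Constructed sample of `rpm -qa` output: perl-base is still on the old release.
SAMPLE_RPM_QA = """\
perl-5.22.3-3.1.mga6.x86_64
perl-base-5.22.3-3.0.mga6.x86_64
perl-devel-5.22.3-3.1.mga6.x86_64
perl-doc-5.22.3-3.1.mga6.noarch
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings with rpm's segment rules.

    Returns -1, 0 or 1. Reimplemented for this example (assumption: matches
    rpmvercmp for digits, letters and '~'; the '^' separator is not handled).
    Separators such as '.' and '-' are ignored; numeric segments compare as
    integers, so 8.10 sorts after 8.7.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # '~' sorts before anything, including the end of the other string.
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        # The string that still has segments left is the newer one.
        if x is None:
            return -1
        if y is None:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1  # a numeric segment beats an alphabetic one
        if x_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def compare_vr(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_qa(lines) -> dict:
    """Turn 'name-version-release.arch' lines into {name: 'version-release'}."""
    installed = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        nvr, _arch = line.rsplit(".", 1)          # drop .x86_64 / .i586 / .noarch
        name, version, release = nvr.rsplit("-", 2)
        installed[name] = f"{version}-{release}"
    return installed


def vulnerable_packages(installed: dict, fixed: dict = FIXED_MGA6) -> list:
    """Names of installed packages that are older than the fixed release."""
    return sorted(name for name, vr in installed.items()
                  if name in fixed and compare_vr(vr, fixed[name]) < 0)


if __name__ == "__main__":
    # On a real Mageia 6 host query the rpm database; fall back to the sample otherwise.
    try:
        out = subprocess.run(["rpm", "-qa", *FIXED_MGA6], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    installed = parse_rpm_qa((out or SAMPLE_RPM_QA).splitlines())
    for name in vulnerable_packages(installed):
        print(f"{name}-{installed[name]} is older than {FIXED_MGA6[name]}")
```

Only the four packages named in the advisory are checked; anything else `rpm -qa` prints is parsed but ignored, and a package that is not installed at all is simply absent from the result.
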
Comment 12 Dave Hodgins 2018-01-03 15:40:32 CET
Just testing that packages like drakrpm still work.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2018-01-03 16:03:53 CET

Keywords: (none) => advisory

Comment 13 Mageia Robot 2018-01-03 16:51:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0049.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

