Debian has issued an advisory on April 14:
https://www.debian.org/security/2018/dsa-4172

I'd guess these were fixed in perl 5.26.2 recently uploaded to Cauldron, but that should be verified.

Debian has commit links for the fixes:
https://security-tracker.debian.org/tracker/CVE-2018-6797
https://security-tracker.debian.org/tracker/CVE-2018-6798
https://security-tracker.debian.org/tracker/CVE-2018-6913

As Debian notes, Mageia 5 is not vulnerable to CVE-2018-6798, it was deemed too difficult to fix CVE-2018-6797 there, but we can borrow their patch for CVE-2018-6913.
Ubuntu has issued an advisory for this on April 16: https://usn.ubuntu.com/3625-1/
Fedora has issued advisories for this on April 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2YHV7AMX7Y5TBFZ2AJSYOXKOY24LXMHI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OCXHRWSBTCW72IS7QJZ6DVME7KY3SM6O/

So, perl-Module-CoreList may also be affected.
openSUSE has issued an advisory for this on April 26: https://lists.opensuse.org/opensuse-updates/2018-04/msg00075.html
http://pkgsubmit.mageia.org/ - perl-5.22.3-3.2 submitted there.
(In reply to David Walser from comment #2)
> Fedora has issued advisories for this on April 21:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2YHV7AMX7Y5TBFZ2AJSYOXKOY24LXMHI/
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OCXHRWSBTCW72IS7QJZ6DVME7KY3SM6O/
>
> So, perl-Module-CoreList may also be affected.

perl-Module-CoreList update is only needed to support perl 5.24.4 or 5.26.2.
Build system is stuck.

perl-5.22.3-3.2.mga6
perl-base-5.22.3-3.2.mga6
perl-devel-5.22.3-3.2.mga6
perl-doc-5.22.3-3.2.mga6

from perl-5.22.3-3.2.mga6.src.rpm
Advisory:
========================

Updated perl packages fix security vulnerabilities:

Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with control over the bytes written (CVE-2018-6797).

Nguyen Duc Manh reported that matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure (CVE-2018-6798).

GwanYeong Kim reported that 'pack()' could cause a heap buffer write overflow with a large item count (CVE-2018-6913).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6913
https://www.debian.org/security/2018/dsa-4172
========================

Updated packages in core/updates_testing:
========================
perl-5.22.3-3.2.mga6
perl-base-5.22.3-3.2.mga6
perl-devel-5.22.3-3.2.mga6
perl-doc-5.22.3-3.2.mga6

from perl-5.22.3-3.2.mga6.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Blocks: (none) => 22992
Mageia 6, x86_64

Started PoC hunting. Too late to carry on tonight.
CC: (none) => tarazed25
Belatedly. :-((

Mageia 6, x86_64

Downloaded PoCs.

Before the update:
==================

CVE-2018-6797
https://rt.perl.org/Public/Bug/Display.html?id=132227

$ perl 132227b.pl
panic: reg_node overrun trying to emit 0, 10c642c>=10c642c at 132227b.pl line 1.

CVE-2018-6798
https://rt.perl.org/Public/Bug/Display.html?id=132063

$ perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
Operation "pattern match (m//)" returns its argument for non-Unicode code point 0xD040000000000000 at -e line 1.

Does not look like the output upstream but in that case perl had been compiled with asan support. Their test aborted after delivering this message:

==11464==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001b3a at pc 0x000000c66a61 bp 0x7ffd2e7fafb0 sp 0x7ffd2e7fafa8
READ of size 1 at 0x602000001b3a thread T0

However... the modified test at https://bugzilla.redhat.com/show_bug.cgi?id=1547779 reproduces the valgrind output.

$ valgrind -- perl -e '"\xff" =~ /(?il)\x{100}|\x{100}/;'

CVE-2018-6913
https://rt.perl.org/Public/Bug/Display.html?id=131844

$ perl S_pack_rec_heap_PoC
Invalid type 'K' in pack at S_pack_rec_heap_PoC line 1.

The upstream test uses asan and produces an abort. There is also a note that this reproduces only on 32-bit systems so it is probably not relevant. Not too keen on switching to virtualbox on this one.

Updated the packages.

After the update:
=================

$ perl 132227b.pl
panic: reg_node overrun trying to emit 0, 16c842c>=16c842c at 132227b.pl line 1.

$ perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
$

$ perl S_pack_rec_heap_PoC
Invalid type 'K' in pack at S_pack_rec_heap_PoC line 1.

We have not learnt very much from that exercise.

Tried out some perl scripts lying around. nemux.pl generated newmux.aiff. Lewis's onecheck.pl retrieved information on current isos from bcd.mageia.org. Followed Herman's lead and put MCC through its paces. No problems.
Whiteboard: (none) => MGA6-64-OK
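The only reproducer above that changed behaviour between the old and the new build is the CVE-2018-6798 one-liner: the unpatched perl prints the "returns its argument for non-Unicode code point" warning (garbage read back from beyond the buffer), the patched one is silent. The script below, an added example and not part of the bug report or of Mageia's QA tooling, turns that observation into a pass/fail regression check, with an optional valgrind variant modelled on the Red Hat bug cited in the comment. It assumes the `perl` on PATH is the build under test; the verdict strings (no-perl, vulnerable-signature, clean, skipped) are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the Mageia bug report. Assumes `perl` on
# PATH is the build being tested; the pre-fix build is known (comment
# above) to emit the "non-Unicode code point" warning, the fixed one
# prints nothing.

# Run the CVE-2018-6798 reproducer and classify its stderr.
# Prints one of: no-perl | vulnerable-signature | clean
cve_2018_6798_check() {
    if ! command -v perl >/dev/null 2>&1; then
        printf 'no-perl\n'
        return 0
    fi
    # Same pattern as quoted in the bug: case-insensitive, locale-dependent
    # alternation of a wide code point, matched against a single high byte.
    out=$(perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;' 2>&1)
    case "$out" in
        *"non-Unicode code point"*) printf 'vulnerable-signature\n' ;;
        *) printf 'clean\n' ;;
    esac
}

# Same reproducer under valgrind (the Red Hat variant), so the over-read is
# reported directly instead of inferred from the warning text.
# Prints one of: skipped | vulnerable-signature | clean | perl-error(<rc>)
cve_2018_6798_valgrind() {
    if ! command -v valgrind >/dev/null 2>&1 || ! command -v perl >/dev/null 2>&1; then
        printf 'skipped\n'
        return 0
    fi
    # --error-exitcode makes valgrind exit 99 when it reported any memory
    # error (invalid read/write), distinguishable from perl's own exit code.
    if valgrind -q --error-exitcode=99 perl -e '"\xff" =~ /(?il)\x{100}|\x{100}/;' >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 99 ]; then
        printf 'vulnerable-signature\n'
    elif [ "$rc" -eq 0 ]; then
        printf 'clean\n'
    else
        printf 'perl-error(%s)\n' "$rc"
    fi
}

printf 'CVE-2018-6798 warning check: %s\n' "$(cve_2018_6798_check)"
printf 'CVE-2018-6798 valgrind check: %s\n' "$(cve_2018_6798_valgrind)"
```

Run it before and after installing the candidate packages; the warning check should go from vulnerable-signature to clean. The two reproducers that did not change output in the comment above (the reg_node panic and the pack 'K' error) are not usable this way, since the visible message is the same with and without the fix, so the changelog of the built package is the better check for those.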
@ David Asking for feedback because Len's specific PoC tests for CVE-2018-6797 and CVE-2018-6913 showed no change (that for CVE-2018-6798 *did*). We had a case recently where one patch of several got left out. Can we confirm that the relevant patches *are* in the code? And if so, please validate. Advisory done.
Keywords: (none) => advisory, feedback
CC: (none) => lewyssmith
Yep, it's good. Thanks.
Keywords: feedback => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0241.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED