+++ This bug was initially created as a clone of Bug #22913 +++

Debian has issued an advisory on April 14:
https://www.debian.org/security/2018/dsa-4172

I'd guess these were fixed in perl 5.26.2 recently uploaded to Cauldron, but that should be verified.

Debian has commit links for the fixes:
https://security-tracker.debian.org/tracker/CVE-2018-6797
https://security-tracker.debian.org/tracker/CVE-2018-6798
https://security-tracker.debian.org/tracker/CVE-2018-6913

As Debian notes, Mageia 5 is not vulnerable to CVE-2018-6798, it was deemed too difficult to fix CVE-2018-6797 there, but we can borrow their patch for CVE-2018-6913.

Adding Debian's patch I get the following failure, which appears to not be related to the new patch. Is it because the BS has networking disabled now? Can we disable these two tests?

# Failed test ''IO::Socket->new( Domain => AF_INET )' isa 'IO::Socket::IP''
# at t/15io-socket.t line 20.
# 'IO::Socket->new( Domain => AF_INET )' isn't defined
# Failed test ''IO::Socket->new( Domain => AF_INET6 )' isa 'IO::Socket::IP''
# at t/15io-socket.t line 45.
# 'IO::Socket->new( Domain => AF_INET6 )' isn't defined
# error was Name or service not known
# Looks like you failed 2 tests of 4.
../cpan/IO-Socket-IP/t/15io-socket.t .............................. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/4 subtests

Test Summary Report
-------------------
../cpan/IO-Socket-IP/t/15io-socket.t (Wstat: 512 Tests: 4 Failed: 2)
  Failed tests: 1, 3
  Non-zero exit status: 2
../cpan/IO-Socket-IP/t/16v6only.t (Wstat: 5632 Tests: 0 Failed: 0)
  Non-zero exit status: 22
  Parse errors: No plan found in TAP output
Status comment: (none) => Fix checked into SVN, unrelated test error when building
I think we can disable them for now.
Thanks!

Advisory:
========================

Updated perl packages fix security vulnerability:

GwanYeong Kim reported that 'pack()' could cause a heap buffer write overflow with a large item count (CVE-2018-6913).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6913
https://www.debian.org/security/2018/dsa-4172
========================

Updated packages in core/updates_testing:
========================
perl-5.20.1-8.8.mga5
perl-base-5.20.1-8.8.mga5
perl-devel-5.20.1-8.8.mga5
perl-doc-5.20.1-8.8.mga5

from perl-5.20.1-8.8.mga5.src.rpm
I forgot to assign to QA.
Status comment: Fix checked into SVN, unrelated test error when building => (none)
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Tested by closing MCC, starting it again and running through its different components: Software, Hardware, Shared networking, Local disk, System. All seems OK.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
Mageia 6, x86_64

Downloaded PoCs.

Before the update:
==================

CVE-2018-6797
https://rt.perl.org/Public/Bug/Display.html?id=132227
$ perl 132227b.pl
panic: reg_node overrun trying to emit 0, 10c642c>=10c642c at 132227b.pl line 1.

CVE-2018-6798
https://rt.perl.org/Public/Bug/Display.html?id=132063
$ perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
Operation "pattern match (m//)" returns its argument for non-Unicode code point 0xD040000000000000 at -e line 1.

Does not look like the output upstream but in that case perl had been compiled with asan support. Their test aborted after delivering this message:
==11464==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001b3a at pc 0x000000c66a61 bp 0x7ffd2e7fafb0 sp 0x7ffd2e7fafa8
READ of size 1 at 0x602000001b3a thread T0

However... the modified test at https://bugzilla.redhat.com/show_bug.cgi?id=1547779 reproduces the valgrind output.
$ valgrind -- perl -e '"\xff" =~ /(?il)\x{100}|\x{100}/;'

CVE-2018-6913
https://rt.perl.org/Public/Bug/Display.html?id=131844
$ perl S_pack_rec_heap_PoC
Invalid type 'K' in pack at S_pack_rec_heap_PoC line 1.

The upstream test uses asan and produces an abort. There is also a note that this reproduces only on 32-bit systems so it is probably not relevant. Not too keen on switching to virtualbox on this one.

Updated the packages.

After the update:
=================

$ perl 132227b.pl
panic: reg_node overrun trying to emit 0, 16c842c>=16c842c at 132227b.pl line 1.

$ perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
$

$ perl S_pack_rec_heap_PoC
Invalid type 'K' in pack at S_pack_rec_heap_PoC line 1.

We have not learnt very much from that exercise.

Tried out some perl scripts lying around. nemux.pl generated newmux.aiff. Lewis's onecheck.pl retrieved information on current isos from bcd.mageia.org.
Followed Herman's lead and put MCC through its paces. No problems.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA6-64-OK
CC: (none) => tarazed25
@Len: did you not notice that this bug is Mageia 5 only? Regret your work.
Keywords: (none) => advisory, validated_update
Whiteboard: MGA5-32-OK MGA6-64-OK => MGA5-32-OK
CC: (none) => sysadmin-bugs
@Lewis; No - thanks ;-(, typical of steam-rollering on, not looking to left or right. Too many problems ex-Mageia, hopefully less than yours.
Second thoughts - maybe my report was intended for bug 22913. It is just too confusing having two perl updates open at one time. So, I shall attach it to the other bug because it was almost certainly intended for it.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0247.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED