CVE-2023-47038 was announced here: https://www.openwall.com/lists/oss-security/2023/12/01/1 Mageia 9 is also affected.
Source RPM: (none) => perl-5.38.0-2.mga10.src.rpmWhiteboard: (none) => MGA9TOOStatus comment: (none) => Fixed upstream in 5.38.2 and 5.36.3
Assigning to Perl group.
Assignee: bugsquad => perl
Suggested advisory: ======================== The updated packages fix a security vulnerability: Write past buffer end via illegal user-defined Unicode property. (CVE-2023-47038) References: https://www.openwall.com/lists/oss-security/2023/12/01/1 ======================== Updated packages in core/updates_testing: ======================== perl-5.36.0-1.1.mga9 perl-base-5.36.0-1.1.mga9 perl-devel-5.36.0-1.1.mga9 perl-doc-5.36.0-1.1.mga9 from SRPM: perl-5.36.0-1.1.mga9.src.rpm
Source RPM: perl-5.38.0-2.mga10.src.rpm => perl-5.36.0-1.mga9.src.rpmVersion: Cauldron => 9Status: NEW => ASSIGNEDAssignee: perl => qa-bugsCVE: (none) => CVE-2023-47038Status comment: Fixed upstream in 5.38.2 and 5.36.3 => (none)Whiteboard: MGA9TOO => (none)
Mageia9 x86_64 The comments accessed via the CVE link talk about a write buffer overflow vulnerability affecting Windows systems so it is probably out of our jurisdiction. Clean update. $ locate .pl | wc -l 4569 $ clock.pl launched the Date, Clock and Time Zone Settings gui. Checked 'Enable Network Time Protocol' and was asked to install chrony. Chose Europe All Servers pool. Found an old PoC which creates an aiff file. Ran it to see what happens: $ perl nemux.pl [*] Making AIFF file: "nemux.aiff" [*] Done... AIFF File Size: 21672 Is it over? ... Hello? ... Did we win? (cit.) [+] You can test it on OSX and Linux with Audacity - linux command line /usr/bin/audacity namux.aiff [+] You can test it on OSX Windows and Linux - with Adobe Audition Note: Adobe Audition will trigger the bug just when it scans the directory that contains this aiff file Marco Romano @nemux_ $ ll *.aiff -rw-r--r-- 1 lcl lcl 21672 Jan 30 17:59 nemux.aiff audacity did not recognise the type of the file but it could be imported as raw data and showed audio file characteristics. MCC/drakconf has a lot of perl dependencies so ran that to exercise perl. Installed perl-ImageMagick and ran a local example.pl file which applied a set of transformations of a test image and generated a 5x15 mosaic image of all of them. Everything seems to work.
CC: (none) => tarazed25Whiteboard: (none) => MGA9-64-OK
CC: (none) => marja11URL: (none) => https://www.openwall.com/lists/oss-security/2023/12/01/1
Keywords: (none) => advisory
CC: (none) => andrewsfarm
Updated without issues urpmi family still works MCC works
mga9-64 OK here Updated perl and ran some MCC parts: nothing but the usual noise in the terminal from were i launched it. @katnaktek: what arch did you test? This being important system package (i e for out tools), I think we need 32 bit tests too?
CC: (none) => fri
(In reply to Morgan Leijström from comment #5) > @katnaktek: what arch did you test? > > This being important system package (i e for out tools), I think we need 32 > bit tests too? Tested in real hardware mageia 9 x86_64 I will test later in i586
Tested in Real Hardware Mageia 9 i586 lxqt I update this packages before test the packages for kernel 6.6 MCC and urpmi family works as always
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK
Thanks for the tests. Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0021.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED