Bug 34209 - perl new security issues CVE-2024-56406 and CVE-2025-40909
Summary: perl new security issues CVE-2024-56406 and CVE-2025-40909
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Duplicates: 34333 (view as bug list)
Depends on:
Blocks: 31852
Reported: 2025-04-22 11:38 CEST by Nicolas Salguero
Modified: 2025-11-12 22:32 CET (History)

See Also:
Source RPM: perl-5.36.0-1.1.mga9.src.rpm
CVE: CVE-2023-31484, CVE-2024-56406, CVE-2025-40909
Status comment:


Description Nicolas Salguero 2025-04-22 11:38:12 CEST
CVE-2024-56406 was announced here:
https://openwall.com/lists/oss-security/2025/04/13/3
Nicolas Salguero 2025-04-22 11:38:38 CEST

CVE: (none) => CVE-2024-56406
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => perl-5.40.1-1.mga10.src.rpm, perl-5.36.0-1.1.mga9.src.rpm

Comment 1 Nicolas Salguero 2025-04-22 12:11:49 CEST
Debian has issued an advisory on April 13:
https://lists.debian.org/debian-security-announce/2025/msg00064.html
Comment 2 Nicolas Salguero 2025-04-22 13:50:03 CEST
Ubuntu has issued an advisory on April 14:
https://ubuntu.com/security/notices/USN-7434-1
Comment 4 Lewis Smith 2025-04-22 21:51:01 CEST
This may be the patch:

https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch

Over to Perl maintainers.

Assignee: bugsquad => perl

Comment 5 Nicolas Salguero 2025-05-26 08:43:52 CEST
CVE-2025-40909 was announced here:
https://www.openwall.com/lists/oss-security/2025/05/22/2
https://www.openwall.com/lists/oss-security/2025/05/23/1

CVE: CVE-2024-56406 => CVE-2024-56406, CVE-2025-40909
Summary: perl new security issue CVE-2024-56406 => perl new security issues CVE-2024-56406 and CVE-2025-40909

Comment 6 Nicolas Salguero 2025-06-02 10:27:55 CEST
*** Bug 34333 has been marked as a duplicate of this bug. ***
Comment 7 Nicolas Salguero 2025-06-02 10:29:12 CEST
Patch linked in: https://openwall.com/lists/oss-security/2025/05/30/4
Comment 8 Nicolas Salguero 2025-06-02 10:31:10 CEST
Follow up: https://www.openwall.com/lists/oss-security/2025/06/02/2
Nicolas Salguero 2025-11-10 15:09:07 CET

Whiteboard: MGA9TOO => (none)
Source RPM: perl-5.40.1-1.mga10.src.rpm, perl-5.36.0-1.1.mga9.src.rpm => perl-5.36.0-1.1.mga9.src.rpm
Version: Cauldron => 9

Nicolas Salguero 2025-11-10 15:51:22 CET

Blocks: (none) => 31852

Comment 9 Nicolas Salguero 2025-11-10 15:55:39 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. (CVE-2023-31484)

Perl is vulnerable to a heap buffer overflow when transliterating non-ASCII bytes. (CVE-2024-56406)

Perl threads have a working directory race condition where file operations may target unintended paths. (CVE-2025-40909)

References:
https://bugs.mageia.org/show_bug.cgi?id=31852
https://www.openwall.com/lists/oss-security/2023/04/29/1
https://ubuntu.com/security/notices/USN-6112-1
https://openwall.com/lists/oss-security/2025/04/13/3
https://lists.debian.org/debian-security-announce/2025/msg00064.html
https://ubuntu.com/security/notices/USN-7434-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USJDDXS5I35D7CEPDILLJIEUAZOXW7YF/
https://www.openwall.com/lists/oss-security/2025/05/22/2
https://www.openwall.com/lists/oss-security/2025/05/23/1
https://openwall.com/lists/oss-security/2025/05/30/4
https://www.openwall.com/lists/oss-security/2025/06/02/2
========================

Updated packages in core/updates_testing:
========================
perl-5.36.0-1.2.mga9
perl-base-5.36.0-1.2.mga9
perl-devel-5.36.0-1.2.mga9
perl-doc-5.36.0-1.2.mga9

from SRPM:
perl-5.36.0-1.2.mga9.src.rpm

Status: NEW => ASSIGNED
CVE: CVE-2024-56406, CVE-2025-40909 => CVE-2023-31484, CVE-2024-56406, CVE-2025-40909
Assignee: perl => qa-bugs
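
A checker for the package list above, added here as an example and not part of the bug report or of Mageia's tooling: it re-implements librpm's version comparison rules (numeric, alphabetic and `~` segments, plus epoch) so that an installed `epoch:version-release` can be compared against the fixed release `1.2.mga9` without relying on string ordering. The fixed versions are taken from comment 9, the epoch `2` from the urpmi log later in this bug; the query format and the sample `rpm -qa` output are constructed for the example.

```python
"""Report which installed Mageia perl packages are still below the fixed release.

Example code added to illustrate the advisory above; not part of the bug report.
Input is assumed to be the output of
  rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\\n' 'perl*'
(rpm prints "(none)" for a missing epoch, which is treated as 0).
"""
import re

# Fixed NEVRs from comment 9; epoch 2 is what the urpmi log shows for these packages.
FIXED = {
    "perl":       "2:5.36.0-1.2.mga9",
    "perl-base":  "2:5.36.0-1.2.mga9",
    "perl-devel": "2:5.36.0-1.2.mga9",
    "perl-doc":   "2:5.36.0-1.2.mga9",
}

# Segments librpm compares: digit runs, letter runs, and the '~' pre-release marker.
# Separators such as '.' and '-' are skipped, as rpmvercmp does.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpmvercmp; returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":            # '~' sorts before anything, even end of string
            if x == y:
                continue
            return -1 if x == "~" else 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:                        # a numeric segment beats an alphabetic one
            return 1 if xd else -1
        if xd:
            xi, yi = int(x), int(y)         # numeric compare ignores leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":                      # "1.0~rc1" is older than "1.0"
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1         # otherwise the longer string is newer


def parse_evr(label: str):
    """Split 'epoch:version-release' into (epoch, version, release)."""
    epoch = "0"
    if ":" in label:
        epoch, label = label.split(":", 1)
    if epoch == "(none)":
        epoch = "0"
    version, release = label.rsplit("-", 1)
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Full EVR comparison: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def vulnerable_packages(rpm_qa_lines):
    """Return (name, installed_evr, fixed_evr) for packages still below the fix."""
    found = []
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, evr = line.split()
        fixed = FIXED.get(name)
        if fixed and evr_cmp(evr, fixed) < 0:
            found.append((name, evr, fixed))
    return found


# Constructed sample output: a host where perl and perl-devel were not yet updated.
SAMPLE = """\
perl 2:5.36.0-1.1.mga9
perl-base 2:5.36.0-1.2.mga9
perl-devel 2:5.36.0-1.1.mga9
perl-doc 2:5.36.0-1.2.mga9
perl-CPAN (none):2.340.0-1.1.mga9
"""

if __name__ == "__main__":
    for name, have, want in vulnerable_packages(SAMPLE.splitlines()):
        print(f"{name}: installed {have} is older than fixed {want}")
```

On a real host, pipe the `rpm -qa` query from the docstring into `vulnerable_packages` instead of `SAMPLE`; an empty result means every package in the advisory list is at or above `1.2.mga9`.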

katnatek 2025-11-11 00:20:02 CET

Keywords: (none) => advisory

Comment 10 katnatek 2025-11-12 02:43:32 CET
Tested with some other perl in testing

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/perl*

installing perl-5.36.0-1.2.mga9.x86_64.rpm perl-base-5.36.0-1.2.mga9.x86_64.rpm perl-doc-5.36.0-1.2.mga9.noarch.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ####################################################################################################
      1/3: perl-base             ####################################################################################################
      2/3: perl                  ####################################################################################################
      3/3: perl-doc              ####################################################################################################
      1/3: removing perl-doc-2:5.36.0-1.1.mga9.noarch
                                 ####################################################################################################
      2/3: removing perl-2:5.36.0-1.1.mga9.x86_64
                                 ####################################################################################################
      3/3: removing perl-base-2:5.36.0-1.1.mga9.x86_64
                                 ####################################################################################################
restarting urpmi
Packages perl-5.36.0-1.2.mga9.x86_64, perl-doc-5.36.0-1.2.mga9.noarch, perl-base-5.36.0-1.2.mga9.x86_64 are already installed
Marking perl as manually installed, it won't be auto-orphaned
Marking perl-doc as manually installed, it won't be auto-orphaned
Marking perl-base as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  perl-Archive-Zip               1.680.0      2.mga9        noarch  
  perl-CPAN-Checksums            2.140.0      2.mga9        noarch  
  perl-CPAN-Perl-Releases        5.202.302.2> 1.mga9        noarch  
  perl-Compress-Bzip2            2.280.0      4.mga9        x86_64  
  perl-Data-Compare              1.270.0      3.mga9        noarch  
  perl-Expect                    1.350.0      6.mga9        noarch  
  perl-File-Find-Rule            0.340.0      5.mga9        noarch  
  perl-File-HomeDir              1.6.0        2.mga9        noarch  
  perl-File-Which                1.270.0      2.mga9        noarch  
  perl-IO-Tty                    1.170.0      1.mga9        x86_64  
  perl-Log-Dispatch              2.700.0      2.mga9        noarch  
  perl-Log-Log4perl              1.570.0      1.mga9        noarch  
  perl-Mail-Sender               0.903.0      4.mga9        noarch  
  perl-Mail-Sendmail             0.800.0      5.mga9        noarch  
  perl-Module-Signature          0.880.0      2.mga9        noarch  
  perl-Number-Compare            0.30.0       10.mga9       noarch  
  perl-Text-Glob                 0.110.0      4.mga9        noarch  
  perl-XML-DOM                   1.460.0      4.mga9        noarch  
  perl-XML-RegExp                0.40.0       10.mga9       noarch  
  perl-YAML-Syck                 1.340.0      4.mga9        x86_64  
  perl-libxml-perl               0.80.0       11.mga9       noarch  
  systemtap-sdt-devel            4.8          2.mga9        x86_64  
(command line)
  perl-CPAN                      2.340.0      1.1.mga9      noarch  
  perl-HTTP-Tiny                 0.82.0       1.1.mga9      noarch  
  perl-YAML-LibYAML              0.860.0      1.1.mga9      x86_64  
  perl-devel                     5.36.0       1.2.mga9      x86_64  
7.2MB of additional disk space will be used.
2.2MB of packages will be retrieved.
Proceed with the installation of the 26 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/systemtap-sdt-devel-4.8-2.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Mail-Sender-0.903.0-4.mga9.noarch.rpm       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-CPAN-Checksums-2.140.0-2.mga9.noarch.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-XML-RegExp-0.40.0-10.mga9.noarch.rpm        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Expect-1.350.0-6.mga9.noarch.rpm            
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Number-Compare-0.30.0-10.mga9.noarch.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-CPAN-Perl-Releases-5.202.302.200-1.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Module-Signature-0.880.0-2.mga9.noarch.rpm  
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Mail-Sendmail-0.800.0-5.mga9.noarch.rpm     
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Text-Glob-0.110.0-4.mga9.noarch.rpm         
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Archive-Zip-1.680.0-2.mga9.noarch.rpm       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Data-Compare-1.270.0-3.mga9.noarch.rpm      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-XML-DOM-1.460.0-4.mga9.noarch.rpm           
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-File-Find-Rule-0.340.0-5.mga9.noarch.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Compress-Bzip2-2.280.0-4.mga9.x86_64.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-libxml-perl-0.80.0-11.mga9.noarch.rpm       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Log-Log4perl-1.570.0-1.mga9.noarch.rpm      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Log-Dispatch-2.700.0-2.mga9.noarch.rpm      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-IO-Tty-1.170.0-1.mga9.x86_64.rpm            
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-File-Which-1.270.0-2.mga9.noarch.rpm        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-File-HomeDir-1.6.0-2.mga9.noarch.rpm        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-YAML-Syck-1.340.0-4.mga9.x86_64.rpm         
installing /home/katnatek/qa-testing/x86_64/perl-devel-5.36.0-1.2.mga9.x86_64.rpm                                                     
/var/cache/urpmi/rpms/perl-CPAN-Perl-Releases-5.202.302.200-1.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-XML-RegExp-0.40.0-10.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Expect-1.350.0-6.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-CPAN-Checksums-2.140.0-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-YAML-Syck-1.340.0-4.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-libxml-perl-0.80.0-11.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Log-Dispatch-2.700.0-2.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/perl-YAML-LibYAML-0.860.0-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-Mail-Sendmail-0.800.0-5.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Archive-Zip-1.680.0-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Number-Compare-0.30.0-10.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Module-Signature-0.880.0-2.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/perl-HTTP-Tiny-0.82.0-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/systemtap-sdt-devel-4.8-2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-Mail-Sender-0.903.0-4.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-IO-Tty-1.170.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-File-Which-1.270.0-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-File-HomeDir-1.6.0-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Compress-Bzip2-2.280.0-4.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-Log-Log4perl-1.570.0-1.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/perl-CPAN-2.340.0-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-XML-DOM-1.460.0-4.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-File-Find-Rule-0.340.0-5.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Text-Glob-0.110.0-4.mga9.noarch.rpm
/var/cache/urpmi/rpms/perl-Data-Compare-1.270.0-3.mga9.noarch.rpm
Preparing...                     ####################################################################################################
     1/26: perl-Text-Glob        ####################################################################################################
     2/26: perl-Compress-Bzip2   ####################################################################################################
     3/26: perl-File-Which       ####################################################################################################
     4/26: perl-Module-Signature ####################################################################################################
     5/26: perl-File-HomeDir     ####################################################################################################
     6/26: perl-IO-Tty           ####################################################################################################
     7/26: perl-Expect           ####################################################################################################
     8/26: perl-Mail-Sender      ####################################################################################################
     9/26: systemtap-sdt-devel   ####################################################################################################
    10/26: perl-HTTP-Tiny        ####################################################################################################
    11/26: perl-Number-Compare   ####################################################################################################
    12/26: perl-File-Find-Rule   ####################################################################################################
    13/26: perl-Data-Compare     ####################################################################################################
    14/26: perl-CPAN-Checksums   ####################################################################################################
    15/26: perl-Archive-Zip      ####################################################################################################
    16/26: perl-Mail-Sendmail    ####################################################################################################
    17/26: perl-Log-Dispatch     ####################################################################################################
    18/26: perl-YAML-LibYAML     ####################################################################################################
    19/26: perl-libxml-perl      ####################################################################################################
    20/26: perl-YAML-Syck        ####################################################################################################
    21/26: perl-XML-RegExp       ####################################################################################################
    22/26: perl-XML-DOM          ####################################################################################################
    23/26: perl-Log-Log4perl     ####################################################################################################
    24/26: perl-CPAN-Perl-Releases
                                 ####################################################################################################
    25/26: perl-CPAN             ####################################################################################################
    26/26: perl-devel            ####################################################################################################

The restart of urpmi and the end of the installation without issues are a good signal.
mcc works OK after the update
Comment 11 Herman Viaene 2025-11-12 17:22:52 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
As stated above, ran through a number of MCC features, no problem seen.
So OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 12 Thomas Andrews 2025-11-12 19:19:59 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 13 Mageia Robot 2025-11-12 22:32:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0274.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

