Mandriva issued this advisory today (January 18): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:008 MDV 2011 has the same version of Perl as Mageia 1 and their update includes patches for these issues. We also have an update candidate in updates_testing with fixes for CVE-2011-3507 and CVE-2011-2939, but there doesn't appear to have been a bug filed for it yet.
CC: (none) => fundawang
It appears the update candidate addresses the issues for this bug, and the 3507 in the changelog is a typo. (3507 is for the Oracle Sun Products Suite, 3597 is for Perl.) Hopefully it can be re-built fixing the changelog. Other than that it is ready for testing pending confirmation from Funda Wang who built it.
Yes, I've updated the patch name. Please test it. And, for CVE-2011-3597, please update perl-Digest-1.160.0-2.1.mga1.noarch.rpm also.
CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs
Funda can you supply an update advisory please. Thanks.
Created attachment 1425 [details]
Test script for CVE-2011-3597

Script from https://rt.cpan.org/Public/Bug/Display.html?id=71390#txn-983600

Before updating ...

./test.py
I own you
Can't locate object method "new" via package "Digest::MD5;print qq[I own you\n]" at /usr/lib/perl5/5.12.3/Digest.pm line 44.

After updating ...

./test.py
Can't locate Digest/MD5;print qq[I own you\n].pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.12.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.12.3 /usr/lib/perl5/vendor_perl/5.12.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.12.3 /usr/lib/perl5/5.12.3/i386-linux-thread-multi /usr/lib/perl5/5.12.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.12.2 /usr/lib/perl5/vendor_perl/5.12.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl .) at /usr/lib/perl5/vendor_perl/5.12.3/Digest.pm line 40

Testing of the digest complete on i586.
Attachment 1425 mime type: application/octet-stream => text/plain
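The before/after output above shows the two behaviours at the heart of CVE-2011-3597: an algorithm name that reaches a string eval is executed as Perl, while a name that only reaches a file lookup merely fails to be found. The following is an added illustration written for this page; it is not the attached test script and not the code of Digest.pm itself. It reproduces the bug class with a minimal loader (`load_vulnerable`) and shows one hardening (`load_hardened`) that validates the name as a package identifier and then loads it by file path with a block eval, so the name can never be interpreted as code. The function names and the injected payload (`$main::pwned = 1`) are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern (illustrative, not Digest.pm's code): the caller-supplied
# algorithm name is interpolated into a string eval. Everything after the
# module name is parsed and run as Perl.
sub load_vulnerable {
    my ($algorithm) = @_;
    my $class = "Digest::$algorithm";
    eval "require $class";      # string eval: executes attacker-controlled text
    die $@ if $@;
    return $class;
}

# Hardened variant: accept only a well-formed package name, map it to a
# relative file path, and use the non-string form of require inside a block
# eval. A bad name either fails the check or is simply not found in @INC.
sub load_hardened {
    my ($algorithm) = @_;
    die "invalid algorithm name '$algorithm'\n"
        unless $algorithm =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;
    my $class = "Digest::$algorithm";
    (my $file = $class) =~ s{::}{/}g;
    $file .= '.pm';
    eval { require $file };     # block eval: file lookup only, no code in the name
    die $@ if $@;
    return $class;
}

# Constructed inputs: a legitimate algorithm and an injected one. The payload
# sets a package variable so the effect is visible without relying on output.
our $pwned = 0;
my $good = 'MD5';
my $evil = 'MD5; $main::pwned = 1';

my $class = load_vulnerable($good);
print "vulnerable, benign input:   loaded $class\n";
load_vulnerable($evil);
print "vulnerable, injected input: pwned=$pwned (injected code ran)\n";

$pwned = 0;
$class = load_hardened($good);
print "hardened, benign input:     loaded $class\n";
eval { load_hardened($evil) };
chomp(my $err = $@);
print "hardened, injected input:   rejected ($err), pwned=$pwned\n";
```

Run it with the stock perl on any system that has Digest::MD5 (it is a core module). The vulnerable loader reports `pwned=1` after the injected name, the hardened loader rejects the same name before any loading happens. The regex is deliberately stricter than "remove some punctuation": it whitelists the shape of a Perl package name rather than trying to strip out dangerous characters, which is the approach that scales to other loaders that build module names from user input.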
Advisory:
========================

Updated perl packages fix security vulnerabilities:

Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow (CVE-2011-2939).

Eval injection in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor (CVE-2011-3597).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3597
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:008
========================

Updated packages in core/updates_testing:
========================
perl-5.12.3-4.2.mga1
perl-Digest-1.160.0-2.1.mga1
perl-base-5.12.3-4.2.mga1
perl-devel-5.12.3-4.2.mga1
perl-doc-5.12.3-4.2.mga1

from SRPMS:
perl-5.12.3-4.2.mga1.src.rpm
perl-Digest-1.160.0-2.1.mga1.src.rpm
We still need confirmation of testing on x86-64 for this security update.
CC: (none) => davidwhodgins
Testing complete on x86_64 with the script from comment 4 and rpmdrake. There are other perl SRPMs in updates_testing, are they part of this update or just missing bug reports? Update validated. Please see comment 5 for the advisory and SRPMs. Could sysadmin please push to updates, thank you! Maybe wait for confirmation of the SRPMs before pushing, but this is a security update.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
I can confirm that the other perl packages are not related to this. perl-Gtk2-MozEmbed says "Rebuild against New xulrunner" from dmorgan; it looks like it should have been pushed with the last xulrunner/firefox update. perl-PAR says "add upstream patch to fix CVE-2011-5060" from Funda Wang. perl-PAR-Packer says "add upstream patch to fix CVE-2011-4114" from Funda Wang.
Thanks David :)
Bug 4313 filed for perl PAR module issues.
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED