Bug 8253 - perl new security issue CVE-2012-5195
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/527725/
Whiteboard: has_procedure mga2-64-OK MGA2-32-OK
Keywords: validated_update
 
Reported: 2012-11-30 17:33 CET by David Walser
Modified: 2012-12-07 13:10 CET (History)
Source RPM: perl-5.16.2-2.mga3.src.rpm

Description David Walser 2012-11-30 17:33:57 CET
Ubuntu has issued an advisory on November 29:
http://www.ubuntu.com/usn/usn-1643-1/

It's not clear which versions are affected, but Ubuntu has a link to the upstream patch and also notes that the Debian bug has a reproducer:
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5195.html

The other CVEs in the advisory include the perl-CGI vulnerability that we just fixed, as well as low severity vulnerabilities in perl-Digest and perl-Encode that only impact Mageia 1 (they were fixed upstream in the versions we have in Mageia 2).
Comment 1 Jerome Quelin 2012-12-03 10:21:57 CET
mageia 1 no longer supported.
Comment 2 Jerome Quelin 2012-12-03 12:48:29 CET
doesn't affect perl 5.16, so cauldron is safe.
Comment 3 Jerome Quelin 2012-12-03 13:11:29 CET
fixed in perl-5.14.2-8.mga2, currently being built.
qa: please validate & push to updates.
Comment 4 David Walser 2012-12-03 15:31:10 CET
Thanks Jerome!

Advisory:
========================

Updated perl packages fix security vulnerability:

It was discovered that Perl's 'x' string repeat operator is vulnerable to a
heap-based buffer overflow. An attacker could use this to execute arbitrary
code (CVE-2012-5195).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5195
http://www.ubuntu.com/usn/usn-1643-1/
========================

Updated packages in core/updates_testing:
========================
perl-5.14.2-8.mga2
perl-base-5.14.2-8.mga2
perl-devel-5.14.2-8.mga2
perl-doc-5.14.2-8.mga2

from perl-5.14.2-8.mga2.src.rpm
Comment 5 claire robinson 2012-12-03 20:17:57 CET
PoC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689314

Before
------

$ perl -le 'print "v"x(2**31+1) ."=1"'
Segmentation fault

After
-----

$ perl -le 'print "v"x(2**31+1) ."=1"'
panic: memory wrap at -e line 1.
Comment 6 Dave Hodgins 2012-12-03 23:00:15 CET
Testing complete on Mageia 2 i586 and x86-64.

Unlike Comment 5, I'm getting "Out of memory", with perl-5.14.2-7.mga2,
rather than a segfault.  Same with perl-5.14.2-8.mga2.

For testing, I'm just checking that perl programs such as mgaapplet, rpmdrake,
and diskdrake are working.

Could someone from the sysadmin team push the srpm
perl-5.14.2-8.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated perl packages fix security vulnerability:

It was discovered that Perl's 'x' string repeat operator is vulnerable to a
heap-based buffer overflow. An attacker could use this to execute arbitrary
code (CVE-2012-5195).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5195
http://www.ubuntu.com/usn/usn-1643-1/

https://bugs.mageia.org/show_bug.cgi?id=8253
Comment 7 David Walser 2012-12-03 23:50:01 CET
On Mageia 1, I get "Out of memory!" with the current version, and after rebuilding it with the patch.  Strange.

Anyway, I've checked the patch into Mageia 1 SVN if anyone ever wants it.
Comment 8 Thomas Backlund 2012-12-07 13:10:14 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0352
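
An added example, not part of the bug thread or of Mageia's QA tooling: a shell helper that classifies the outcome of the reproducer from Comment 5. It treats the "Out of memory" result reported in Comments 6 and 7 as inconclusive, because it appeared both before and after the update. The function names, verdict labels and the `RUN_POC` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the outcome of the reproducer quoted in Comment 5.
# Function names and verdict labels are hypothetical, not Mageia QA tooling.

# classify_poc_result STATUS STDERR_TEXT -> prints one verdict word
classify_poc_result() {
    status=$1
    stderr_text=$2
    # A child killed by SIGSEGV (signal 11) is reported as 128 + 11 = 139.
    if [ "$status" -eq 139 ]; then
        echo vulnerable; return 0
    fi
    case $stderr_text in
        *"Segmentation fault"*)
            # Text form of the crash, e.g. from a pasted terminal log ("Before").
            echo vulnerable; return 0 ;;
        *"panic: memory wrap"*)
            # Message seen with perl-5.14.2-8.mga2 in Comment 5 ("After").
            echo patched; return 0 ;;
        *"Out of memory"*)
            # Comments 6 and 7 saw this both before and after the update,
            # so it cannot tell a fixed build from an unfixed one.
            echo inconclusive; return 0 ;;
    esac
    echo unknown
}

# run_repeat_poc: run the one-liner from Comment 5, discard stdout, classify.
run_repeat_poc() {
    rc=0
    err=$(perl -le 'print "v"x(2**31+1) ."=1"' 2>&1 >/dev/null) || rc=$?
    classify_poc_result "$rc" "$err"
}

# Only touch the installed perl when explicitly asked to.
if [ "${RUN_POC:-0}" = 1 ]; then
    printf '%s: %s\n' "$(rpm -q perl)" "$(run_repeat_poc)"
fi
```

An `inconclusive` verdict means the reproducer did not exercise the fix on that machine, so the installed package version is the only evidence that the update was applied.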
