ESB-2018.1144 - [Debian] perl: Multiple vulnerabilities 2018-04-16



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1144
                           perl security update
                               16 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           perl
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6913 CVE-2018-6798 CVE-2018-6797

Reference:         ESB-2018.1142

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4172

--------------------------BEGIN INCLUDED TEXT--------------------


-------------------------------------------------------------------------
Debian Security Advisory DSA-4172-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 14, 2018                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-6797

    Brian Carpenter reported that a crafted regular expression
    could cause a heap buffer write overflow, with control over the
    bytes written.

CVE-2018-6798

    Nguyen Duc Manh reported that matching a crafted locale-dependent
    regular expression could cause a heap buffer read overflow and
    potentially information disclosure.

CVE-2018-6913

    GwanYeong Kim reported that 'pack()' could cause a heap buffer write
    overflow with a large item count.

For the oldstable distribution (jessie), this problem has been fixed in
version 5.20.2-3+deb8u10. Note that the oldstable distribution (jessie)
update contains only a fix for CVE-2018-6913.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u3.

We recommend that you upgrade your perl packages.
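To decide whether a given host is covered by this advisory, the version strings above have to be compared the way dpkg orders them (numeric runs compared numerically, '~' sorting before a release version). The following Python is an added example, not part of the Debian advisory or AusCERT's bulletin; it reimplements the Debian version ordering and reports which of the three CVEs remain open for a release codename and installed perl version (the codename table and the function names are this example's own assumptions).

```python
import re
from itertools import zip_longest
# Fixed versions from DSA-4172-1; the jessie update fixes only CVE-2018-6913.
ALL_CVES = {"CVE-2018-6797", "CVE-2018-6798", "CVE-2018-6913"}
FIXED = {
    "jessie": ("5.20.2-3+deb8u10", {"CVE-2018-6913"}),
    "stretch": ("5.24.1-3+deb9u3", ALL_CVES),
}

def _order(c):
    # dpkg ordering: '~' < end of string ("") < letters (ASCII) < everything else.
    if c in ("", "~"):
        return 0 if c == "" else -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit and digit runs (Debian Policy 5.6.12).
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for x, y in zip_longest(sa, sb, fillvalue=""):
            ox, oy = _order(x), _order(y)
            if ox != oy:
                return -1 if ox < oy else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v):
    # epoch:upstream-revision; a missing epoch or revision counts as 0.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def missing_cves(codename, installed):
    """Advisory CVEs still open at this perl version (unknown release: all, as a conservative assumption)."""
    fixed_version, fixed = FIXED.get(codename, (None, set()))
    if fixed_version is None or compare_versions(installed, fixed_version) < 0:
        return set(ALL_CVES)
    return ALL_CVES - fixed
```

On a Debian host the installed version can be read with `dpkg-query -W -f='${Version}' perl`; for jessie the result reflects the advisory's note that only CVE-2018-6913 is fixed there.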

For the detailed security status of perl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
