ESB-2018.3718 - [Win][UNIX/Linux][Debian] perl: Multiple vulnerabilities 2018-11-30

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3718
                           perl security update
                             30 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           perl
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Access Privileged Data          -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-18314 CVE-2018-18313 CVE-2018-18312
                   CVE-2018-18311  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4347

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running perl check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4347-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 29, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-18311

    Jayakrishna Menon and Christophe Hauser discovered an integer
    overflow vulnerability in Perl_my_setenv leading to a heap-based
    buffer overflow with attacker-controlled input.

CVE-2018-18312

    Eiichi Tsukata discovered that a crafted regular expression could
    cause a heap-based buffer overflow write during compilation,
    potentially allowing arbitrary code execution.

CVE-2018-18313

    Eiichi Tsukata discovered that a crafted regular expression could
    cause a heap-based buffer overflow read during compilation, which
    leads to an information leak.

CVE-2018-18314

    Jakub Wilk discovered that a specially crafted regular expression
    could lead to a heap-based buffer overflow.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u5.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================