Debian: New perl packages fix denial of service
Posted by Benjamin D. Thomas   
Debian It has been discovered that the Perl interpreter may encounter a buffer overflow condition when compiling certain regular expressions containing Unicode characters. This also happens if the offending characters are contained in a variable reference protected by the \Q...\E quoting construct. When encountering this condition, the Perl interpreter typically crashes, but arbitrary code execution cannot be ruled out.
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1556-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
April 24, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : perl
Vulnerability  : heap buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2008-1927
Debian Bug     : 454792

It has been discovered that the Perl interpreter may encounter a buffer
overflow condition when compiling certain regular expressions containing
Unicode characters.  This also happens if the offending characters are
contained in a variable reference protected by the \Q...\E quoting
construct.  When encountering this condition, the Perl interpreter
typically crashes, but arbitrary code execution cannot be ruled out.

For the stable distribution (etch), this problem has been fixed in
version 5.8.8-7etch2.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your perl packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2.dsc
    Size/MD5 checksum:     1033 a76db5d6c1c52e969641f262971d671b
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2.diff.gz
    Size/MD5 checksum:    96868 456e57f3e1d3c9ec432175496a646030
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8.orig.tar.gz
    Size/MD5 checksum: 12829188 b8c118d4360846829beb30b02a6b91a7

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.8.8-7etch2_all.deb
    Size/MD5 checksum:  2313432 dbbb5c3c64e2384db97b4b487610bc5e
  http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.8.8-7etch2_all.deb
    Size/MD5 checksum:  7348546 ed4582d9dede3e6c429d7501c3111e72
  http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.8.8-7etch2_all.deb
    Size/MD5 checksum:    40980 b0ff6226ffb342f1e2c8c53c32caf5b3

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_alpha.deb
    Size/MD5 checksum:  2928386 41db11aedf1d642eb51480cc470a8224
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_alpha.deb
    Size/MD5 checksum:     1010 b69362a76dd48c17fbaff2359ec70265
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_alpha.deb
    Size/MD5 checksum:   821430 ea7cb927f31fa3af3126b59f6d4eaa6f
  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_alpha.deb
    Size/MD5 checksum:    36236 221645a1bfb73e770341721b33ba8b85
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_alpha.deb
    Size/MD5 checksum:  4149744 1259a2a2bd2a85bfcf64479cc85e199b
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_alpha.deb
    Size/MD5 checksum:   879670 defb0e74374d71b16b438b874ba13a8b

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_amd64.deb
    Size/MD5 checksum:    32800 22480b2f4bded243ae1f621f0fe59fef
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_amd64.deb
    Size/MD5 checksum:   808850 61e1d09c98fb1fb5f12483ae9f63ab79
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_amd64.deb
    Size/MD5 checksum:   630448 81613abb6e184e1ff68f673b3b08f3bd
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_amd64.deb
    Size/MD5 checksum:  4238138 f1ecc46e8ea9796aae6c7874c283c57d
  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_amd64.deb
    Size/MD5 checksum:  2734908 3ca5eb6e7cc032d82753d33ad83b4a01
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_amd64.deb
    Size/MD5 checksum:     1010 25a444e727fd3a6d204bc6a536dfa30d

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_arm.deb
    Size/MD5 checksum:  2547782 215f4806d209971c26a9e2512ed167de
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_arm.deb
    Size/MD5 checksum:   759522 2ccda175882dbc65cde4daa434732548
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_arm.deb
    Size/MD5 checksum:   561950 a2acd57d7f18526aed26b050231154ba
  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_arm.deb
    Size/MD5 checksum:    30340 beae7b26e01fd5b0a4d8b5db515649f0
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_arm.deb
    Size/MD5 checksum:     1010 d1e558624e4e24aee24890df02555be5
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_arm.deb
    Size/MD5 checksum:  3409080 a4b034d2ffc6a29beda68107b2080e01

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_hppa.deb
    Size/MD5 checksum:  2735266 e1af1045ebc3795f553d32add1d76d64
  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_hppa.deb
    Size/MD5 checksum:    33196 a7514f8ff72218d50b6c79762fdd52c0
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_hppa.deb
    Size/MD5 checksum:   869350 f3436a83fc1201da8f603cb27f996b35
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_hppa.deb
    Size/MD5 checksum:     1014 deef1f78fc7d8c7171ec154090c62ed5
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_hppa.deb
    Size/MD5 checksum:   693972 1bbba786896bff50ceac5d58dcfc6c37
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_hppa.deb
    Size/MD5 checksum:  4195310 04541825adc3460e914bd3079174959f

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_i386.deb
    Size/MD5 checksum:  2491262 c99e05f4ae2cc54041eb0c47b9d43d14
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_i386.deb
    Size/MD5 checksum:   526958 91c2e4ff10f98219b062bc930d800bb9
  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_i386.deb
    Size/MD5 checksum:    32074 fa1e0caf1940a0ff8665b82a2d2f26e3
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_i386.deb
    Size/MD5 checksum:  3583758 2dbf25e51b8cf7a082f7afd04427ffdc
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_i386.deb
    Size/MD5 checksum:   585400 133aee0f403d7c31abb59c32600de5c9
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_i386.deb
    Size/MD5 checksum:   760350 5864e59b250a597ea524357e603decbc

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_ia64.deb
    Size/MD5 checksum:    51282 930868ee78bf728282c2c779ae0e439e
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_ia64.deb
    Size/MD5 checksum:  1153370 04a4c670d2ba5470234cd60e16362c12
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_ia64.deb
    Size/MD5 checksum:   977470 a572348ac95a6050529871738a09eb45
  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_ia64.deb
    Size/MD5 checksum:  3364140 078fce96136de4f893678630237be8fa
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_ia64.deb
    Size/MD5 checksum:  4335648 a96e0ee84c4024a0b49b61b7c7fb0b4b
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_ia64.deb
    Size/MD5 checksum:     1014 c7f68e8b50d41aade5a7a3cdf75d4373

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_mips.deb
    Size/MD5 checksum:  2781044 f5e48f307a9bbc84d68c7f474e5a2541
  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_mips.deb
    Size/MD5 checksum:    32222 1b5f5a124882606ceb2b4f5801081e7f
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_mips.deb
    Size/MD5 checksum:     1010 7b177e038a86893333a0ef2951489cbb
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_mips.deb
    Size/MD5 checksum:   693726 64abc926643ec3fa1dc3189948491772
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_mips.deb
    Size/MD5 checksum:   785736 8a67775aaba9228bc9c1b100f2f5f3d1
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_mips.deb
    Size/MD5 checksum:  3678816 6b60afdd9010bac0d2a9f353ba5d249b

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_mipsel.deb
    Size/MD5 checksum:   784398 fd31742e635dd9c0fe468c6bfa5a0d40
  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_mipsel.deb
    Size/MD5 checksum:  2729530 c91ec6207992ff835d3f7eaf4e188a76
  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_mipsel.deb
    Size/MD5 checksum:    32336 52f9c48eaf781eb3c1356705f7ae143f
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_mipsel.deb
    Size/MD5 checksum:  3413324 0fe5f12ac26b6dfb335d55db699a0cc6
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_mipsel.deb
    Size/MD5 checksum:   687108 54d8b8b5c7ab9ddd96cc1eb00174a5ba
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_mipsel.deb
    Size/MD5 checksum:     1016 72acf47685af2821bcd7120c3288d16f

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_powerpc.deb
    Size/MD5 checksum:    32908 377ca57ed879c2d325dfbd2ece75d3f3
  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_powerpc.deb
    Size/MD5 checksum:  2709324 0f9215154a4caba359525de6b92a7a9c
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_powerpc.deb
    Size/MD5 checksum:   653286 7a9fdda2a07cbcf721f2200de30cbb12
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_powerpc.deb
    Size/MD5 checksum:  3824700 23d8303bbba2cb597fa250b4caa0a565
  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_powerpc.deb
    Size/MD5 checksum:     1006 644993449bbeb42ae0f145d46d422431
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_powerpc.deb
    Size/MD5 checksum:   810628 3082d54b4866297abf981f5bd4b45521

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/perl/libperl5.8_5.8.8-7etch2_s390.deb
    Size/MD5 checksum:     1012 f2ddd8fcaa8cc11d8472da9719ddf757
  http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.8.8-7etch2_s390.deb
    Size/MD5 checksum:  2796222 45bb1fa51a3420a040373c3671fa0466
  http://security.debian.org/pool/updates/main/p/perl/perl-base_5.8.8-7etch2_s390.deb
    Size/MD5 checksum:   823028 733c85331bb3327f4c8a1bec6e231091
  http://security.debian.org/pool/updates/main/p/perl/perl_5.8.8-7etch2_s390.deb
    Size/MD5 checksum:  4099882 7e7c3d76475f2a488070d2e9538a9f3f
  http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.8.8-7etch2_s390.deb
    Size/MD5 checksum:    33094 7740f1d01184c5931e943bdb0aa00185
  http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.8.8-7etch2_s390.deb
    Size/MD5 checksum:   633506 3dd38df3fedd8f6a9d8bec505bc9f60b


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org