perl regex vulnerability - debian - pcre only?
Jonathan Stowe
jns at gellyfish.com
Tue Nov 6 13:25:49 GMT 2007
On Tue, 2007-11-06 at 12:59 +0000, Mike Astle wrote:
> That don't look so good:
>
> ----
>
> "[...] discovered a flaw in Perl's regular
> expression engine. Specially crafted input to a regular expression can
> cause Perl to improperly allocate memory, resulting in the possible
> execution of arbitrary code with the permissions of the user running
> Perl."
>
> https://rhn.redhat.com/errata/RHSA-2007-0966.html
>
> Also...
>
> http://www.debian.org/security/2007/dsa-1399
>
> ----
>
> I only see new pcre3 packages for debian. Is this a problem with just
> pcre or perl itself?
These are separate issues - pcre is a different code base. Also perl
5.8.0 is five years old now, but it would be typical of a software
packager to sit on the patches and not push them upstream.
/J\
--
This signature kills bloggers