perl regex vulnerability - debian - pcre only?

Jonathan Stowe jns at gellyfish.com
Tue Nov 6 13:25:49 GMT 2007


On Tue, 2007-11-06 at 12:59 +0000, Mike Astle wrote:
> That don't look so good:
> 
> ----
> 
> "[...] discovered a flaw in Perl's regular
> expression engine. Specially crafted input to a regular expression can
> cause Perl to improperly allocate memory, resulting in the possible
> execution of arbitrary code with the permissions of the user running
> Perl."
> 
> https://rhn.redhat.com/errata/RHSA-2007-0966.html
> 
> Also...
> 
> http://www.debian.org/security/2007/dsa-1399
> 
> ----
> 
> I only see new pcre3 packages for debian.  Is this a problem with just 
> pcre or perl itself?

These are separate issues - pcre is a different code base.  Also perl
5.8.0 is five years old now, but it would be typical of a software
packager to sit on the patches and not push them upstream.

/J\
-- 
This signature kills bloggers

