Bug 174684
Summary: | CVE-2005-3962 Perl integer overflow issue
---|---
Product: | [Fedora] Fedora
Component: | perl
Version: | 4
Hardware: | All
OS: | Linux
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Keywords: | Security
Reporter: | Josh Bressers <bressers>
Assignee: | Jason Vas Dias <jvdias>
QA Contact: | David Lawrence <dkl>
CC: | perl-devel
Whiteboard: | impact=moderate,source=fulldisclosure,public=20051201,reported=20051201
Fixed In Version: | FC5
Doc Type: | Bug Fix
Last Closed: | 2006-09-22 02:19:21 UTC

Description
Josh Bressers
2005-12-01 13:32:39 UTC
Created attachment 121681
Proposed patch
Created attachment 121694
upstream patch #26240 for this issue

Now applying with perl-5.8.6-18 for FC-4

Fixed with perl-5.8.6-18 in FC-4; perl-5.8.7-0.8.fc5 in FC-5.

From User-Agent: XML-RPC
perl-5.8.6-18 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.

From User-Agent: XML-RPC
perl-5.8.5-18.FC3 has been pushed for FC3, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.

Created attachment 121776
upstream patch #26244
Upstream revised their fix of patch #26240 :-(

Created attachment 122039
Latest upstream patch for this issue
The upstream perl maintainers have combined the above patch #26244 with other sprintf improvements to deal with Sys::Syslog security vulnerabilities, which are also the subject of CVE-2005-3912 (CVE-2005-3962 has now been raised on this specific integer overflow issue). It is recommended to apply upstream patches 26235 to 26240 inclusive and 26244 to solve these issues - I've attached the patches sent by Nicholas Clark, the upstream perl maintainer, to this bug.

Created attachment 122040
Upstream patches 26283
The complete set of upstream patches for this issue have been integrated as the official upstream patches #26283 and #26284, attached.

Respinning perl packages to incorporate new upstream fixes for CVE-2005-3912 and CVE-2005-3962

Created attachment 122041
Upstream patch 26284

From User-Agent: XML-RPC
perl-5.8.6-22 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.

Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists in a current Fedora release (such as Fedora Core 5 or later), please reopen and set the version appropriately.