NVD description: In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation. References: https://nvd.nist.gov/vuln/detail/CVE-2022-48522 https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345
According to Debian [1] this "might be related to https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2032667 which is just an infinite recursion exhausting the stack, with negligible security impact."
Upstream issue & fix: https://github.com/Perl/perl5/issues/19147 https://github.com/Perl/perl5/commit/23cca2d1f4544cb47f1124d98c308ce1f31f09a6 (v5.35.5)
[1] https://security-tracker.debian.org/tracker/CVE-2022-48522
Per the comment at https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2032667/comments/1, the code was broken around devel release 5.33.1. It was fixed around 5.35.5, and the fix was also added to 5.34.1. RHEL 8 and RHEL 9 contain only perl versions 5.26, 5.30 and 5.32. These versions are not affected. I was not able to reproduce the issue there; I reproduced it only with perl 5.34.0.
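The version window stated in the comment above (broken from the 5.33.1 devel release, fixed in 5.35.5 and backported to 5.34.1) turned into a quick triage check. This is an added example written for this page, not a script from the bug thread or from the perl project; the function names and the exact range boundaries (5.33.1 <= v < 5.34.1 and 5.35.0 <= v < 5.35.5) are my reading of that comment, and the `printf "%vd", $^V` idiom for obtaining the running perl's version is an assumption about the environment.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify a perl version string
# against the affected window reported in the thread for CVE-2022-48522:
# broken around devel release 5.33.1, fixed in 5.35.5, backported to 5.34.1.

# Turn "5.34.0" into a single comparable integer (major*1000000 + minor*1000 + patch).
# A missing component (e.g. "5.34") counts as 0.
perl_version_key() {
    # shellcheck disable=SC2046
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Return 0 (affected) when the version lies in either window the thread describes:
#   5.33.1 <= v < 5.34.1   (devel 5.33.x and the 5.34.0 release)
#   5.35.0 <= v < 5.35.5   (devel releases before the upstream fix landed)
# Return 1 otherwise (e.g. 5.26, 5.30, 5.32 shipped in RHEL 8/9, or 5.34.1+).
perl_version_affected() {
    pva_key=$(perl_version_key "$1")
    if [ "$pva_key" -ge "$(perl_version_key 5.33.1)" ] && \
       [ "$pva_key" -lt "$(perl_version_key 5.34.1)" ]; then
        return 0
    fi
    if [ "$pva_key" -ge "$(perl_version_key 5.35.0)" ] && \
       [ "$pva_key" -lt "$(perl_version_key 5.35.5)" ]; then
        return 0
    fi
    return 1
}

# Check the perl on PATH, if any. Assumes perl's $^V is printable with %vd
# (yields e.g. "5.34.0"); prints a one-line verdict.
report_running_perl() {
    command -v perl >/dev/null 2>&1 || { echo "perl not installed"; return 1; }
    rrp_ver=$(perl -e 'printf "%vd\n", $^V')
    if perl_version_affected "$rrp_ver"; then
        echo "perl $rrp_ver: inside the CVE-2022-48522 version window"
    else
        echo "perl $rrp_ver: outside the CVE-2022-48522 version window"
    fi
}
```

The version number alone is only a first filter: distributions routinely backport upstream commits without bumping the upstream version, so a "5.34.0" package may already carry commit 23cca2d1f4544cb47f1124d98c308ce1f31f09a6. A result of "inside the window" means "check the package changelog or diff the vendored sv.c against the patch", which is the verification the final comment in this thread performed.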
Yes, just verified our codebase against the patch; indeed we are not affected, you can close the bugs. I am setting NOT-AFFECTED. Thanks.