August 2021 - perl-devel - Fedora Mailing-Lists

[Bug 1877427] New: perl-dbi: Risk of memory corruption with many arguments in DBI method dispatch

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1877427 Bug ID: 1877427 Summary: perl-dbi: Risk of memory corruption with many arguments in DBI method dispatch Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: caillon+fedoraproject(a)gmail.com, hhorak(a)redhat.com, john.j5live(a)gmail.com, jorton(a)redhat.com, jplesnik(a)redhat.com, kasal(a)ucw.cz, perl-devel(a)lists.fedoraproject.org, perl-maint-list(a)redhat.com, ppisar(a)redhat.com, rhughes(a)redhat.com, rstrode(a)redhat.com, sandmann(a)redhat.com Target Milestone: --- Classification: Other A flaw was foundin perl-dbi before version 1.632. Using many arguments to methods for Callbacks may lead to memory corruption. Upstream patch: https://github.com/perl5-dbi/dbi/commit/a8b98e988d6ea2946f5f56691d6d5ead5... -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
6
0 / 0

[Bug 1877421] New: perl-dbi: Old API functions vulnerable to overflow

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1877421 Bug ID: 1877421 Summary: perl-dbi: Old API functions vulnerable to overflow Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: caillon+fedoraproject(a)gmail.com, hhorak(a)redhat.com, john.j5live(a)gmail.com, jorton(a)redhat.com, jplesnik(a)redhat.com, kasal(a)ucw.cz, perl-devel(a)lists.fedoraproject.org, perl-maint-list(a)redhat.com, ppisar(a)redhat.com, rhughes(a)redhat.com, rstrode(a)redhat.com, sandmann(a)redhat.com Target Milestone: --- Classification: Other A flaw was found in perl-dbi before version 1.643. Old API functions might be vulnerable to overflowing potentially causing memory corruption. References: https://github.com/perl5-dbi/dbi/commit/00e2ec459b55b72ee5703c1bd8e6cf57f... -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
8
0 / 0

[Bug 1877409] New: perl-dbi: Buffer overlfow on an overlong DBD class name

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1877409 Bug ID: 1877409 Summary: perl-dbi: Buffer overlfow on an overlong DBD class name Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: caillon+fedoraproject(a)gmail.com, hhorak(a)redhat.com, john.j5live(a)gmail.com, jorton(a)redhat.com, jplesnik(a)redhat.com, kasal(a)ucw.cz, perl-devel(a)lists.fedoraproject.org, perl-maint-list(a)redhat.com, ppisar(a)redhat.com, rhughes(a)redhat.com, rstrode(a)redhat.com, sandmann(a)redhat.com Target Milestone: --- Classification: Other A flaw was found in perl-dbi before version 1.643. A buffer overflow on via an overlong DBD class name in dbih_setup_handle function may lead to data be written past the intended limit. Upstream patch: https://github.com/perl5-dbi/dbi/commit/36f2a2c5fea36d7d47d6871e420286643... -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
12
0 / 0

[Bug 1877405] New: perl-dbi: NULL profile dereference in dbi_profile()

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1877405 Bug ID: 1877405 Summary: perl-dbi: NULL profile dereference in dbi_profile() Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: caillon+fedoraproject(a)gmail.com, hhorak(a)redhat.com, john.j5live(a)gmail.com, jorton(a)redhat.com, jplesnik(a)redhat.com, kasal(a)ucw.cz, perl-devel(a)lists.fedoraproject.org, perl-maint-list(a)redhat.com, ppisar(a)redhat.com, rhughes(a)redhat.com, rstrode(a)redhat.com, sandmann(a)redhat.com Target Milestone: --- Classification: Other A flaw was found in perl-dbi. hv_fetch() documentation requires checking for NULL and the code does that. But then calls SvOK(profile) uncoditionally two lines later lead to a null profile dereference. Upstream patch: https://github.com/perl5-dbi/dbi/commit/eca7d7c8f43d96f6277e86d1000e842eb... -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
8
0 / 0

[Bug 1877402] New: perl-dbi: Memory corruption in XS functions when Perl stack is reallocated

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1877402 Bug ID: 1877402 Summary: perl-dbi: Memory corruption in XS functions when Perl stack is reallocated Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: caillon+fedoraproject(a)gmail.com, hhorak(a)redhat.com, john.j5live(a)gmail.com, jorton(a)redhat.com, jplesnik(a)redhat.com, kasal(a)ucw.cz, perl-devel(a)lists.fedoraproject.org, perl-maint-list(a)redhat.com, ppisar(a)redhat.com, rhughes(a)redhat.com, rstrode(a)redhat.com, sandmann(a)redhat.com Target Milestone: --- Classification: Other A flaw was found in perl-dbi. Macro ST(*) returns pointer to Perl stack. Other Perl functions which use Perl stack (e.g. eval) may reallocate Perl stack and therefore pointer returned by ST(*) macro is invalid which may lead to memory corruption. Upstream patch: https://github.com/perl5-dbi/dbi/commit/ea99b6aafb437db53c28fd40d5eafbe11... -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
11
0 / 0

[Bug 1980682] New: Upgrade perl-Data-GUID to 0.050

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1980682 Bug ID: 1980682 Summary: Upgrade perl-Data-GUID to 0.050 Product: Fedora Version: rawhide Status: NEW Component: perl-Data-GUID Assignee: rc040203(a)freenet.de Reporter: jplesnik(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: jplesnik(a)redhat.com, paul(a)city-fan.org, perl-devel(a)lists.fedoraproject.org, rc040203(a)freenet.de Target Milestone: --- Classification: Fedora Latest Fedora delivers 0.049 version. Upstream released 0.050. When you have free time, please upgrade it. -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
6
0 / 0

[Bug 1917521] New: Upgrade perl-Calendar-Simple to 2.0.1

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1917521 Bug ID: 1917521 Summary: Upgrade perl-Calendar-Simple to 2.0.1 Product: Fedora Version: rawhide Status: NEW Component: perl-Calendar-Simple Assignee: rc040203(a)freenet.de Reporter: jplesnik(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: lxtnow(a)gmail.com, perl-devel(a)lists.fedoraproject.org, rc040203(a)freenet.de Target Milestone: --- Classification: Fedora Latest Fedora delivers 2.0.0 version. Upstream released 2.0.1. When you have free time, please upgrade it. -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
6
0 / 0

[Bug 1829902] New: Upgrade perl-Algorithm-Dependency to 1.112

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1829902 Bug ID: 1829902 Summary: Upgrade perl-Algorithm-Dependency to 1.112 Product: Fedora Version: rawhide Status: NEW Component: perl-Algorithm-Dependency Assignee: rc040203(a)freenet.de Reporter: jplesnik(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: lkundrak(a)v3.sk, lxtnow(a)gmail.com, perl-devel(a)lists.fedoraproject.org, rc040203(a)freenet.de Target Milestone: --- Classification: Fedora Latest Fedora delivers 1.111 version. Upstream released 1.112. When you have free time, please upgrade it. -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
6
0 / 0

[Bug 1961865] New: perl-Net-CIDR-Lite: Incorrect handling of IP address with leading zeros in IP octets

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1961865 Bug ID: 1961865 Summary: perl-Net-CIDR-Lite: Incorrect handling of IP address with leading zeros in IP octets Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: thoger(a)redhat.com CC: paul(a)city-fan.org, perl-devel(a)lists.fedoraproject.org, pzhukov(a)redhat.com, steve(a)silug.org Target Milestone: --- Classification: Other It was discovered that the perl Net-CIDR-Lite module did not correctly handle IP addresses with IP octets containing leading zeros. Leading zeros were ignored, while the underlying system can treat such octets as octal numbers and interpret them differently. For example, IP address of 010.0.0.1 was considered by Net-CIDR-Lite to be the same address as 10.0.0.1, while system may consider it to be IP address 8.0.0.1. Reference: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distr... This issue was fixed in Net-CIDR-Lite version 0.22 via this change: https://metacpan.org/diff/file?target=STIGTSP/Net-CIDR-Lite-0.22/Lite.pm&... An example of a potentially vulnerable use case can be found in the SpamAssassin's URILocalBL plugin: https://svn.apache.org/viewvc/spamassassin/tags/spamassassin_release_3_4_... It allows checking URLs extracted from emails against locally defined blacklist of IP ranges. IP addresses to check are typically obtained by resolving host names used in URLs. However, URLs with IP addresses can be used directly. Hence, this issue could potentially lead to a bypass of the defined blacklist. Note that this plugin does not seem to be affected due to the use of a strict regular expression used to determine if URL contains host name or IP address. That regular expression does not consider addresses with leading zeros as valid IP addresses and performs their resolution, translating the IP string to how system interprets it. -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 6 months

1
4
0 / 0

[Bug 1949278] New: perl-Net-Stomp-0.61 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1949278 Bug ID: 1949278 Summary: perl-Net-Stomp-0.61 is available Product: Fedora Version: rawhide Status: NEW Component: perl-Net-Stomp Keywords: FutureFeature, Triaged Assignee: lkundrak(a)v3.sk Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: filip(a)andresovi.net, lkundrak(a)v3.sk, perl-devel(a)lists.fedoraproject.org, scenek(a)gmail.com Target Milestone: --- Classification: Fedora Latest upstream release: 0.61 Current version/release in rawhide: 0.60-5.fc34 URL: http://search.cpan.org/dist/Net-Stomp/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/3166/ -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 7 months

1
5
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

perl-devel August 2021