where to go for perl with CVE-2007-5116 patch?

ddick on 2007-11-27T22:45:59

I can't figure out how to get a source version of perl with recent security fixes applied to it, or even get a patch to apply to 5.8.8 or similar. What am I missing?


I just googled for this

btilly on 2007-11-28T04:31:16

I quickly found http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116 from which I went to https://bugzilla.redhat.com/show_bug.cgi?id=323571 which has a link to https://bugzilla.redhat.com/attachment.cgi?id=255541 which has the patch that Red Hat used.

I don't know why this hasn't been addressed in an official Perl release. (5.8.9 anyone?)

Re:I just googled for this

n1vux on 2007-11-28T22:11:03

Ben,

Google is your friend.

See comment up and over.

Bill

The patch is in ... but not there yet

n1vux on 2007-11-28T22:04:20

Google is your friend. Not only did they report the bug, Google-fu tells me the fix is in 5.10 RC1 and RC2 (haven't looked back into 5.9.x other than 5.9.1, not in).

Nicholas applied the patch to maint-58 on 11/06.

I haven't heard what if any plan there is for a 5.8.9 as you suggest - CPAN regression testing is pretty busy with 5.10-RC2. Vendors / downstream distros are applying the patch to their 5.8.8+, as they should. If you have a security-critical perl app that isn't carefully untainting user-supplied patterns, you might want to build this in too.

ack --perl "ASCII pattern that really is utf8"
should find

t/op/pat.t
if your source is patched, and

ack --cc 'UTF8 mismatch'
should find regcomp.c

However, can't just scan for 'UTF8 mismatch' in `which perl` as it may be in ./lib/auto/re/re.so instead.
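The two source-tree checks described in the post above, turned into a small POSIX shell function as an added example (this is not code from the thread or from the Perl project). It looks for the same two markers the post names, the 'UTF8 mismatch' string in regcomp.c and the "ASCII pattern that really is utf8" test in t/op/pat.t, and reports whether both are present. The fixture trees it builds are constructed stand-ins for demonstration, not real Perl sources, and the file contents placed in them are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks whether a Perl 5.8.x
# source tree carries the CVE-2007-5116 fix by looking for the two markers
# named in the post: the 'UTF8 mismatch' check in regcomp.c and the
# "ASCII pattern that really is utf8" regression test in t/op/pat.t.
# Usage: check_perl_src_patched /path/to/perl-5.8.8
# Returns 0 when both markers are present, 1 when either is missing.
check_perl_src_patched() {
    src="$1"
    rc=0
    if grep -q 'UTF8 mismatch' "$src/regcomp.c" 2>/dev/null; then
        echo "regcomp.c: 'UTF8 mismatch' check present"
    else
        echo "regcomp.c: fix marker NOT found"
        rc=1
    fi
    if grep -q 'ASCII pattern that really is utf8' "$src/t/op/pat.t" 2>/dev/null; then
        echo "t/op/pat.t: regression test present"
    else
        echo "t/op/pat.t: regression test NOT found"
        rc=1
    fi
    return $rc
}

# Build a constructed fixture tree (hypothetical contents, not real Perl
# sources) so the check can be demonstrated offline.
# Usage: make_fixture <dir> yes|no
make_fixture() {
    dir="$1"
    patched="$2"
    mkdir -p "$dir/t/op"
    if [ "$patched" = yes ]; then
        printf '/* constructed */ Perl_croak(aTHX_ "panic: UTF8 mismatch");\n' > "$dir/regcomp.c"
        printf '# constructed: ASCII pattern that really is utf8\n' > "$dir/t/op/pat.t"
    else
        printf '/* constructed: no fix applied */\n' > "$dir/regcomp.c"
        printf '# constructed: older test file\n' > "$dir/t/op/pat.t"
    fi
}

# When run directly with a path, check that tree; otherwise demonstrate on fixtures.
if [ $# -ge 1 ]; then
    check_perl_src_patched "$1"
else
    demo=$(mktemp -d)
    make_fixture "$demo/patched" yes
    make_fixture "$demo/unpatched" no
    echo "== patched fixture =="
    check_perl_src_patched "$demo/patched" || true
    echo "== unpatched fixture =="
    check_perl_src_patched "$demo/unpatched" || true
    rm -rf "$demo"
fi
```

As the post notes, this only tells you about a source tree; an installed perl may carry the regcomp.c code inside lib/auto/re/re.so rather than the perl binary, so a grep of `which perl` alone is not a reliable indicator.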

Re:The patch is in ... but not there yet

ddick on 2007-11-28T23:58:02

Thanks Bill.

Re:The patch is in ... AND IS there NOW

n1vux on 2007-11-29T19:43:17

You probably already saw the update on frontpage, but just to complete the chain/reference *Patch Announced*.

Google didn't find the 11/15 p5p msg the other day, but it does now.