[3.5] perl: Multiple vulnerabilities (CVE-2017-12837, CVE-2017-12883)
CVE-2017-12837: Heap-based buffer overflow in the regular expression compiler in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (crash) via a crafted regular expression with the case-insensitive modifier.
References:
  https://rt.perl.org/Public/Bug/Display.html?id=131582
  https://nvd.nist.gov/vuln/detail/CVE-2017-12837
Patches:
  maint-5.26:
    https://perl5.git.perl.org/perl.git/commitdiff/66288bb3f44c8aa5122e5f40d8cfc0eada8b1695
  maint-5.24:
    https://perl5.git.perl.org/perl.git/commitdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876
CVE-2017-12883: Buffer overflow in the regular expression parser in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (crash) or leak data from memory via vectors involving use of RExC_parse in the vFAIL macro.
References:
  https://rt.perl.org/Public/Bug/Display.html?id=131598
  https://nvd.nist.gov/vuln/detail/CVE-2017-12883
Patches:
  maint-5.26:
    https://perl5.git.perl.org/perl.git/commitdiff/2692dda97731c37082a0075eff50d741901c665f
  maint-5.24:
    https://perl5.git.perl.org/perl.git/commitdiff/40b3cdad3649334585cee8f4630ec9a025e62be6
(from redmine: issue id 7899, created on 2017-09-25, closed on 2017-10-24)
- Relations:
  - parent #7896 (closed)
- Changesets:
  - Revision c088ac63 by Natanael Copa on 2017-10-10T09:27:53Z:
    main/perl: security upgrade to 5.24.3 (CVE-2017-12837, CVE-2017-12883)
    fixes #7899