perl: Multiple vulnerabilities (CVE-2016-1238, CVE-2017-12837, CVE-2017-12883)
CVE-2016-1238: loading of modules from current directory
Fixed In Version:
perl 5.22.3, perl 5.24.1
References:
https://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html
https://nvd.nist.gov/vuln/detail/CVE-2016-1238
CVE-2017-12837: Heap-based buffer overflow in the regular expression
compiler in PERL before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1
allows remote attackers to cause a denial of service (crash) via a
crafted regular expression with the case-insensitive modifier.
References:
https://rt.perl.org/Public/Bug/Display.html?id=131582
https://nvd.nist.gov/vuln/detail/CVE-2017-12837
Patches:
maint-5.26:
https://perl5.git.perl.org/perl.git/commitdiff/66288bb3f44c8aa5122e5f40d8cfc0eada8b1695
maint-5.24:
https://perl5.git.perl.org/perl.git/commitdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876
CVE-2017-12883: Buffer overflow in the regular expression parser in
PERL before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote
attackers to cause a denial of service (crash) or leak data from memory
via vectors involving use of RExC_parse in the vFAIL macro.
References:
https://rt.perl.org/Public/Bug/Display.html?id=131598
https://nvd.nist.gov/vuln/detail/CVE-2017-12883
Patches:
maint-5.26:
https://perl5.git.perl.org/perl.git/commitdiff/2692dda97731c37082a0075eff50d741901c665f
maint-5.24:
https://perl5.git.perl.org/perl.git/commitdiff/40b3cdad3649334585cee8f4630ec9a025e62be6
(from redmine: issue id 7896, created on 2017-09-25, closed on 2017-10-24)
- Relations:
- child #7897 (closed)
- child #7898 (closed)
- child #7899 (closed)
- child #7900 (closed)
- child #7901 (closed)