Package name: perl
Date: 2013-04-10
Advisory ID: MDVSA-2013:113
Affected versions: MBS1 x86_64

Problem description

Updated perl packages fix security vulnerabilities:

It was discovered that Perl's 'x' string repeat operator is vulnerable
to a heap-based buffer overflow. An attacker could use this to execute
arbitrary code (CVE-2012-5195).

The _compile function in Maketext.pm in the Locale::Maketext
implementation in Perl before 5.17.7 does not properly handle
backslashes and fully qualified method names during compilation of
bracket notation, which allows context-dependent attackers to execute
arbitrary commands via crafted input to an application that accepts
translation strings from users (CVE-2012-6329).

In order to prevent an algorithmic complexity attack against
its hashing mechanism, perl will sometimes recalculate keys and
redistribute the contents of a hash. This mechanism has made perl
robust against attacks that have been demonstrated against other
systems. Research by Yves Orton has recently uncovered a flaw in the
rehashing code which can result in pathological behavior. This flaw
could be exploited to carry out a denial of service attack against
code that uses arbitrary user input as hash keys. Because using
user-provided strings as hash keys is a very common operation,
we urge users of perl to update their perl executable as soon
as possible. Updates to address this issue have been pushed to the
maint-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches
today. Vendors were informed of this problem two weeks ago and
are expected to be shipping updates today (or otherwise very soon)
(CVE-2013-1667).
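
As an added illustration (not perl's code and not part of the original advisory), this simplified Python model shows the defence the paragraph above describes: when one chain of a hash table grows suspiciously long, the table recalculates every key under a fresh secret seed and redistributes the contents. The ToyHash class, the BLAKE2b stand-in hash, the 64-bucket table and the chain limit of 14 are assumptions of the model; it does not reproduce the rehashing flaw itself.

```python
import hashlib
import secrets
BUCKETS = 64       # fixed table size keeps the model small (assumption)
CHAIN_LIMIT = 14   # chain length treated as suspicious (assumption)

def bucket_of(key: str, seed: bytes) -> int:
    # Seeded hash -> bucket index; BLAKE2b stands in for perl's hash function.
    digest = hashlib.blake2b(key.encode(), digest_size=8, key=seed).digest()
    return int.from_bytes(digest, "big") % BUCKETS

class ToyHash:
    def __init__(self, rehash: bool):
        self.seed = b""            # publicly known starting seed
        self.rehash = rehash
        self.reseeds = 0
        self.buckets = [[] for _ in range(BUCKETS)]

    def longest_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)

    def insert(self, key: str) -> None:
        chain = self.buckets[bucket_of(key, self.seed)]
        if key not in chain:       # linear scan: cost grows with chain length
            chain.append(key)
        while self.rehash and self.longest_chain() > CHAIN_LIMIT:
            self._redistribute()

    def _redistribute(self) -> None:
        self.seed = secrets.token_bytes(16)   # fresh secret seed
        keys = [k for chain in self.buckets for k in chain]
        self.buckets = [[] for _ in range(BUCKETS)]
        for k in keys:             # recalculate every key's bucket
            self.buckets[bucket_of(k, self.seed)].append(k)
        self.reseeds += 1

def colliding_keys(count: int) -> list[str]:
    # Constructed sample input: keys sharing bucket 0 under the known seed.
    keys, i = [], 0
    while len(keys) < count:
        if bucket_of(f"key{i}", b"") == 0:
            keys.append(f"key{i}")
        i += 1
    return keys

def run(rehash: bool, count: int = 200) -> tuple[int, int]:
    table = ToyHash(rehash)
    for key in colliding_keys(count):
        table.insert(key)
    return table.longest_chain(), table.reseeds
```

run(False) leaves all 200 constructed keys in a single chain, so every insert scans the whole chain; run(True) reseeds as soon as a chain passes the limit and keeps the longest chain within it.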

Updated packages

MBS1 x86_64

 e010dd5d07ad358f78a421e97d158cc5  mbs1/x86_64/perl-5.14.2-8.1.mbs1.x86_64.rpm
 2b935278aa38f3ed01fb4859036fc17a  mbs1/x86_64/perl-base-5.14.2-8.1.mbs1.x86_64.rpm
 8b2791b988a751ad818bbae21854bfe4  mbs1/x86_64/perl-devel-5.14.2-8.1.mbs1.x86_64.rpm
 54a4521ed44b8728a1fa8af387d1e9c2  mbs1/x86_64/perl-doc-5.14.2-8.1.mbs1.noarch.rpm
 c7d0a40057c4ec1d24baa9b605dea7cd  mbs1/x86_64/perl-Locale-Maketext-1.220.0-2.1.mbs1.noarch.rpm 
 1e7634153853dabcec48738081b1c2ec  mbs1/SRPMS/perl-5.14.2-8.1.mbs1.src.rpm
 e1790a3f5f3c579ce1e5e0cb43cb6b08  mbs1/SRPMS/perl-Locale-Maketext-1.220.0-2.1.mbs1.src.rpm

References