• Bug#1102984: unblock/preapproval: perl/5.40.1-3 CVE-2024-56406

    From Niko Tyni@21:1/5 to All on Sun Apr 13 15:40:02 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    User: release.debian.org@packages.debian.org
    Usertags: unblock
    X-Debbugs-Cc: perl@packages.debian.org, perl@packages.debian.org
    Control: affects -1 + src:perl

    Hi, please pre-approve the attached one line security fix for sid/trixie
    for CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a
    heap buffer overflow when transliterating non-ASCII bytes.

    https://lists.security.metacpan.org/cve-announce/msg/28708725/

    A DSA update for bookworm is already uploaded and being processed by
    the security team.

    Thanks for your work,
    --
    Niko Tyni ntyni@debian.org

    diff -Nru perl-5.40.1/debian/changelog perl-5.40.1/debian/changelog
    --- perl-5.40.1/debian/changelog 2025-02-16 17:16:32.000000000 +0200
    +++ perl-5.40.1/debian/changelog 2025-04-12 18:34:34.000000000 +0300
    @@ -1,3 +1,9 @@
    +perl (5.40.1-3) unstable; urgency=high
    +
    + * [SECURITY] CVE-2024-56406: Fix heap-buffer-overflow with tr//
    +
    + -- Niko Tyni <ntyni@debian.org> Sat, 12 Apr 2025 18:34:34 +0300
    +
    perl (5.40.1-2) unstable; urgency=medium

    * Refresh cross support files with 5.40.1-1 results.
    diff -Nru perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff
    --- perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff 1970-01-01 02:00:00.000000000 +0200
    +++ perl-5.40.1/debian/patches/fixes/CVE-2024-56406.diff 2025-04-12 18:34:34.000000000 +0300
    @@ -0,0 +1,31 @@
    +From: Karl Williamson <khw@cpan.org>
    +Date: Wed, 18 Dec 2024 18:25:29 -0700
    +Subject: CVE-2024-56406: Heap-buffer-overflow with tr//
    +
    +This was due to underallocating needed space. If the translation forces +something to become UTF-8 that is initia
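    Review bot: the header of the new file debian/patches/fixes/CVE-2024-56406.diff carries only From:, Date: and Subject: lines and no Origin: field (nor a Bug: / Bug-Debian: reference) naming the upstream commit this one-line fix is taken from; adding an `Origin: upstream, <upstream commit URL>` line in DEP-3 style would let a later maintainer verify that the Debian patch matches what upstream shipped for CVE-2024-56406.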
  • From Sebastian Ramacher@21:1/5 to Niko Tyni on Sun Apr 13 16:00:02 2025
    XPost: linux.debian.devel.release

    Control: tags -1 confirmed

    On 2025-04-13 16:32:41 +0300, Niko Tyni wrote:
    > Package: release.debian.org
    > Severity: normal
    > User: release.debian.org@packages.debian.org
    > Usertags: unblock
    > X-Debbugs-Cc: perl@packages.debian.org, perl@packages.debian.org
    > Control: affects -1 + src:perl
    >
    > Hi, please pre-approve the attached one line security fix for sid/trixie
    > for CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a
    > heap buffer overflow when transliterating non-ASCII bytes.
    >
    > https://lists.security.metacpan.org/cve-announce/msg/28708725/

    Thanks for preparing the update. Please go ahead.

    Cheers
    --
    Sebastian Ramacher

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Niko Tyni@21:1/5 to Sebastian Ramacher on Sun Apr 13 16:10:01 2025
    XPost: linux.debian.devel.release

    On Sun, Apr 13, 2025 at 03:51:17PM +0200, Sebastian Ramacher wrote:
    > Control: tags -1 confirmed
    >
    > On 2025-04-13 16:32:41 +0300, Niko Tyni wrote:
    > > Package: release.debian.org
    > > Severity: normal
    > > User: release.debian.org@packages.debian.org
    > > Usertags: unblock
    > > X-Debbugs-Cc: perl@packages.debian.org, perl@packages.debian.org
    > > Control: affects -1 + src:perl
    > >
    > > Hi, please pre-approve the attached one line security fix for sid/trixie
    > > for CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a
    > > heap buffer overflow when transliterating non-ASCII bytes.
    > >
    > > https://lists.security.metacpan.org/cve-announce/msg/28708725/
    >
    > Thanks for preparing the update. Please go ahead.

    Thanks, uploaded.
    --
    Niko
