UbuntuUpdates.org

Package "perl"

Name: perl

Description:

Larry Wall's Practical Extraction and Report Language

Latest version: 5.30.0-9ubuntu0.3
Release: focal (20.04)
Level: updates
Repository: main
Homepage: http://dev.perl.org/perl5/

Other versions of "perl" in Focal

Repository   Area   Version
base         main   5.30.0-9build1
security     main   5.30.0-9ubuntu0.3

Changelog

Version: 5.30.0-9ubuntu0.3 2022-10-19 14:06:27 UTC

  perl (5.30.0-9ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Signature verification bypass
    - debian/patches/CVE-2020-16156-1.patch: signature
      verification type CANNOT_VERIFY was not recognized
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-2.patch: add two new failure modes
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-3.patch: use gpg
      to disentangle data and signature in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-4.patch: replacing die with mydie in
      three spots in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-5.patch: disambiguate the call
      to gpg --output by adding --verify in
      cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-6.patch: corrects typo
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-7.patch: corrects typo
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - CVE-2020-16156

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 05 Oct 2022 07:27:25 -0300

CVE-2020-16156 CPAN 2.28 allows Signature Verification Bypass.

Version: 5.30.0-9ubuntu0.2 2020-10-26 13:07:13 UTC

  perl (5.30.0-9ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflow in regex compiler
    - debian/patches/fixes/CVE-2020-10543.patch: prevent integer overflow
      from nested regex quantifiers in regcomp.c.
    - CVE-2020-10543
  * SECURITY UPDATE: regex intermediate language state corruption
    - debian/patches/fixes/CVE-2020-10878-1.patch: extract
      rck_elide_nothing in embed.fnc, embed.h, proto.h, regcomp.c.
    - debian/patches/fixes/CVE-2020-10878-2.patch: use long jumps if there
      is any possibility of overflow in regcomp.c.
    - CVE-2020-10878
  * SECURITY UPDATE: regex intermediate language state corruption
    - debian/patches/fixes/CVE-2020-12723.patch: avoid mutating regexp
      program within GOSUB in embed.fnc, embed.h, proto.h, regcomp.c,
      t/re/pat.t.
    - CVE-2020-12723

 -- Marc Deslauriers <email address hidden> Mon, 19 Oct 2020 06:56:54 -0400

CVE-2020-10543 Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVE-2020-10878 Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could l
CVE-2020-12723 regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
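The versions table and the two changelog entries above together say which perl build on focal closes which CVE. Deciding that for a host is a string comparison that has to follow dpkg's version ordering (digit runs compared numerically, letters before other symbols, "~" before everything), not plain lexical order. The following is an added example, not code from UbuntuUpdates.org or from the Ubuntu perl package: it reimplements dpkg's verrevcmp() ordering in Python, maps each CVE named in the changelog to the version that first fixed it, and reports which CVEs a given installed version still lacks. The FIXED_IN table is transcribed from the changelog on this page; the dpkg-query output it parses is a constructed sample.

```python
"""Which of the CVEs in the focal perl changelog are still unfixed for a given
installed version, using dpkg's version ordering. Added example, not Ubuntu or
UbuntuUpdates.org code; FIXED_IN is transcribed from the changelog above."""

# First focal-security version in which each CVE from the changelog was fixed.
FIXED_IN = {
    "CVE-2020-16156": "5.30.0-9ubuntu0.3",
    "CVE-2020-10543": "5.30.0-9ubuntu0.2",
    "CVE-2020-10878": "5.30.0-9ubuntu0.2",
    "CVE-2020-12723": "5.30.0-9ubuntu0.2",
}


def _at(s, k):
    """Character at index k, or '' once past the end (plays the role of C's NUL)."""
    return s[k] if k < len(s) else ""


def _order(c):
    """dpkg's weight for a non-digit character: '~' sorts before everything,
    including the end of the string; letters sort before other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments as dpkg's verrevcmp() does: alternate
    non-digit runs (weighted by _order) and digit runs (compared numerically,
    leading zeros ignored). Negative, zero or positive like strcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (_at(a, i) and not _at(a, i).isdigit()) or (_at(b, j) and not _at(b, j).isdigit()):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():
            return 1  # a has more digits in this run, so it is the larger number
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def unfixed_cves(installed):
    """CVEs from the changelog whose fixing version is newer than `installed`."""
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if compare_versions(installed, fixed) < 0)


def installed_version(dpkg_query_output, package="perl"):
    r"""Pull `package`'s version out of the output of
    dpkg-query -W -f='${Package} ${Version}\n'; None if the package is absent."""
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == package:
            return parts[1]
    return None


# Constructed sample, not captured from a real host.
SAMPLE_DPKG_QUERY = "perl 5.30.0-9ubuntu0.2\nperl-base 5.30.0-9ubuntu0.2\n"

if __name__ == "__main__":
    ver = installed_version(SAMPLE_DPKG_QUERY)
    print(ver, "still unfixed:", unfixed_cves(ver))
```

On a real focal host, feed it the output of `dpkg-query -W -f='${Package} ${Version}\n' perl` instead of the sample string. The base version 5.30.0-9build1 sorts below both security builds because "b" precedes "u" in the revision, and 5.30.0-9ubuntu0.2 sorts below 5.30.0-9ubuntu0.3 on the trailing digit; a naive string comparison would get 5.30.0-9ubuntu0.10 versus 5.30.0-9ubuntu0.3 wrong, which is why the dpkg algorithm is reproduced rather than approximated.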
