Your message dated Mon, 01 Jun 2026 16:18:37 +0000
with message-id <[email protected]>
and subject line Bug#1138633: fixed in libsereal-decoder-perl 5.006+ds-1
has caused the Debian Bug report #1138633,
regarding libsereal-decoder-perl: CVE-2026-8796
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138633
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsereal-decoder-perl
Version: 5.004+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libsereal-decoder-perl.
CVE-2026-8796[0]:
| Sereal::Decoder versions before 5.005 for Perl allow heap out-of-
| bounds read via crafted input. In Perl/Decoder/srl_decoder.c,
| srl_read_object() and srl_read_hash() process a COPY tag, a back-
| reference whose target byte the decoder re-decodes as a fresh tag.
| When that target byte matches the SHORT_BINARY pattern (an inline
| string whose length is encoded in the low bits of the tag), the
| resulting read is not bounded to precede the COPY tag's own offset
| and can run past the end of the input buffer. An attacker controlled
| COPY offset can land inside a previously decoded value rather than
| on a tag boundary, planting a byte that the decoder reads as a
| SHORT_BINARY tag and consuming up to 31 following bytes from the
| heap as a class name (OBJECT path) or hash key (HASH path).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8796
https://www.cve.org/CVERecord?id=CVE-2026-8796
[1] https://lists.security.metacpan.org/cve-announce/msg/40571630/
[2] https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
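The bound described in the CVE text above, as an added C example that is not part of the original messages and is not the upstream Sereal patch: a simplified model of resolving a COPY back-reference to a SHORT_BINARY string. The helper name, buffer layout and sample bytes are constructed for illustration; the tag values (SHORT_BINARY 0x60..0x7f with the length in the low five bits, 0x2f for COPY) are assumed from the Sereal format specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed from the Sereal format spec: SHORT_BINARY tags are 0x60..0x7f and
   carry the string length (0..31) in their low five bits. */
#define SHORT_BINARY_BASE 0x60u
#define SHORT_BINARY_MASK 0xE0u

/* Constructed samples, not real Sereal documents. 0x2f stands in for COPY.
   sample_ok : SHORT_BINARY "Foo" at offset 0, COPY tag at offset 6.
   sample_bad: offset 1 is a byte inside an earlier value that happens to
               look like SHORT_BINARY with length 31; COPY tag at offset 2. */
static const uint8_t sample_ok[]  = { 0x63, 'F', 'o', 'o', 0x00, 0x00, 0x2f, 0x00 };
static const uint8_t sample_bad[] = { 0x00, 0x7f, 0x2f, 0x01 };

/* Hypothetical helper: resolve a COPY back-reference that is expected to name
   a SHORT_BINARY string (class name or hash key).
   copy_pos is the offset of the COPY tag, target the offset it carries.
   Returns the string length and sets *str, or -1 if the reference is rejected. */
static long resolve_copy_short_binary(const uint8_t *body, size_t body_len,
                                      size_t copy_pos, size_t target,
                                      const uint8_t **str)
{
    if (copy_pos >= body_len)       /* the COPY tag itself must be in the buffer */
        return -1;
    if (target >= copy_pos)         /* a back-reference must point backwards */
        return -1;

    uint8_t tag = body[target];
    if ((tag & SHORT_BINARY_MASK) != SHORT_BINARY_BASE)
        return -1;                  /* target byte is not a SHORT_BINARY tag */

    size_t len = (size_t)(tag & 0x1Fu);
    /* The bound the advisory describes as missing: the whole string, not only
       its tag byte, must end before the COPY tag, hence inside the buffer. */
    if (len > copy_pos - (target + 1))
        return -1;

    *str = body + target + 1;
    return (long)len;
}

int main(void)
{
    const uint8_t *s = NULL;
    long ok  = resolve_copy_short_binary(sample_ok, sizeof sample_ok, 6, 0, &s);
    long bad = resolve_copy_short_binary(sample_bad, sizeof sample_bad, 2, 1, &s);
    return (ok == 3 && bad == -1) ? 0 : 1;
}
```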
--- Begin Message ---
Source: libsereal-decoder-perl
Source-Version: 5.006+ds-1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libsereal-decoder-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libsereal-decoder-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 01 Jun 2026 17:53:10 +0200
Source: libsereal-decoder-perl
Architecture: source
Version: 5.006+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1138633
Changes:
libsereal-decoder-perl (5.006+ds-1) unstable; urgency=medium
.
* Team upload.
* Import upstream version 5.006+ds.
- Fix Out-of-bounds Read (CVE-2026-8796).
Closes: #1138633
* Refresh fix_typo.patch (offset).
* Bump versioned build dependency on libzstd-dev.
* Declare compliance with Debian Policy 4.7.4.
* Remove «Rules-Requires-Root: no», which is the current default.
* Remove «Priority: optional», which is the current default.
* Drop unneeded version constraints from (build) dependencies.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---