Package: perl
Version: 5.30.0-1
Severity: important
Tags: security patch fixed-upstream bullseye bookworm trixie
X-Debbugs-Cc: t...@security.debian.org

Perl upstream released 5.34.2, 5.36.2 and 5.38.1 today with coordinated fixes for two security issues. One of these (CVE-2023-47039) is specific to Windows, but the other one (CVE-2023-47038) concerns us.

We discussed this earlier with Salvatore from the security team and decided that CVE-2023-47038 is non-DSA like other "crafted regular expression crashes" we've handled in the past. It will hence be fixed via point releases for stable and oldstable.

CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property

A test case is

  perl -e 'qr/\p{utf8::_perl_surrogate}/'

which crashes on oldstable (bullseye, 5.32), stable (bookworm, 5.36), unstable / testing (5.36) and experimental (5.38). The issue was introduced in the 5.30 cycle, so LTS (buster, 5.28) is not affected.

The upstream fixes are at

  5.34 https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
  5.36 https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
  5.38 https://github.com/Perl/perl5/commit/92a9eb3d0d52ec7655c1beb29999a5a5219be664

The 5.34 fix applies to 5.32 as well.

I'll start with sid/trixie and handle the *stable updates after that, mainly targeting next bookworm point update on 2023-12-09 as per https://lists.debian.org/debian-project/2023/11/msg00003.html

For experimental/5.38, I intend to push 5.38.1 instead of cherry picking the patch.

-- 
Niko Tyni nt...@debian.org
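As an added example (not from the bug report or Debian's perl package), a POSIX sh helper that runs the report's test case against a perl binary and classifies upstream version strings by the fixed releases the report lists; the function names are assumptions. A clean exit from the probe is not proof of the fix, since an out-of-bounds write does not always crash the process, so the version check is reported alongside it.

```shell
#!/bin/sh
# Added example, not from the bug report or Debian's perl package; function names are assumptions.

# Run the report's test case against a perl binary. Returns 0 when perl
# survives it, 1 when perl dies from a signal (the crash the report
# describes) and 2 when the binary is not found. A clean run is not proof
# of the fix: an out-of-bounds write does not always crash the process.
probe_cve_2023_47038() {
    perl_bin="${1:-perl}"
    command -v "$perl_bin" >/dev/null 2>&1 || return 2
    "$perl_bin" -e 'qr/\p{utf8::_perl_surrogate}/' >/dev/null 2>&1 && return 0
    rc=$?
    # 129-254 means killed by a signal (SIGSEGV=139, SIGABRT=134); a
    # fixed perl that rejects the property with die() exits with 255.
    if [ "$rc" -gt 128 ] && [ "$rc" -lt 255 ]; then return 1; fi
    return 0
}

# Classify an upstream perl version (e.g. 5.36.0) by what the report states:
# introduced in the 5.30 cycle, fixed upstream in 5.34.2, 5.36.2 and 5.38.1.
# Prints "unaffected", "affected" or "fixed". 5.30 and 5.32 have no upstream
# fix release (Debian applies the 5.34 patch); later series are assumed fixed.
classify_upstream_version() {
    v="$1"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "5.36" with no patch level
    if [ "$major" -ne 5 ] || [ "$minor" -lt 30 ]; then
        echo unaffected; return
    fi
    case "$minor" in
        34|36) fixed_patch=2 ;;
        38)    fixed_patch=1 ;;
        *)     if [ "$minor" -gt 38 ]; then echo fixed; else echo affected; fi
               return ;;
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo fixed; else echo affected; fi
}

# Report on one perl binary (default: the one in PATH).
report() {
    perl_bin="${1:-perl}"
    if ! ver=$("$perl_bin" -e 'printf "%vd", $^V' 2>/dev/null); then
        echo "$perl_bin: not found or not runnable"; return 0
    fi
    echo "$perl_bin is $ver: upstream version is $(classify_upstream_version "$ver")"
    probe_cve_2023_47038 "$perl_bin" || echo "$perl_bin: crashed on the test case (affected)"
}

report "$@"
```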