CVE request:Perl bug #48156

[Jonathan Smith <smithj () freethemallocs com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Weimer wrote:
| Debian will release a security update for Perl bug #48156.  This looks a
| bit like a heap overflow in valgrind.  I consider the DoS vector
| important enough (which manifest on i386), so I haven't checked if it is
| exploitable beyond that.
|
| This is just a heads-up, in case someone else wants to release an
| update.  The issue itself is already public (also via Debian bug
| #454792).

Thanks for the info. Since this is already public, I'm CCing oss-security.

I've reproduced the crash on rPath Linux 2, with perl 5.8.8. On rPL 1,
perl 5.8.7 does not crash, but valgrind shows overflows.

So, we'll probably need a CVE. Steve?

        smithj

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkgL8UkACgkQCG91qXPaRek4EQCfQfem29oadZ+DVJoSK/Ti0weA
//0AnRICT5rf/KGfvOfJ+bxDg69k6bDj
=bTwa
-----END PGP SIGNATURE-----