oss-sec mailing list archives

Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes


From: Stig Palmquist <stig () stig io>
Date: Sun, 13 Apr 2025 21:32:31 +0200

On 2025-04-13 16:47, Solar Designer wrote:
> [..]
> As it was mentioned in the advance notification to distros, the issue
> was introduced in:
>
> https://github.com/Perl/perl5/commit/a311ee08b6781f83a7785f578a26bbc21a7ae457
>
> which is part of tags v5.33.1 to v5.41.10, so I guess those versions are
> also affected.  The fix commit is effectively a revert of the bug commit.

Hi Alexander,

Thank you for the feedback. We only considered release branches for the
affected versions.

To fix this, the CVE record has been updated to take into account
development versions and release candidates:

      Versions:  from 5.41.0 through 5.41.10
                 from 5.39.0 before 5.40.2-RC1
                 from 5.33.1 before 5.38.4-RC1

Best,
-- 
Stig Palmquist
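The three ranges in the updated CVE record above have RC boundaries ("before 5.40.2-RC1" means 5.40.1 is affected and 5.40.2-RC1 is not), which is easy to get wrong with a naive string or float comparison. The following is an added example, not part of this thread or of the Perl project, that encodes exactly those three ranges and checks a version string against them. It accepts both the dotted form used in the CVE record (5.40.1, v5.40.1, 5.40.2-RC1) and the numeric form Perl itself reports in `$]` (5.040001). The helper that queries the local interpreter with `perl -e 'print $]'` is an assumption about a `perl` binary being on PATH and is optional; everything else runs offline. Note that this checks only the upstream version number: a distribution package may carry the fix as a backport without changing its version, so treat a positive result as "check your vendor's advisory", not as proof of exposure.

```python
import re
import shutil
import subprocess
import sys
from typing import NamedTuple, Optional


class PerlVersion(NamedTuple):
    """Ordered representation of a Perl version.

    `final` is 1 for a release and 0 for a release candidate, so that
    5.40.2-RC1 (5,40,2,0,1) sorts before 5.40.2 (5,40,2,1,0) and after
    5.40.1 (5,40,1,1,0), matching how the CVE record uses RC boundaries.
    """
    major: int
    minor: int
    patch: int
    final: int
    rc: int


_NUMERIC = re.compile(r"(\d+)\.(\d{3})(\d{3})")                   # $] form, e.g. 5.040001
_DOTTED = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?", re.I)   # 5.40.1, 5.40.2-RC1


def parse_version(text: str) -> PerlVersion:
    """Parse '5.40.1', 'v5.40.1', '5.40.2-RC1' or the $] form '5.040001'."""
    s = text.strip().lstrip("v")
    m = _NUMERIC.fullmatch(s)
    if m:
        return PerlVersion(int(m[1]), int(m[2]), int(m[3]), 1, 0)
    m = _DOTTED.fullmatch(s)
    if not m:
        raise ValueError(f"unrecognised Perl version: {text!r}")
    rc = int(m[4]) if m[4] else 0
    return PerlVersion(int(m[1]), int(m[2]), int(m[3]), 0 if m[4] else 1, rc)


# The affected ranges as stated in the updated CVE-2024-56406 record:
# (lower bound inclusive, upper bound, upper bound inclusive?)
AFFECTED_RANGES = [
    ("5.41.0", "5.41.10", True),        # "from 5.41.0 through 5.41.10"
    ("5.39.0", "5.40.2-RC1", False),    # "from 5.39.0 before 5.40.2-RC1"
    ("5.33.1", "5.38.4-RC1", False),    # "from 5.33.1 before 5.38.4-RC1"
]


def is_affected(version: str) -> bool:
    """True if `version` falls inside any affected range of the CVE record."""
    v = parse_version(version)
    for lo, hi, inclusive in AFFECTED_RANGES:
        lo_v, hi_v = parse_version(lo), parse_version(hi)
        upper_ok = v <= hi_v if inclusive else v < hi_v
        if lo_v <= v and upper_ok:
            return True
    return False


def local_perl_version() -> Optional[str]:
    """Ask the perl on PATH for $] (assumption: a `perl` binary is available)."""
    if shutil.which("perl") is None:
        return None
    out = subprocess.run(["perl", "-e", "print $]"], capture_output=True, text=True)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample inputs; pass versions on the command line instead if you like.
    candidates = sys.argv[1:] or ["5.32.1", "5.34.0", "5.38.3", "5.38.4-RC1",
                                  "5.40.1", "5.40.2", "5.41.10", "5.41.11", "5.040001"]
    local = local_perl_version()
    if local:
        candidates.append(local)
    for c in candidates:
        print(f"{c:>12}: {'AFFECTED' if is_affected(c) else 'not in affected ranges'}")
```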
