
This queue is for tickets about the Compress-Raw-Zlib CPAN distribution.

Report information
The Basics
Id: 123245
Status: resolved
Priority: 0/
Queue: Compress-Raw-Zlib

People
Owner: Nobody in particular
Requestors: ncopa [...] alpinelinux.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 2.075



Subject: perl 5.26.1 is vulnerable to CVE-2016-9843, CVE-2016-9841, CVE-2016-9840, CVE-2016-9842
Date: Wed, 11 Oct 2017 12:19:24 +0200
To: bug-Compress-Raw-Zlib [...] rt.cpan.org
From: Natanael Copa <ncopa [...] alpinelinux.org>
Hi,

The recent perl 5.26.1 release is vulnerable to:

CVE-2016-9843, CVE-2016-9841, CVE-2016-9840, CVE-2016-9842

This is because perl bundles the old and vulnerable copy of zlib 1.2.8.

If it would be possible to build it using system zlib, then it would not have been any problem, but that does not seem to be the case.

This was discovered by a security scanner that flagged Zlib.so shipped with perl 5.26.1.

To verify:

    strings /usr/lib/perl5/core_perl/auto/Compress/Raw/Zlib/Zlib.so | grep -w 1.2.8

    1.2.8
    deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
    inflate 1.2.8 Copyright 1995-2013 Mark Adler

The bundled zlib version is vulnerable.

Thanks!

-nc
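The verification step in the report above, as an added shell example that is not part of the ticket, of perl, or of the Compress-Raw-Zlib distribution: it pulls the zlib copyright string out of a shared object (without depending on binutils' `strings`), reports the embedded version, and compares it against 1.2.11, the release this thread names as the fix. The function names, the `make_sample_so` helper and the sample files it writes are constructed for this example; the string layout it embeds is copied from the `strings` output in the report.

```shell
#!/bin/sh
# Report the zlib version compiled into a shared object and say whether it
# is older than the release the ticket names as fixed (1.2.11).
set -eu

MIN_ZLIB=1.2.11   # fixed release per the thread; adjust if policy differs

# Print the zlib version a binary embeds, taken from the deflate copyright
# string ("deflate X.Y.Z Copyright ..."). Printable runs are split out with
# tr so binutils' `strings` is not required.
zlib_version_in() {
    tr -c '[:print:]' '\n' < "$1" \
      | sed -n 's/^ *deflate \([0-9][0-9.]*\) Copyright.*/\1/p' \
      | head -n 1
}

# Dotted-version comparison: succeeds when $1 >= $2 (numeric per field).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" \
          | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)" = "$1" ]
}

# Verdict for one binary: prints "ok VER", "vulnerable VER" or "unknown";
# exit status 0, 1 or 2 respectively so it can drive a scanner.
check_zlib_so() {
    v=$(zlib_version_in "$1")
    if [ -z "$v" ]; then
        echo unknown; return 2
    elif version_ge "$v" "$MIN_ZLIB"; then
        echo "ok $v"; return 0
    else
        echo "vulnerable $v"; return 1
    fi
}

# Constructed stand-in for a Zlib.so: a few non-printable bytes around the
# two copyright strings zlib builds carry. $1 path, $2 version, $3 years.
make_sample_so() {
    {
        printf '\177ELF\002\001\001\n'
        printf '%s\n' "$2"
        printf '\001\002deflate %s Copyright %s Jean-loup Gailly and Mark Adler\003\n' "$2" "$3"
        printf 'inflate %s Copyright %s Mark Adler\n' "$2" "$3"
    } > "$1"
}

if [ -n "${1:-}" ]; then
    # Real use: check_zlib_so /usr/lib/perl5/core_perl/auto/Compress/Raw/Zlib/Zlib.so
    check_zlib_so "$1" || :
else
    # No argument: demonstrate on constructed samples (1.2.8 as in the
    # report, 1.2.11 as the fixed release) and clean up afterwards.
    d=$(mktemp -d)
    make_sample_so "$d/old-Zlib.so" 1.2.8 1995-2013
    make_sample_so "$d/new-Zlib.so" 1.2.11 1995-2017
    for f in "$d"/*.so; do
        printf '%s: ' "$f"
        check_zlib_so "$f" || :
    done
    rm -rf "$d"
fi
```

Run it with the path of the Zlib.so under test as the only argument; with no argument it exercises the two constructed samples. The version extraction keys on the deflate copyright string rather than on a bare "1.2.8" token, which is why the `grep -w 1.2.8` from the report can match unrelated data while this check cannot.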
On Wed Oct 11 06:27:32 2017, ncopa@alpinelinux.org wrote:
Reference: http://zlib.net/, where the most recent version of zlib is 1.2.11, released January 15, 2017. The page states: "Due to the bug fixes, any installations of 1.2.9 or 1.2.10 should be immediately replaced with 1.2.11."

Thank you very much.
Jim Keenan
Updated module to ship with zlib 1.2.11. Closing issue.
On Sun Oct 22 18:33:07 2017, JKEENAN wrote:
In https://rt.cpan.org/Ticket/Display.html?id=123358#txn-1757600, the maintainer indicated that he has uploaded a new version (2.075) to CPAN. Accordingly, I will shortly be merging this into Perl 5 blead.

Thank you very much.
Jim Keenan