
This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id: 131687
Status: open
Priority: 0/
Queue: CPAN

People
Owner: Nobody in particular
Requestors: noloader [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CPAN uses Bzip2 1.0.6 with CVE-2019-12900
Date: Wed, 5 Feb 2020 01:22:01 -0500
To: bug-CPAN [...] rt.cpan.org
From: Jeffrey Walton <noloader [...] gmail.com>
According to the head notes in cpan/Compress-Raw-Bzip2/decompress:

    $ cat cpan/Compress-Raw-Bzip2/decompress.c
    /*-------------------------------------------------------------*/
    /*--- Decompression machinery ---*/
    /*--- decompress.c ---*/
    /*-------------------------------------------------------------*/
    /* ------------------------------------------------------------------
    This file is part of bzip2/libbzip2, a program and library for
    lossless, block-sorting data compression.

    bzip2/libbzip2 version 1.0.6 of 6 September 2010
    Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>

Bzip2 version 1.0.6 has a security defect; see Bzip2 download and CVE-2019-12900 fix (https://sourceware.org/ml/bzip2-devel/2019-q2/msg00015.html)? Perl should update to version 1.0.7 or 1.0.8.

Bzip2's new home is Sourceware website (https://www.sourceware.org/bzip2/). Seward lost the Bzip2 website to squatters a couple of years ago.

Also see https://github.com/Perl/perl5/issues/17529 and https://github.com/Perl/perl5/issues/17528.
This has already been fixed. Version 2.088, released 31 October 2019, upgraded the bzip2 library to 1.0.8. It was also filed on the wrong queue. This is the queue for the CPAN distribution, but it should be filed on the Compress-Raw-Bzip2 queue.
Subject: Re: [rt.cpan.org #131687] CPAN uses Bzip2 1.0.6 with CVE-2019-12900
Date: Wed, 5 Feb 2020 04:06:04 -0500
To: bug-CPAN [...] rt.cpan.org
From: Jeffrey Walton <noloader [...] gmail.com>
On Wed, Feb 5, 2020 at 3:57 AM Graham Knop via RT <bug-CPAN@rt.cpan.org> wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=131687 >
>
> This has already been fixed. Version 2.088, released 31 October 2019, upgraded the bzip2 library to 1.0.8. It was also filed on the wrong queue. This is the queue for the CPAN distribution, but it should be filed on the Compress-Raw-Bzip2 queue.

Thanks Graham.

I'm building Perl 5.30.1 from sources. What do I do to get the updated version of the tool? Is there anything I can do, or do I have to wait for the next Perl release?

Forgive my ignorance. I don't use Perl. I'm working with OpenSSL 1.1.x. OpenSSL needs a semi-modern Perl, so I had to build Perl from sources on older machines.

Jeff
On Wed Feb 05 04:06:23 2020, noloader@gmail.com wrote:
> On Wed, Feb 5, 2020 at 3:57 AM Graham Knop via RT <bug-CPAN@rt.cpan.org> wrote:
> > <URL: https://rt.cpan.org/Ticket/Display.html?id=131687 >
> >
> > This has already been fixed. Version 2.088, released 31 October 2019, upgraded the bzip2 library to 1.0.8. It was also filed on the wrong queue. This is the queue for the CPAN distribution, but it should be filed on the Compress-Raw-Bzip2 queue.
>
> Thanks Graham.
>
> I'm building Perl 5.30.1 from sources. What do I do to get the updated version of the tool? Is there anything I can do, or do I have to wait for the next Perl release?

You can just install the latest version of the module. The perl distribution comes with a script called cpan. Just run it using the same account you used to build & install perl.

    cpan Compress::Raw::Bzip2

Alternatively, download the module source from
https://cpan.metacpan.org/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.093.tar.gz

Unpack the tar.gz file, cd into the new directory & run

    perl Makefile.PL
    make test
    make install
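A check worth running before and after the upgrade described above, added here as an example and not part of the ticket or of the Compress-Raw-Bzip2 distribution: it asks the installed Compress::Raw::Bzip2 which libbzip2 it was built against (the module's documented bzlibversion() function returns the library's version string) and compares that against 1.0.7, the first bzip2 release that carries the CVE-2019-12900 fix, so a build that still bundles 1.0.6 is flagged. The version strings used in the comments are constructed samples in the form bzlibversion() returns; the --check mode assumes perl and the module are on PATH.

```shell
#!/bin/sh
# Added example: verify that the installed Compress::Raw::Bzip2 is built
# against a libbzip2 that includes the CVE-2019-12900 fix (bzip2 >= 1.0.7).
# Assumes: perl with Compress::Raw::Bzip2 on PATH when run with --check.
set -eu

# Extract "1.0.8" from a string such as "1.0.8, 13-Jul-2019"
# (constructed sample of what bzlibversion() returns).
bzlib_version_number() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status 0 when major.minor.patch >= 1.0.7 (first release with the fix),
# 1 when older, 2 when the string cannot be parsed (treat as unknown, not safe).
bzlib_has_cve_2019_12900_fix() {
    v=$(bzlib_version_number "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 0 ]; then return 0; fi
    [ "$patch" -ge 7 ]
}

# Ask the installed module; use the same perl that cpan/Makefile.PL will use.
installed_bzlib_version() {
    perl -MCompress::Raw::Bzip2 -e 'print Compress::Raw::Bzip2::bzlibversion(), "\n"'
}

installed_module_version() {
    perl -MCompress::Raw::Bzip2 -e 'print $Compress::Raw::Bzip2::VERSION, "\n"'
}

# Only touches perl when explicitly asked, so the functions above can be
# sourced or tested without a perl installation.
if [ "${1:-}" = "--check" ]; then
    libver=$(installed_bzlib_version)
    modver=$(installed_module_version)
    printf 'Compress::Raw::Bzip2 %s, libbzip2 %s\n' "$modver" "$libver"
    if bzlib_has_cve_2019_12900_fix "$libver"; then
        echo "OK: bundled bzip2 includes the CVE-2019-12900 fix"
    else
        echo "NOT FIXED (or unknown): upgrade with 'cpan Compress::Raw::Bzip2'" >&2
        exit 1
    fi
fi
```

Run it as `sh check-bzip2.sh --check` under the account that built and installed perl; a non-zero exit means the module still reports a pre-1.0.7 library (or a string it could not parse), and a second run after `cpan Compress::Raw::Bzip2` or the `make install` sequence should then report 1.0.8.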