Bug 794535 (CVE-2012-5195) - VUL-1: CVE-2012-5195: perl: memory corruption
Summary: VUL-1: CVE-2012-5195: perl: memory corruption
Status: RESOLVED FIXED
Alias: CVE-2012-5195
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Assignee: Michael Schröder
QA Contact: Security Team bot
Reported: 2012-12-14 12:35 UTC by Matthias Weckbecker
Modified: 2015-07-20 11:08 UTC
Description Matthias Weckbecker 2012-12-14 12:35:03 UTC
We have recently been notified about a MM issue with Perl. This was originally
reported [1] to oss-sec by Tim Brown.

[1] http://seclists.org/oss-sec/2012/q4/140
Comment 1 Matthias Weckbecker 2012-12-14 12:45:38 UTC
Looking some more into this, I think it matches the following Debian report:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689314
Comment 2 Matthias Weckbecker 2012-12-14 13:11:53 UTC
Note: This issue does not affect any SLE.
Comment 3 Michael Schröder 2012-12-14 14:54:38 UTC
Oh well. We should fix this the next time we release a perl update.
Comment 4 Matthias Weckbecker 2012-12-14 19:42:54 UTC
It does not need any fixing (see comment #1). Maybe just openSUSE at some later
point in time. And that's what VUL-1 means basically. :)
Comment 6 Michael Schröder 2012-12-17 10:29:53 UTC
Older versions of perl (like the ones used in SLES) didn't call memset.
Comment 7 Victor Pereira 2015-07-20 11:08:30 UTC
Reproducer:

perl -le 'print "v"x(2**31+1) ."=1"'

openSUSE 13.1 and 13.2 are already fixed.