Bug 896715 (CVE-2014-4330) - VUL-1: CVE-2014-4330: perl: stack exhaustion in Data::Dumper
Summary: VUL-1: CVE-2014-4330: perl: stack exhaustion in Data::Dumper
Status: RESOLVED FIXED
Alias: CVE-2014-4330
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High   Severity: Major
Target Milestone: ---
Assignee: Michael Schröder
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp1:59348 maint:...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
 
Reported: 2014-09-15 13:24 UTC by Marcus Meissner
Modified: 2018-11-17 23:41 UTC
CC List: 8 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
0001-perl-122111-don-t-recurse-infinitely-in-Data-Dumper.patch (10.95 KB, patch)
2014-09-15 13:25 UTC, Marcus Meissner

Description Marcus Meissner 2014-09-15 13:24:18 UTC
via security@suse.de, embargoed

Date: Mon, 8 Sep 2014 22:22:32 -0400
From: Ricardo Signes <rjbs@cpan.org>
Subject: [security@suse.de] patch for stack exhaustion in perl

The perl5 development team was given a report of stack memory exhaustion
through deep recursion in the Data::Dumper extension.  We've been asked to
treat this as a security vulnerability, although at present we do not believe
there is anything to exploit beyond crashing.

This report is coming to you later than it should have due entirely to bad task
management at my end.  The reporter will be publishing their findings no sooner
than September 11th, although I have asked them to delay a few days.

The attached patch will be applied to perl's main development branch and a new
release of Data-Dumper will be made along with that posting.  My advice is to
integrate that new release of Data-Dumper.

-- 
rjbs
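The report above describes unbounded recursion when Data::Dumper walks a deeply nested structure. The defensive control a practitioner wants when dumping values that may come from untrusted input is a depth bound. The following is an added example, not code from the bug report, from the attached patch, or from Data::Dumper itself; it relies only on the long-documented `$Data::Dumper::Maxdepth` setting, and the nested input it dumps is constructed here for illustration.

```perl
#!/usr/bin/perl
# Added example (not part of the bug report or of Data::Dumper):
# bound the depth to which Data::Dumper descends into a structure, so a
# pathologically nested value cannot drive unbounded recursion.
use strict;
use warnings;
use Data::Dumper;

# Build a constructed chain of nested array refs, $levels deep.
# (This is the sample input for the example; it is not data from the report.)
sub nested {
    my ($levels) = @_;
    my $node = 'leaf';
    $node = [ $node ] for 1 .. $levels;
    return $node;
}

# Dump $data, descending at most $maxdepth levels.  Beyond that limit
# Data::Dumper emits the reference's stringified form (e.g. 'ARRAY(0x...)')
# instead of recursing into it, so output size and stack use stay bounded
# regardless of how deep the input really is.
sub bounded_dump {
    my ($data, $maxdepth) = @_;
    local $Data::Dumper::Maxdepth = $maxdepth;   # 0 would mean "no limit"
    local $Data::Dumper::Indent   = 1;
    local $Data::Dumper::Terse    = 1;
    return Dumper($data);
}

# Count how many array levels actually appear in a dump, as a quick check
# that the bound took effect.
sub levels_in_dump {
    my ($dump) = @_;
    my $count = () = $dump =~ /\[/g;
    return $count;
}

my $deep = nested(10_000);                 # far deeper than we ever want to print
my $out  = bounded_dump($deep, 4);
print $out;
printf "array levels rendered: %d (input had 10000)\n", levels_in_dump($out);
```

`Maxdepth` is a presentation limit: it silently truncates rather than failing, which is usually what you want in logging or debugging code that handles data of unknown shape. The Data::Dumper release that fixed this issue also introduced `$Data::Dumper::Maxrecurse`, a hard recursion limit (default 1000) that dies when exceeded; that setting only exists in fixed versions, so code that must run on older Perls, such as the SLE 11 packages listed in this bug, should set `Maxdepth` itself rather than rely on it.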
Comment 1 Marcus Meissner 2014-09-15 13:25:09 UTC
Created attachment 606365 [details]
0001-perl-122111-don-t-recurse-infinitely-in-Data-Dumper.patch

attached patch
Comment 2 SMASH SMASH 2014-09-15 15:40:11 UTC
Affected packages:

SLE-10-SP3-TERADATA: perl
SLE-11-SP3: perl
SLE-11-SP3-PRODUCTS: perl
SLE-11-SP3-UPTU: perl
Comment 3 Swamp Workflow Management 2014-09-15 22:00:22 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2014-09-19 07:56:43 UTC
CVE-2014-4330

public apparently.
Comment 8 Swamp Workflow Management 2014-10-23 19:05:03 UTC
SUSE-SU-2014:1321-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 838333,896715
CVE References: CVE-2014-4330
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    perl-5.10.0-64.70.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    perl-5.10.0-64.70.1
SUSE Linux Enterprise Server 11 SP3 (src):    perl-5.10.0-64.70.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    perl-5.10.0-64.70.1
Comment 9 Sebastian Krahmer 2014-10-27 09:34:23 UTC
released
Comment 13 Marcus Meissner 2016-06-02 14:29:19 UTC
This issue was fixed in SLE12 before the initial shipment of SLE12 GA.