Skip Menu |
 

This queue is for tickets about the Compress-Raw-Zlib CPAN distribution.

Report information
The Basics
Id: 123245
Status: resolved
Priority: 0/
Queue: Compress-Raw-Zlib

People
Owner: Nobody in particular
Requestors: ncopa [...] alpinelinux.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 2.075



Subject: perl 5.26.1 is vulnerable to CVE-2016-9843, CVE-2016-9841, CVE-2016-9840, CVE-2016-9842
Date: Wed, 11 Oct 2017 12:19:24 +0200
To: bug-Compress-Raw-Zlib [...] rt.cpan.org
From: Natanael Copa <ncopa [...] alpinelinux.org>
Download (untitled) / with headers
text/plain 679b
Hi, The recent perl 5.26.1 release is vulnerable to: CVE-2016-9843, CVE-2016-9841, CVE-2016-9840, CVE-2016-9842 This is because perl bundles the old and vulnerable copy of zlib 1.2.8. If it would be possible to build it using system zlib, then it would not been any problem, but that does not seem to be the case. This was discovered by a security scanner that flagged Zlib.so shipped with perl 5.26.1. To verify: strings /usr/lib/perl5/core_perl/auto/Compress/Raw/Zlib/Zlib.so | grep -w 1.2.8 1.2.8 deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler inflate 1.2.8 Copyright 1995-2013 Mark Adler The bundled zlib version is vulnerable. Thanks! -nc
On Wed Oct 11 06:27:32 2017, ncopa@alpinelinux.org wrote: Show quoted text
> Hi, > > The recent perl 5.26.1 release is vulnerable to: > > CVE-2016-9843, CVE-2016-9841, CVE-2016-9840, CVE-2016-9842 > > This is because perl bundles the old and vulnerable copy of zlib > 1.2.8. > > If it would be possible to build it using system zlib, then it would > not been any problem, but that does not seem to be the case. > > > This was discovered by a security scanner that flagged Zlib.so shipped > with perl 5.26.1. > > To verify: > strings /usr/lib/perl5/core_perl/auto/Compress/Raw/Zlib/Zlib.so | grep > -w 1.2.8 > > 1.2.8 > deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler > inflate 1.2.8 Copyright 1995-2013 Mark Adler > > > The bundled zlib version is vulnerable. > > Thanks! > > -nc
Reference: http://zlib.net/, where the most recent version of zlib is 1.2.11, released January 15, 2017. The page states: "Due to the bug fixes, any installations of 1.2.9 or 1.2.10 should be immediately replaced with 1.2.11." Thank you very much. Jim Keenan
Updated module to ship with zlib 1.2.11. Closing issue.
Download (untitled) / with headers
text/plain 1.3k
On Sun Oct 22 18:33:07 2017, JKEENAN wrote: Show quoted text
> On Wed Oct 11 06:27:32 2017, ncopa@alpinelinux.org wrote:
> > Hi, > > > > The recent perl 5.26.1 release is vulnerable to: > > > > CVE-2016-9843, CVE-2016-9841, CVE-2016-9840, CVE-2016-9842 > > > > This is because perl bundles the old and vulnerable copy of zlib > > 1.2.8. > > > > If it would be possible to build it using system zlib, then it would > > not been any problem, but that does not seem to be the case. > > > > > > This was discovered by a security scanner that flagged Zlib.so > > shipped > > with perl 5.26.1. > > > > To verify: > > strings /usr/lib/perl5/core_perl/auto/Compress/Raw/Zlib/Zlib.so | > > grep > > -w 1.2.8 > > > > 1.2.8 > > deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler > > inflate 1.2.8 Copyright 1995-2013 Mark Adler > > > > > > The bundled zlib version is vulnerable. > > > > Thanks! > > > > -nc
> > Reference: http://zlib.net/, where the most recent version of zlib is > 1.2.11, released January 15, 2017. The page states: "Due to the bug > fixes, any installations of 1.2.9 or 1.2.10 should be immediately > replaced with 1.2.11." > > Thank you very much. > Jim Keenan
In https://rt.cpan.org/Ticket/Display.html?id=123358#txn-1757600, the maintainer indicated that he has uploaded a new version (2.075) to CPAN. Accordingly, I will shortly be merging this into Perl 5 blead. Thank you very much. Jim Keenan


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.