SB2018041601 - Debian update for perl

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Heap-based buffer overflow (CVE-ID: CVE-2018-6797)

The vulnerability allows a local attacker to cause DoS condition or execute arbitrary code on the target system.

The weakness exists in S_regatom() in 'regcomp.c' due to heap-based buffer overflow. A local attacker can exploit a specially crafted regular expression, trigger memory corruption and cause the service to crash or run Perl code.

Successful exploitation of the vulnerability may result in system compromise.

2) Heap-based buffer over-read (CVE-ID: CVE-2018-6798)

The vulnerability allows a local attacker to obtain potentially sensitive information or execute arbitrary code on the target system.

The weakness exists due to heap-based buffer over-read. A local attacker can exploit a specially crafted locale dependent regular expression, trigger memory corruption and gain access to potentially sensitive information or run Perl code.

Successful exploitation of the vulnerability may result in system compromise.

3) Heap-based buffer overflow (CVE-ID: CVE-2018-6913)

The vulnerability allows a local attacker to cause DoS condition or execute arbitrary code on the target system.

The weakness exists due to heap-based buffer overflow. A local attacker can exploit a specially crafted pack() function, trigger memory corruption and cause the service to crash or run Perl code.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install update from vendor's website.

References

• https://rt.perl.org/Public/Bug/Display.html?id=132227
• https://rt.perl.org/Public/Bug/Display.html?id=132063
• https://rt.perl.org/Public/Bug/Display.html?id=131844