12:05 < ether> what's up with CVE-2022-48522? CPAN::Audit lists it as an open vulnerability affecting >=5.34.0, saying "In Perl 5.34.0, function S_find_uninit_var in sv.c has a
stack-based crash that can lead to remote code execution or local privilege escalation." and references ...
12:05 < ether> ... https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345
12:05 < ether> but I see no mention of that CVE in any perldeltas
12:05 < ether> is perlsec aware of it?
12:18 < mauke> https://github.com/Perl/perl5/issues/19147 is the only related issue I can find
12:18 < mauke> by which I mean a commit that is in both 5.34.1 and 5.35.5 and touches S_find_uninit_var
12:20 < mauke> https://ubuntu.com/security/CVE-2022-48522 says "This is just an infinite recursion when trying to print a warning message causing the process to run out of stack
space, this has a negligible security impact"
12:20 < mauke> and links to the same github issue I found
12:22 < mauke> "affecting >=5.34.0" is definitely wrong. even the advisory at https://security.netapp.com/advisory/ntap-20230915-0008/ (linked as CONFIRM from
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48522) says it is already fixed in 5.34.1 and 5.35.5
12:25 < mauke> it's not mentioned in any perldelta because the CVE is from 2023-07-23, long after the fix was released
Closing as duplicate of briandfoy/cpan-security-advisory#133. All data updates should be in that other repo. When there's something that seems out of date, that just means someone needs to update it.
from irc #p5p: