outdated info for CVE-2022-48522 #55

Closed
karenetheridge opened this issue Jan 3, 2024 · 2 comments
@karenetheridge

from irc #p5p:

12:05 < ether> what's up with CVE-2022-48522? CPAN::Audit lists it as an open vulnerability affecting >=5.34.0, saying "In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation." and references ...
12:05 < ether> ... https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345
12:05 < ether> but I see no mention of that CVE in any perldeltas
12:05 < ether> is perlsec aware of it?
12:18 < mauke> https://github.com/Perl/perl5/issues/19147 is the only related issue I can find
12:18 < mauke> by which I mean a commit that is in both 5.34.1 and 5.35.5 and touches S_find_uninit_var
12:20 < mauke> https://ubuntu.com/security/CVE-2022-48522 says "This is just an infinite recursion when trying to print a warning message causing the process to run out of stack space, this has a negligible security impact"
12:20 < mauke> and links to the same github issue I found
12:22 < mauke> "affecting >=5.34.0" is definitely wrong. even the advisory at https://security.netapp.com/advisory/ntap-20230915-0008/ (linked as CONFIRM from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48522) says it is already fixed in 5.34.1 and 5.35.5
12:25 < mauke> it's not mentioned in any perldelta because the CVE is from 2023-07-23, long after the fix was released
@mauke

mauke commented Jan 3, 2024

@briandfoy
Owner

briandfoy commented Jan 4, 2024

Closing as duplicate of briandfoy/cpan-security-advisory#133. All data updates should be in that other repo. When there's something that seems out of date, that just means someone needs to update it.

@briandfoy briandfoy self-assigned this Jan 4, 2024
@briandfoy briandfoy added the Status: rejected this change is rejected label Jan 4, 2024