FEDORA-2018-d1ba58394e

security update in Fedora 28 for perl

Status: stable a year ago

This release provides Perl 5.26.2, which fixes a heap buffer overflow in the pack() function and two overflows in the regular expression engine.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-d1ba58394e

Comments 37

This update has been submitted for testing by ppisar.

ppisar edited this update.

New build(s):

  • perl-5.26.2-410.fc28

Karma has been reset.

ppisar edited this update.

Interesting that this didn't make it into testing yet, after 11 days...

This update has been pushed to testing.

Works great! LGTM! =)

karma: +1

works for me

karma: +1

No issues found running some scripts.

karma: +1

No regressions here.

karma: +1 critpath: +1

no regressions noted

karma: +1

lgtm

karma: +1

Works for me.

karma: +1

Could you please push it to Stable? This is a dependency of vim: https://bodhi.fedoraproject.org/updates/FEDORA-2018-fc49e5d1dc in Stable and blocks it from installing.

Works fine! Please push this ASAP, too bad that Bodhi doesn't take into account the dependencies of updates, now we have vim in stable requiring this one here…

karma: +1 critpath: +1

WFM, fixes vim update

karma: +1

Unfortunately, this cannot be pushed, because of:

Cannot submit perl-Module-CoreList ('1', '5.20180414', '1.fc28') to stable since it is older than ('1', '5.20180420', '1.fc28')

besser82 edited this update.

Removed build(s):

  • perl-Module-CoreList-5.20180414-1.fc28

Karma has been reset.

This update has been submitted for testing by besser82.

I've edited the update and give an initial +1 to get that pushed ASAP…

karma: +1 critpath: +1

besser82 edited this update.

besser82 edited this update.

@everyone, who already gave karma to this update:

As I removed the problematic build, karma has been reset to 0. Please give karma again (using Bodhi's web interface) to get that shipped as fast as it can.

karma: +1 critpath: +1

Karma:

karma: +1 critpath: +1

Is there still something blocking this update? It prevents vim-enhanced from installing which is in stable already:

Last metadata expiration check: 0:50:24 ago on Wed 09 May 2018 09:14:16 AM CEST.
Dependencies resolved.

 Problem 1: cannot install the best update candidate for package vim-enhanced-2:8.0.1704-1.fc28.x86_64
  - nothing provides perl(:MODULE_COMPAT_5.26.2) needed by vim-enhanced-2:8.0.1788-1.fc28.x86_64
 Problem 2: problem with installed package vim-enhanced-2:8.0.1704-1.fc28.x86_64
  - package vim-enhanced-2:8.0.1704-1.fc28.x86_64 requires vim-common = 2:8.0.1704-1.fc28, but none of the providers can be installed
  - cannot install both vim-common-2:8.0.1788-1.fc28.x86_64 and vim-common-2:8.0.1704-1.fc28.x86_64
  - cannot install both vim-common-2:8.0.1704-1.fc28.x86_64 and vim-common-2:8.0.1788-1.fc28.x86_64
  - cannot install the best update candidate for package vim-common-2:8.0.1704-1.fc28.x86_64
  - nothing provides perl(:MODULE_COMPAT_5.26.2) needed by vim-enhanced-2:8.0.1788-1.fc28.x86_64
================================================================================
 Package          Arch      Version              Repository    Size
================================================================================
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 vim-common       x86_64    2:8.0.1788-1.fc28    updates       6.4 M
Skipping packages with broken dependencies:
 vim-enhanced     x86_64    2:8.0.1788-1.fc28    updates       1.3 M

karma: +1

This update has been submitted for stable by pwalter.

Fixes vim installation.

karma: +1 critpath: +1

hm, any reason this hasn't made it to stable repo?

@markec, read my comment from yesterday. I needed to remove a package from this update set, which prevented it from being pushed. After that, it needed some new karma to be pushed to stable, as it is now queued for.

Thanks, seen that. But still don't see it in stable - how often is push scheduled for?

The push is usually run once a day around the evening hours of UTC. By the time I'm writing this, the push is already running and this update will be available on most Tier-1 and Tier-2 mirrors around the world within the next 12 hours or so.

Thanks for additional info!

This update has been pushed to stable.

Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: unspecified
Karma: +8 (stable threshold: 1, unstable threshold: -5)
Autopush: Enabled
Dates: submitted a year ago; in testing a year ago; in stable a year ago; modified a year ago

Related Bugs 6

#1547772 CVE-2018-6913 perl: heap buffer overflow in pp_pack.c
#1547779 CVE-2018-6798 perl: heap read overflow in regexec.c
#1547783 CVE-2018-6797 perl: heap write overflow in regcomp.c
#1567776 CVE-2018-6913 perl: heap buffer overflow in pp_pack.c [fedora-all]
#1567777 CVE-2018-6798 perl: heap read overflow in regexec.c [fedora-all]
#1567778 CVE-2018-6797 perl: heap write overflow in regcomp.c [fedora-all]

Automated Test Results

Test Cases

Test Case Perl sanity