CVE-2010-4777

NameCVE-2010-4777
DescriptionThe Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs628836

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
perl (PTS)bullseye5.32.1-4+deb11u3fixed
bullseye (security)5.32.1-4+deb11u4fixed
bookworm5.36.0-7+deb12u1fixed
sid, trixie5.40.0-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
perlsource(unstable)5.20.1-1unimportant628836

Notes

Only affects Perl builds with enabled assertions, i.e. the debugperl binary from perl-debug
likely fixed sometime around 5.18, but 5.20 was the version checked

Search for package or bug name: Reporting problems