CVE-2010-4777

NameCVE-2010-4777
DescriptionThe Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs628836

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
perl (PTS)stretch5.24.1-3+deb9u7fixed
stretch (security)5.24.1-3+deb9u5fixed
buster5.28.1-6+deb10u1fixed
bullseye5.32.1-4+deb11u2fixed
bullseye (security)5.32.1-4+deb11u1fixed
bookworm, sid5.34.0-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
perlsource(unstable)5.20.1-1unimportant628836

Notes

Only affects Perl builds with enabled assertions, i.e. the debugperl binary from perl-debug
likely fixed sometime around 5.18, but 5.20 was the version checked
Search for package or bug name: Reporting problems