Bug 1217084 (CVE-2023-47038) - VUL-0: CVE-2023-47038: perl: Write past buffer end via illegal user-defined Unicode property
Status: NEW
Alias: CVE-2023-47038
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Michael Schröder
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/384694/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-47038:4.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-13 13:54 UTC by SMASH SMASH
Modified: 2023-11-29 12:12 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 4 Michael Schröder 2023-11-24 13:03:18 UTC
Marcus, could you please attach the 5.38.0 patch?
Comment 5 Marcus Meissner 2023-11-27 08:14:21 UTC
https://metacpan.org/release/PEVANS/perl-5.38.1/view/pod/perldelta.pod

CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property

This vulnerability was reported directly to the Perl security team by Nathan Mills the.true.nathan.mills@gmail.com.

A crafted regular expression when compiled by perl 5.30.0 through 5.38.0 can cause a one-byte attacker controlled buffer overflow in a heap allocated buffer.
Comment 6 Marcus Meissner 2023-11-27 08:14:56 UTC
(In reply to Michael Schröder from comment #4)
> Marcus, could you please attach the 5.38.0 patch?

Sorry, was on sick leave last week and missed this. I also seem to have deleted the report email,
but it should now be available from upstream.
Comment 7 Michael Schröder 2023-11-27 13:12:53 UTC
No need, we'll update to 5.38.1
Comment 8 Michael Schröder 2023-11-29 11:46:00 UTC
Make that 5.38.2 ...