perl-modperl mailing list archives

From Dominic Hargreaves <...@earth.li>
Subject perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date Tue, 12 Mar 2013 23:51:07 GMT
Hello,

When trying to fix this issue in Debian stable, I found that the
patch at

http://svn.apache.org/viewvc?view=revision&revision=1455340

does not stop the test failing when applied to 2.0.4 (as currently
found in Debian stable) and built against the current perl package
in Debian stable (5.10 + the rehashing fix). t/logs/error_log simply says:

[Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount the hash collision attack
at /home/dom/working/pkg-perl/git/libapache2-mod-perl2/t/response/TestPerl/hash_attack.pm
line 112, <fh00003Makefile> line 1.\n

This is the change:

http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b55643d7dd9de577e7918

which differs a bit from that applied to 5.14:

http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03bc6bc457029a7aef2

although interestingly both test changes are identical.

Help to pin down this difference in behaviour would be appreciated.

The source for the package in question is at

http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
