[Munich-pm] Perl and CVE-2022-23852
Harald Jörg
haj at posteo.de
Wed Feb 2 06:11:16 PST 2022
Hello Osman,
you write:
> Does anyone know if Perl is also affected by the vulnerability going
> around under the CVE-2022-23852 .
>
> https://nvd.nist.gov/vuln/detail/CVE-2022-23852
>
> We have the CPAN module https://metacpan.org/pod/XML::Parser::Expat
> . But not sure if this or any other module is relying on the libexpat

XML::Parser is using libexpat - but does not ship it. So yes, Perl
programs might be affected, but there's nothing Perl or the module can
do about it.

Whether Perl programs are affected depends on whether libexpat on your
platform has been built with a nonzero value for XML_CONTEXT_BYTES.
Since it is nonzero by default, this is likely the case if you are
using libexpat as provided by a Linux distribution.

The bug was fixed in libexpat 2.4.4 yesterday, so your best bet is
to monitor when your Linux distribution ships a fixed package (or build
your own libexpat from source).

--
Cheers,
haj
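
Added example, not part of the original message or of XML::Parser: a Python ctypes probe that asks the system libexpat (the shared library a dynamically linked XML::Parser would load) for its version and its compiled-in XML_CONTEXT_BYTES, the two facts the reply says matter. The function names `probe_libexpat` and `assess` are hypothetical, and the code assumes a non-UNICODE build where feature names are plain `char` strings.

```python
import ctypes
import ctypes.util

FIXED = (2, 4, 4)  # libexpat release named in the message above

class ExpatVersion(ctypes.Structure):   # XML_Expat_Version in expat.h
    _fields_ = [("major", ctypes.c_int), ("minor", ctypes.c_int),
                ("micro", ctypes.c_int)]

class ExpatFeature(ctypes.Structure):   # XML_Feature in expat.h
    _fields_ = [("feature", ctypes.c_int), ("name", ctypes.c_char_p),
                ("value", ctypes.c_long)]

def probe_libexpat():
    """Return ((major, minor, micro), context_bytes), or None if not found."""
    path = ctypes.util.find_library("expat")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.XML_ExpatVersionInfo.restype = ExpatVersion
    lib.XML_GetFeatureList.restype = ctypes.POINTER(ExpatFeature)
    v = lib.XML_ExpatVersionInfo()
    features = lib.XML_GetFeatureList()
    context_bytes = 0  # an absent entry is treated as "built without it"
    i = 0
    while features[i].feature != 0:  # XML_FEATURE_END terminates the list
        if features[i].name == b"XML_CONTEXT_BYTES":
            context_bytes = features[i].value
        i += 1
    return (v.major, v.minor, v.micro), context_bytes

def assess(version, context_bytes):
    """Classify a build using the two conditions from the message."""
    if context_bytes == 0:
        return "XML_CONTEXT_BYTES is zero"
    if version >= FIXED:
        return "fixed upstream"
    # Distributions may backport the fix without changing the upstream
    # version number, so an old version is a prompt to check, not a verdict.
    return "check distribution advisory"

if __name__ == "__main__":
    found = probe_libexpat()
    print("libexpat not found" if found is None else (found, assess(*found)))
```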