G'day Tux,

++ Thanks for this notification and the CVE information.

Is there any official (or at least detailed) write-ups of these vulnerabilities? I typically just look in "Perl: Security Vulnerabilities, CVEs" but they weren't listed there. I also looked in quite a few other places; many just had "unknown", "not found", or a very minimal description; here's an incomplete list:

• The perldelta pages for the three newly released versions:
  • 5.34.2 perldelta
  • 5.36.2 perldelta
  • 5.38.1 perldelta
• Perl: Products and vulnerabilities
• https://www.cve.org/
• NIST - National Vulnerability Database:
  • https://nvd.nist.gov/vuln/detail/CVE-2023-47038
  • https://nvd.nist.gov/vuln/detail/CVE-2023-47039
• cPanel: Perl CVE-2023-47038 and CVE-2023-47039
  • Some basic information; mostly how it relates to cPanel
• securityonline.info:CVE-2023-47038 & CVE-2023-47039: Two flaws found in Perl programming language
  • The most detailed of what I found; but still only high level descriptions.
  • As an example, CVE-2023-47038 had this sort of level of information: "This vulnerability emerges when a specially crafted regular expression is compiled, leading to a buffer overflow in a heap-allocated buffer"

By way of comparison, these CVEs have, or link to, detailed discussions, workarounds, and such like: "CVE-2023-31484 (CPAN)" and "CVE-2023-31486 (HTTP::Tiny)".

Test::CVE

Somewhat tangentially, as part of my searching I came across the extremely new — its timestamp had "AN HOUR AGO" — Test::CVE authored by your good self.

This looks like something I may add to the list of Standardised Author Tests that I've written for $work.

I do note from the INCENTIVE section:

"The functionality explicitly limits to passive analysis: the is no active scanning of source code to find security vulnerabilities."

Would I be correct in assuming that this would pick up issues with CPAN and HTTP::Tiny, but not a problematic \p{...}?

An affirmative answer would not preclude its use as one of my Standardised Author Tests; I would just want to document this limitation. As an example, another of these types of tests uses Test::MinimumVersion and its limitations are noted.

---

---

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

• How do I compose an effective node title?
• How do I post a question effectively?
• Markup in the Monastery

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		&
	<		&lt;
	>		&gt;
	[		&#91;
	]		&#93;

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.