1492091 – (CVE-2017-12837) CVE-2017-12837 perl: Heap buffer overflow in regular expression compiler

Bug 1492091 (CVE-2017-12837) - CVE-2017-12837 perl: Heap buffer overflow in regular expression compiler

Summary: CVE-2017-12837 perl: Heap buffer overflow in regular expression compiler

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-12837
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1492094
Blocks:	1489904 1492097
TreeView+	depends on / blocked

Reported:	2017-09-15 12:44 UTC by Adam Mariš
Modified:	2021-02-17 01:29 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A heap write buffer overflow was found in perl's S_regatom() function, which is used in the compilation of regular expressions, resulting in the crash of the perl interpreter. An attacker, able to provide a specially crafted regular expression, could cause a denial of service.
Clone Of:
Environment:
Last Closed:	2017-09-25 15:37:50 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2017-09-15 12:44:58 UTC

Compiling certain regular expression patterns with the case-insensitive modifier could cause a heap buffer overflow and crash perl.

Upstream patch:

https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5

Bug report :

https://rt.perl.org/Public/Bug/Display.html?id=131582

Comment 1 Adam Mariš 2017-09-15 12:48:34 UTC

Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1492094]

Comment 2 Cedric Buissart 2017-09-25 15:18:13 UTC

Statement:

This issue does not affect perl versions older than 5.18. Perl as shipped in Red Hat Enterprise Linux 7 and older are not affected by this vulnerability.

Comment 4 Cedric Buissart 2017-09-25 15:38:03 UTC

Acknowledgments:

Name: Sawyer X (Perl)

Comment 5 Fedora Update System 2017-10-02 14:23:47 UTC

perl-5.26.1-401.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2017-10-02 16:21:34 UTC

perl-5.24.3-395.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2017-10-13 21:20:16 UTC

perl-5.24.3-389.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.