Bug 1187149 (CVE-2013-7422)

Summary: CVE-2013-7422 perl: segmentation fault in S_regmatch on negative backreference
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cweyl, iarnell, jplesnik, jrusnack, kasal, perl-devel, perl-maint-list, ppisar, psabata, rc040203, rmeggins, scorneli, tcallawa, vkaigoro, yozone
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: perl 5.19.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-16 13:58:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1187151    
Bug Blocks: 1187150    

Description Martin Prpič 2015-01-29 12:27:31 UTC 
An integer underflow flaw was discovered in the way Perl parsed regular expression backreferences. An attacker able to supply a crafted regular expression to a Perl application could possibly use this flaw to crash that application.

Reproducer:

$ perl -e '/\7777777777/'
Segmentation fault

Upstream issue:

https://rt.perl.org/Public/Bug/Display.html?id=119505

Upstream patch:

http://perl5.git.perl.org/perl.git/commitdiff/0c2990d652e985784f095bba4bc356481a66aa06
Comment 1 Martin Prpič 2015-01-29 12:29:09 UTC 
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1187151]
Comment 3 Stefan Cornelius 2015-03-05 13:15:41 UTC 
The code responsible for processing regular expression backreferences in regcomp.c did not properly handle large digit strings. An attacker able to pass specially crafted regular expressions containing large backreferences can exploit this issue to e.g. cause an application crash due to an out-of-bounds read caused by an array indexing error in the S_regmatch() function.

It's possible that this flaw may not affect 32bit platforms.

SUSE has previously fixed this via http://marc.info/?l=opensuse-commit&m=121933719424130, although this patch is different from the one used Perl upstream.

OSS post assigning the CVE:
http://www.openwall.com/lists/oss-security/2015/01/27/3
Comment 4 Vasyl Kaigorodov 2015-03-16 12:54:16 UTC 
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.