Bug 1492093 (CVE-2017-12883)

Summary: CVE-2017-12883 perl: Buffer over-read in regular expression parser
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alexl, caillon+fedoraproject, cbuissar, hhorak, iarnell, jorton, jplesnik, kasal, mbarnes, perl-devel, perl-maint-list, ppisar, psabata, rc040203, rhughes, sandmann, slawomir, tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: perl 5.24.3, perl 5.26.1, perl 5.27.4 Doc Type: If docs needed, set a value
Doc Text:
A heap buffer overread was found in perl's grok_bslash_N() function, which is used in the compilation of Unicode nodes in regular expressions, possibly leading to crash or dump of memory segments via the error output. An attacker, able to provide a specially crafted regular expression, could look for sensible information in the error message, or crash perl.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-25 15:36:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1492094    
Bug Blocks: 1489904, 1492097    

Description Adam Mariš 2017-09-15 12:47:19 UTC
For certain types of syntax error in a regular expression pattern, the error message could either contain the contents of a random, possibly large, chunk of memory, or could crash perl.

Upstream patch:

https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f

Bug report :

https://rt.perl.org/Public/Bug/Display.html?id=131598

Comment 1 Adam Mariš 2017-09-15 12:48:20 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1492094]

Comment 4 Cedric Buissart 2017-09-25 12:10:14 UTC
Statement:

Perl as shipped in Red Hat Enterprise Linux 7 and older have not been found to be vulnerable. This vulnerability was not present in perl versions older than 5.20.

Comment 5 Fedora Update System 2017-10-02 14:24:00 UTC
perl-5.26.1-401.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2017-10-02 16:21:46 UTC
perl-5.24.3-395.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2017-10-13 21:20:27 UTC
perl-5.24.3-389.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.