Bug 1547779 (CVE-2018-6798)
| Summary: | CVE-2018-6798 perl: heap read overflow in regexec.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alexl, caillon+fedoraproject, cbuissar, hhorak, iarnell, jorton, jplesnik, kasal, mbarnes, mmaslano, perl-devel, perl-maint-list, ppisar, psabata, rhughes, sandmann, security-response-team, tcallawa |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | perl 5.26.2, perl 5.24.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A heap buffer over read flaw was found in the way Perl regular expression engine handled inputs with invalid UTF-8 characters. An attacker able to provide a specially crafted input to be matched against a regular expression could cause Perl interpreter to crash or disclose portion of its memory.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:40:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1561100, 1561101, 1561102, 1567777, 1567796 | ||
| Bug Blocks: | 1547784 | ||
|
Description
Laura Pardo
2018-02-21 22:49:34 UTC
Reproducer:
$ valgrind -- perl -e '"\xff" =~ /(?il)\x{100}|\x{100}/;'
==18228== Memcheck, a memory error detector
==18228== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==18228== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==18228== Command: perl -e "\\xff"\ =~\ /(?il)\\x{100}|\\x{100}/;
==18228==
==18228== Invalid read of size 1
==18228== at 0x499C4E5: Perl__byte_dump_string (in /usr/lib/libperl.so.5.26.1)
==18228== by 0x499CF02: Perl_utf8n_to_uvchr_error (in /usr/lib/libperl.so.5.26.1)
==18228== by 0x499D88D: Perl__force_out_malformed_utf8_message (in /usr/lib/libperl.so.5.26.1)
==18228== by 0x49A23CB: Perl__to_utf8_fold_flags (in /usr/lib/libperl.so.5.26.1)
==18228== by 0x4995499: ??? (in /usr/lib/libperl.so.5.26.1)
==18228== by 0x499A4AF: Perl_regexec_flags (in /usr/lib/libperl.so.5.26.1)
[...]
Perl 5 Porters published the fix for Perl 5.26.1 at: https://perl5.git.perl.org/perl.git/commitdiff/8e6f44c90c7fa1f63c19a44c45482b09a407e15b https://perl5.git.perl.org/perl.git/commitdiff/fa889a389ebb8e63782a3697775aa42c63a8f0cd https://perl5.git.perl.org/perl.git/commitdiff/8b80ce67ff257aaa36e47eaf4194d27a51595524 https://perl5.git.perl.org/perl.git/commitdiff/ae187cb6c87b079045274f298fdcf426e4a6404b and in Perl-5.26.2-RC1 and 5.24.4-RC1 tar balls. Created perl tracking bugs for this issue: Affects: fedora-all [bug 1567777] Statement: Versions of the perl interpreter older than 5.22 are not vulnerable. As a result, the versions of perl as shipped in Red Hat Enterprise Linux version 7, 6 and 5, as well as the versions of rh-perl520-perl as shipped with Red Hat Software Collections are not affected by this vulnerability. External References: https://rt.perl.org/Public/Bug/Display.html?id=132063 Acknowledgments: Name: Perl 5 Porters Upstream: Nguyen Duc Manh This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:1192 https://access.redhat.com/errata/RHSA-2018:1192 |