Bug 1837975 (CVE-2020-10543)

Summary: CVE-2020-10543 perl: heap-based buffer overflow in regular expression compiler leads to DoS
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: caillon+fedoraproject, cwarfiel, ekirby, iarnell, jplesnik, kasal, kyoshida, mmaslano, perl-devel, perl-maint-list, ppisar, rhughes, sandmann, security-response-team, snavale, spotrh, tvainio
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: perl 5.30.3, perl 5.28.3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-02 14:41:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1839272, 1839273, 1839274, 1844662, 1929869, 1933100, 1938328, 1972188, 1972189
Bug Blocks: 1838017

Description msiddiqu 2020-05-20 10:15:58 UTC
There is a heap buffer overflow in Perl's regular expression compiler
that overwrites memory allocated after the regular expression storage
space with attacker supplied data. The heap overflow occurs due to a
signed size_t integer overflow in the storage space calculations for
nested regular expression quantifiers.

Comment 1 msiddiqu 2020-05-20 10:17:45 UTC
Acknowledgments:

Name: ManhND (Tarantula Team), VinCSS (Vingroup)

Comment 7 Petr Pisar 2020-05-25 06:51:32 UTC
(In reply to Todd Cullum from comment #4)
> Mitigation:
> 
> To mitigate this flaw, developers should not pass untrusted or uncontrolled
> input data to the Perl regex engine for evaluation.

That's not correct. The flaw requires passing an untrusted regular expression to the Perl regex compiler. The flaw does not depend on the data (a subject text) being matched. And since the regular expressions in Perl can contain any arbitrary Perl code, supplying a user-provided regular expression has always been deemed a security risk.

Comment 10 Todd Cullum 2020-05-27 18:11:47 UTC
Mitigation:

To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.
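
As an added illustration of the mitigation stated in comments 7 and 10 (this is example code written for this page, not code from the bug report or from the perl project), the Perl script below keeps untrusted text out of the regex compiler in two ways: user input is either escaped with \Q...\E so it is matched as literal characters, or it merely selects one of the patterns the program itself compiled. The interpolating form that hands the user's string to the compiler is included for contrast, and a small version check compares the running perl against the upstream fixed versions named in this bug. The function names, the pattern table and the sample inputs are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of perl itself.
# Principle: the program decides which patterns get compiled; untrusted
# data only ever becomes literal match text or the subject string.
use strict;
use warnings;

# 1. Untrusted text as a literal. \Q...\E (quotemeta) escapes every regex
#    metacharacter, so a user string such as "(a+)*" is matched as those
#    six characters and never reaches the compiler as nested quantifiers.
sub literal_search {
    my ($haystack, $needle) = @_;
    return $haystack =~ /\Q$needle\E/ ? 1 : 0;
}

# 2. If users must choose a pattern, let them pick a *name* from a fixed
#    table of patterns compiled at startup; their string is never the regex.
#    (Constructed table; adjust to the application's needs.)
my %ALLOWED = (
    ipv4  => qr/^(?:\d{1,3}\.){3}\d{1,3}$/,
    email => qr/^[^@\s]+@[^@\s]+\.[^@\s]+$/,
    hex   => qr/^[0-9a-fA-F]+$/,
);

sub match_named_pattern {
    my ($name, $subject) = @_;
    my $re = $ALLOWED{$name} or die "unknown pattern name '$name'\n";
    return $subject =~ $re ? 1 : 0;
}

# 3. The unsafe form, for contrast only: the user's string IS the pattern
#    and is handed to the regex compiler, which is exactly what this CVE
#    requires. Interpolated patterns may also carry (?{ code }) blocks,
#    which run at match time when `use re 'eval'` is in effect.
sub unsafe_search {
    my ($haystack, $pattern) = @_;
    return $haystack =~ /$pattern/ ? 1 : 0;   # never with untrusted $pattern
}

# 4. Does the interpreter report a version at or past the upstream fixes
#    listed in this bug (5.28.3 on the 5.28 branch, 5.30.3 on the 5.30
#    branch)? $] is the numeric form, e.g. 5.030003. Distributions such as
#    RHEL backport the fix without changing the version, so a "0" here is a
#    reason to check the vendor advisory, not proof of exposure.
sub perl_has_upstream_fix {
    my ($v) = @_;
    $v = $] unless defined $v;
    return 1 if $v >= 5.030003;
    return 1 if $v >= 5.028003 && $v < 5.029;
    return 0;
}

unless (caller) {
    my $user = '(a+)*';   # constructed sample of attacker-shaped input
    print "literal '(a+)*' found in 'x(a+)*y': ", literal_search('x(a+)*y', $user), "\n";
    print "literal '(a+)*' found in 'aaaa':    ", literal_search('aaaa',    $user), "\n";
    print "ipv4 check on 192.0.2.1:            ", match_named_pattern('ipv4', '192.0.2.1'), "\n";
    print "hex check on 'zz':                  ", match_named_pattern('hex',  'zz'), "\n";
    print "this perl ($]) at/after upstream fix: ", perl_has_upstream_fix(), "\n";
}
```

Run it as a script to see the literal search find "(a+)*" only where those characters actually occur; on a perl reporting 5.30.3 or newer, or 5.28.3 on the 5.28 branch, the last line prints 1. The version check is only a hint about the upstream baseline; for RHEL and Fedora the errata listed below are authoritative.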

Comment 11 Todd Cullum 2020-05-27 18:42:09 UTC
The flaw is in the calculation of minimum heap storage space in the routine S_study_chunk() of regcomp.c which allows a ssize_t overflow to occur, producing a subsequent heap buffer overflow and out-of-bounds write of attacker-specified data.

Comment 14 msiddiqu 2020-06-06 01:27:16 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1844662]

Comment 19 errata-xmlrpc 2021-02-02 12:04:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0343 https://access.redhat.com/errata/RHSA-2021:0343

Comment 20 Product Security DevOps Team 2021-02-02 14:41:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10543

Comment 24 errata-xmlrpc 2021-03-16 14:56:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0883 https://access.redhat.com/errata/RHSA-2021:0883

Comment 25 errata-xmlrpc 2021-03-30 09:31:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:1032 https://access.redhat.com/errata/RHSA-2021:1032

Comment 26 errata-xmlrpc 2021-04-20 12:53:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:1266 https://access.redhat.com/errata/RHSA-2021:1266

Comment 27 errata-xmlrpc 2021-05-18 14:12:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1678 https://access.redhat.com/errata/RHSA-2021:1678

Comment 30 errata-xmlrpc 2021-07-20 22:10:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2792 https://access.redhat.com/errata/RHSA-2021:2792