Bug 2234416 (CVE-2022-48522)

Summary: CVE-2022-48522 perl: stack-based crash in S_find_uninit_var()
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: perl 5.35.5, perl 5.34.1
Doc Text:
A flaw was found in the S_find_uninit_var() function in sv.c in Perl. Crafted input can make this function recurse without bound, exhausting the process stack and crashing the interpreter. An attacker able to feed such input to an affected Perl program could use this to cause a denial of service.
Story Points: ---
Clone Of:
Last Closed:
Regression: ---
Documentation: ---
Verified Versions:
oVirt Team: ---
Cloudforms Team: ---
Embargoed:
Bug Depends On: 2234417, 2234418, 2234419, 2234420
Bug Blocks: 2234421

Reporter: Mauro Matteo Cascella <mcascell>
Assignee: Product Security <prodsec-ir-bot>
QA Contact:
Docs Contact:
CC: jplesnik, mspacek, perl-maint-list
Keywords: Security
Doc Type: If docs needed, set a value
Environment:
Type: ---
Mount Type: ---
CRM:
Category: ---
RHEL 7.3 requirements from Atomic Host:
Target Upstream Version:

Description Mauro Matteo Cascella 2023-08-24 10:52:06 UTC
NVD description: In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-48522
https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345

Comment 1 Mauro Matteo Cascella 2023-08-24 10:53:54 UTC
According to Debian [1] this "might be related to https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2032667 which is just an infinite recursion exhausting the stack, with negligible security impact."

Upstream issue & fix:
https://github.com/Perl/perl5/issues/19147
https://github.com/Perl/perl5/commit/23cca2d1f4544cb47f1124d98c308ce1f31f09a6 (v5.35.5)

[1] https://security-tracker.debian.org/tracker/CVE-2022-48522

Comment 3 Jitka Plesnikova 2023-08-24 13:00:10 UTC
Due to the comment:
https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2032667/comments/1

The code was broken around devel release 5.33.1. It was fixed around 5.35.5 and also added to 5.34.1. 
RHEL 8 and RHEL 9 contain only perl versions 5.26, 5.30, 5.32. These versions are not affected.
I was not able to reproduce the issue there.

I reproduced it only with perl 5.34.0.
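
Comment 3 pins down the affected range (broken around devel release 5.33.1, fixed in 5.35.5 and backported to 5.34.1) and notes that the 5.26/5.30/5.32 builds shipped in RHEL 8 and 9 predate the bug. The triage helper below is an added example, not part of this bug report or of the perl project. It encodes that range as an assumption (taking 5.33.1 as the first broken release and treating 5.36 and later as fixed, since they branched from blead after 5.35.5), parses the version forms perl itself prints ($] as 5.034000, or the dotted form in the perl -v banner), and reports whether the installed interpreter falls inside the range.

```python
"""Triage helper for CVE-2022-48522 (perl S_find_uninit_var() stack exhaustion).

Added example, not part of the bug report or of perl itself.  The affected
range is an ASSUMPTION derived from comment 3: broken around devel release
5.33.1, fixed in 5.35.5 and backported to 5.34.1; 5.36 and later are treated
as fixed because they branched from blead after 5.35.5.
"""
import re
import subprocess
from typing import Tuple

Version = Tuple[int, int, int]

FIRST_BROKEN: Version = (5, 33, 1)   # assumed first broken devel release
FIXED_MAINT: Version = (5, 34, 1)    # backport on the 5.34 maintenance branch
FIXED_DEVEL: Version = (5, 35, 5)    # fix on the 5.35 development branch


def parse_perl_version(text: str) -> Version:
    """Parse the forms perl itself emits: a dotted 'v5.34.0' / '5.34.0'
    (also found inside the `perl -v` banner) or the numeric $] form '5.034000'."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # $] packs minor and patch level as three digits each: 5.034000 == 5.34.0
    m = re.fullmatch(r"\s*(\d+)\.(\d{3})(\d{3})\s*", text)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    raise ValueError(f"unrecognised perl version: {text!r}")


def is_affected(v: Version) -> bool:
    """True when v lies inside the range the report describes as broken."""
    if v < FIRST_BROKEN:
        return False                 # 5.26/5.30/5.32 (RHEL 8 and 9) never had the bug
    if v[:2] == (5, 33):
        return True                  # devel releases from 5.33.1 on
    if v[:2] == (5, 34):
        return v < FIXED_MAINT       # 5.34.0 affected, 5.34.1 carries the backport
    if v[:2] == (5, 35):
        return v < FIXED_DEVEL       # 5.35.0 .. 5.35.4 devel releases
    return False                     # 5.36 and later: assumed fixed (post-5.35.5 blead)


def triage(text: str) -> str:
    """One-line verdict for a version string, e.g. the output of `perl -e 'print $]'`."""
    v = parse_perl_version(text)
    state = "AFFECTED" if is_affected(v) else "not affected"
    return "perl %d.%d.%d: %s (CVE-2022-48522)" % (v[0], v[1], v[2], state)


if __name__ == "__main__":
    # Ask the local interpreter for $] and classify it.
    try:
        out = subprocess.run(["perl", "-e", "print $]"],
                             capture_output=True, text=True, check=True).stdout
        print(triage(out))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not run perl:", exc)
```

Run it on the host to be triaged; it shells out to perl -e 'print $]'. Distribution packages may carry the backported fix without a version bump, so treat an AFFECTED verdict as a prompt to check the package changelog (for example rpm -q --changelog perl) rather than as proof of exposure.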

Comment 4 TEJ RATHI 2023-08-24 13:11:55 UTC
Yes, just verified our codebase against the patch; indeed we are not affected, you can close the bugs. I am setting NOT-AFFECTED. Thanks.