Bug 580605 (CVE-2010-1158)
Summary: | CVE-2010-1158 Perl: Stack overflow by processing a certain regular expression | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | | |
Severity: | low | | |
Priority: | low | | |
Version: | unspecified | CC: | bressers, mmaslano |
Keywords: | Security | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://bugs.gentoo.org/show_bug.cgi?id=313565 | | |
Doc Type: | Bug Fix | | |
Last Closed: | 2010-04-22 17:59:40 UTC | | |

Description
Jan Lieskovsky
2010-04-08 15:47:47 UTC
This is not an integer overflow, rather an expected behaviour / limitation of perl's regular expression engine. The regular expression matching function is called recursively for certain types of patterns (where a subexpression using a quantifier is nested inside another quantified expression), where long input can result in deep recursion and exhaustion of all stack memory (i.e. impact is limited to crash). The amount of stack memory available to the perl interpreter influences the size of input that must be provided to trigger the crash. Alternatively, the expression can be modified to avoid quantification nesting, or the program modified to limit the size of input passed to the regular expression engine.

This problem was addressed in perl 5.10, as noted in the perl5100delta man page:

  Engine de-recursivised

  The regular expression engine is no longer recursive, meaning that patterns that used to overflow the stack will either die with useful explanations, or run to completion, which, since they were able to blow the stack before, will likely take a very long time to happen. If you were experiencing the occasional stack overflow (or segfault) and upgrade to discover that now perl apparently hangs instead, look for a degenerate regex. (Dave Mitchell)

This is a significant change to the regex engine with possible trade-offs. As the risk of such a change is greater than the security impact of this flaw, there is no plan to backport this fix to already released products using older perl versions.

Commit de-recursivising regex engine:
http://perl5.git.perl.org/perl.git/commitdiff/95b2444054

I've not checked what other previous patches it may depend on, or what other additional fixes may be required.
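
The two workarounds named in the comment above (avoid nested quantification, or cap the input size) can be checked before a pattern reaches the engine. The following is an added example, not part of the bug report or of perl: a small Python audit helper that scans pattern source text. The function names and the `MAX_INPUT` value are assumptions for illustration.

```python
MAX_INPUT = 4096  # assumed cap, not from the bug report; size it to the stack limit

def quantifier_len(p, i):
    """Length of the quantifier starting at p[i] (*, +, ?, {n}, {n,}, {n,m}), else 0."""
    if i >= len(p):
        return 0
    if p[i] in "*+?":
        return 1
    if p[i] == "{":
        j = p.find("}", i)
        body = p[i + 1:j] if j != -1 else ""
        if body[:1].isdigit() and body.replace(",", "", 1).isdigit():
            return j - i + 1
    return 0

def has_nested_quantifier(p):
    """True if a quantified group contains another quantifier (conservative scan)."""
    open_groups = []  # one flag per open group: quantifier seen inside it?
    i = 0
    while i < len(p):
        c = p[i]
        if c == "\\":                      # escaped character: skip the pair
            i += 2
        elif c == "[":                     # character class: contents are literal
            i += 2 if p[i + 1:i + 2] == "^" else 1
            if p[i:i + 1] == "]":          # a leading ']' is a literal member
                i += 1
            while i < len(p) and p[i] != "]":
                i += 2 if p[i] == "\\" else 1
            i += 1
        elif c == "(":
            open_groups.append(False)
            i += 2 if p[i + 1:i + 2] == "?" else 1   # '(?' is a group modifier
        elif c == ")":
            inner = open_groups.pop() if open_groups else False
            if inner and quantifier_len(p, i + 1):
                return True                # quantified group with quantifier inside
            i += 1
        else:
            n = quantifier_len(p, i)
            if n:                          # mark every enclosing open group
                open_groups = [True] * len(open_groups)
            i += n or 1
    return False

def allow_match(pattern, input_len, max_len=MAX_INPUT):
    """Policy: nested-quantifier patterns may only see inputs up to max_len."""
    return not has_nested_quantifier(pattern) or input_len <= max_len
```

The scan is deliberately conservative: it also flags an outer `?`, so a flagged pattern is a candidate for review rather than proof of deep recursion.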