Bug 580605 (CVE-2010-1158)

Summary: CVE-2010-1158 Perl: Stack overflow by processing a certain regular expression
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: bressers, mmaslano
Keywords: Security
Hardware: All
OS: Linux
URL: http://bugs.gentoo.org/show_bug.cgi?id=313565
Doc Type: Bug Fix
Last Closed: 2010-04-22 17:59:40 UTC

Description Jan Lieskovsky 2010-04-08 15:47:47 UTC
Bruce Merry reported:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=313565

an integer overflow, leading to a stack overflow, in the way the
Perl regular expression engine processed certain regular
expression(s). A remote attacker could use this flaw to cause
a denial of service (crash of an application using the
Perl regular expression engine).

Public PoC from [1]:
--------------------
  perl -e 'if ((("a " x 100000) . "a\n") =~ /\A\S+(?: \S+)*\n\z/) {}'

Comment 2 Tomas Hoger 2010-04-22 17:59:40 UTC
This is not an integer overflow, rather an expected behaviour / limitation of perl's regular expression engine.  The regular expression matching function is called recursively for certain types of patterns (where a subexpression using a quantifier is nested inside another quantified expression), where long input can result in deep recursion and exhaustion of all stack memory (i.e. impact is limited to a crash).  The amount of stack memory available to the perl interpreter influences the size of input that must be provided to trigger the crash.  Alternatively, the expression can be modified to avoid quantification nesting, or the program modified to limit the size of input passed to the regular expression engine.

This problem was addressed in perl 5.10, as noted in perl5100delta man page:

  Engine de-recursivised

  The regular expression engine is no longer recursive, meaning that patterns
  that used to overflow the stack will either die with useful explanations, or
  run to completion, which, since they were able to blow the stack before, will
  likely take a very long time to happen. If you were experiencing the
  occasional stack overflow (or segfault) and upgrade to discover that now perl
  apparently hangs instead, look for a degenerate regex. (Dave Mitchell)

This is a significant change to the regex engine with possible trade-offs.  As the risk of such a change is greater than the security impact of this flaw, there is no plan to backport this fix to already released products using older perl versions.
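The two mitigations named in the comment above (capping input size, and rewriting the check so no quantified group is nested inside another quantifier), applied to the pattern from the PoC. This is an added illustration, not code from the bug report or from perl; the 4096-byte limit is an assumed value.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The PoC pattern nests a quantified group inside a quantified expression:
#   /\A\S+(?: \S+)*\n\z/
# On the pre-5.10 recursive engine every iteration of (?: \S+)* costs a
# stack frame, so a long enough line exhausts the stack and crashes perl.

# Mitigation 1: cap the input size before it reaches the regex engine.
my $MAX_LEN = 4096;   # assumed limit; tune for the application

# Mitigation 2: check the same language ("non-space tokens separated by
# single spaces, terminated by a newline") with a few non-nested, linear
# patterns instead of one pattern with nested quantifiers.
sub is_token_line {
    my ($line) = @_;
    return 0 if length($line) > $MAX_LEN;        # reject oversized input
    return 0 unless substr($line, -1) eq "\n";   # must end with a newline
    my $body = substr($line, 0, -1);
    return 0 if $body eq '';                     # \S+ needs at least one char
    return 0 if $body =~ /[^\S ]/;               # whitespace other than ' '
    return 0 if $body =~ /\A /;                  # leading space
    return 0 if $body =~ / \z/;                  # trailing space
    return 0 if $body =~ /  /;                   # two spaces in a row
    return 1;                                    # tokens separated by 1 space
}

# Constructed inputs: a valid line, two invalid ones, and the PoC's
# 100000-token line, which is now rejected by the length cap rather than
# handed to the regex engine.
my @cases = (
    "a b c\n",
    "a  b\n",
    "a b \n",
    ("a " x 100000) . "a\n",
);
printf "%-8s %s\n", (is_token_line($_) ? 'valid' : 'invalid'),
    (length($_) > 20 ? length($_) . ' bytes' : $_) for @cases;
```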

Comment 3 Tomas Hoger 2010-04-22 18:02:59 UTC
Commit de-recursivising regex engine:
  http://perl5.git.perl.org/perl.git/commitdiff/95b2444054

I've not checked what other previous patches it may depend on, or what other additional fixes may be required.