Bug 694166 (CVE-2010-4777)

Summary: CVE-2010-4777 perl: assertion failure with certain regular expressions
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cweyl, iarnell, kasal, lkundrak, mmaslano, perl-maint-list, ppisar, psabata, rc040203, tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-07 18:17:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2011-04-06 16:22:58 UTC 
It was reported [1] that perl suffers from an assertion failure in certain regular expressions.  This could cause crashes in certain programs, such as OCSInventory [2] and SpamAssassin [3].

[1] http://rt.perl.org/rt3/Public/Bug/Display.html?id=76538
[2] http://forums.ocsinventory-ng.org/viewtopic.php?id=7215
[3] https://listi.jpberlin.de/pipermail/postfixbuch-users/2011-February/055885.html
Comment 1 Vincent Danen 2011-04-06 16:29:14 UTC 
I am unable to reproduce this on Fedora 14, RHEL6, RHEL5, or RHEL4.  Using the reproducer from http://rt.perl.org/rt3/Ticket/Attachment/548804/260938/ I get no crashes:

% perl sample3.pl
XML::Twig ok

Our versions look like they _should_ be affected, but for some reason we're not seeing the assertion failures at all.  I've tried with all three samples.

We do not build perl with -g, so I do not believe assertion checks are enabled.  Can someone comment as to why we are not seeing these assertion failures?  I do believe this is a non-issue for us, but would like to understand why.
Comment 2 Petr Pisar 2011-04-07 08:43:38 UTC 
We do not see assertions because they are disabled. The Configure -DDEBUGGING=-g option switches compiler debugging data generation on but does not define DEBUGGING symbol needed to enable asserts (perl.h:3880).

If you want to enable asserts, you need to Configure -DDEBUGGING=both (Configure:5080). Then I get assertion abort with second case from [1]:

$ LANG=en_US.UTF-8 LD_LIBRARY_PATH=$PWD ./perl ~petr/perl/assertion_bug-CVE-2010-4777/case1 
perl: regcomp.c:5199: Perl_reg_numbered_buff_fetch: Assertion `rx->sublen >= (s - rx->subbeg) + i' failed.
Neúspěšně ukončen (SIGABRT) (core dumped [obraz paměti uložen])

Asserts are not enabled because of performance penalty.
Comment 3 Vincent Danen 2011-04-07 18:17:35 UTC 
Thanks for that explanation, Petr.

Statement:

Not vulnerable.  This issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not have asserts enabled.