Bug 895542

Summary: perl: Double-free when loading Digest::SHA object representing the intermediate SHA state from a file
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cweyl, iarnell, jplesnik, kasal, lkundrak, mmaslano, perl-devel, perl-maint-list, ppisar, psabata, rc040203, tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Digest-SHA-5.81 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-16 10:28:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 895543    
Bug Blocks: 895547    

Description Jan Lieskovsky 2013-01-15 13:46:37 UTC 
A double-free flaw was found in the way Digest::SHA module, Perl extension for the SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms, performed loading of a Digest::SHA object representing the intermediate SHA state from a file. If a Perl application, using Digest::SHA module, allowed an attacker to load custom Digest::SHA objects from a file via the Digest::SHA module, a local attacker could use this flaw to cause that application crash or, potentially, execute arbitrary code with the privileges of the user running that application.

Upstream bug report:
[1] https://rt.cpan.org/Public/Bug/Display.html?id=82655

Upstream Digest-SHA-5.80 vs Digest-SHA-5.81 diff:
[2] https://metacpan.org/diff/release/MSHELOR/Digest-SHA-5.80/MSHELOR/Digest-SHA-5.81

References:
[3] http://www.openwall.com/lists/oss-security/2013/01/15/5
Comment 1 Jan Lieskovsky 2013-01-15 13:48:51 UTC 
This issue did NOT affect the version of the perl package, as shipped with Red Hat Enterprise Linux 5.

--

This issue affects the version of the perl package,as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the perl package, as shipped with Fedora release of 16 and 17. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-01-15 13:49:35 UTC 
Created perl tracking bugs for this issue

Affects: fedora-all [bug 895543]
Comment 3 Jan Lieskovsky 2013-01-15 14:03:12 UTC 
Public reproducer information (from upstream bug [1]):
------------------------------------------------------
$ perl -MDigest::SHA -e 'my $d = Digest::SHA->new(256); $d->load("x");'
Comment 4 Jan Lieskovsky 2013-01-16 10:28:09 UTC 
Based on http://www.openwall.com/lists/oss-security/2013/01/16/1 this issue would not be considered to be a security flaw. Closing as such (and will re-open if more details become available later).