Upstream reports that they were given a report of stack memory exhaustion through deep recursion in the Data::Dumper extension. Original report below:

Issue Description
=================

During internal development a stack overflow was discovered. The cause of the overflow lies in the Data::Dumper extension which is part of Perl-Core. By using the "Dumper" method on a large Array-Reference which recursively contains other Array-References, it is possible to cause many recursive calls to the DD_dump native function and ultimately exhaust all available stack memory.

Impact
======

When the runtime stack grows over the maximal size, a guard page on most modern operating systems is hit, causing the Perl interpreter to crash. Depending on context, code execution might be possible if special circumstances are met on some architectures.

Temporary Workaround and Fix
============================

Applications written in Perl should make sure that no unnecessary large array references in terms of recursion are created. On the side of Perl it should be investigated if the DD_dump function can be implemented iteratively instead of recursively.
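The workaround in the report above (do not hand Dumper array references that are nested too deeply) can be enforced in application code before the call. The following is an added example, not part of the bug report or of Data::Dumper; `exceeds_depth`, `safe_dumper` and the limit of 500 are assumptions made for illustration.

```perl
use strict;
use warnings;
use Data::Dumper;
use Scalar::Util qw(reftype refaddr);

# Hypothetical limit chosen for this example; tune it to the available stack.
my $MAX_DEPTH = 500;

# Walk the structure with an explicit work list, so the check itself cannot
# exhaust the stack. Returns true as soon as a branch nests deeper than $limit.
sub exceeds_depth {
    my ($root, $limit) = @_;
    my @todo = ([$root, 1]);
    my %seen;    # each reference is descended into once, so cycles terminate
    while (my $item = pop @todo) {
        my ($node, $depth) = @$item;
        next unless ref $node;
        return 1 if $depth > $limit;
        next if $seen{ refaddr($node) }++;
        my $type = reftype($node);
        my @kids = $type eq 'ARRAY' ? @$node
                 : $type eq 'HASH'  ? values %$node
                 : $type eq 'REF'   ? ($$node)
                 :                    ();
        # Reverse so that the first child is popped (visited) first.
        push @todo, map { [$_, $depth + 1] } reverse @kids;
    }
    return 0;
}

# Dump only structures that pass the depth check; die otherwise.
sub safe_dumper {
    my ($data) = @_;
    die "refusing to dump: nested deeper than $MAX_DEPTH levels\n"
        if exceeds_depth($data, $MAX_DEPTH);
    return Dumper($data);
}

# Constructed inputs: one shallow structure, one nested 2000 levels deep.
my $shallow = { users => [ { name => 'a' }, { name => 'b' } ] };
my $deep    = [];
$deep = [$deep] for 1 .. 2_000;

print safe_dumper($shallow);
print eval { safe_dumper($deep) } // "rejected: $@";
```

The shallow structure is dumped normally; the deep one is rejected before Data::Dumper is ever called.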
Created attachment 935700: Upstream provided patch

Attaching upstream patch
Upstream bug report (currently not public): https://rt.perl.org/Public/Bug/Display.html?id=122111
Acknowledgements: Red Hat would like to thank Ricardo Signes for reporting this issue. Upstream acknowledges Markus Vervier of LSE Leading Security Experts as the original reporter.
This issue is public now:

http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg220118.html
http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304

Created perl-Data-Dumper tracking bugs for this issue:

Affects: fedora-all [bug 1144903]
Affects: epel-all [bug 1144904]
Could you please create tracking bugs also for RHEL 7 and RHSCL?
perl-Data-Dumper-2.154-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
perl-Data-Dumper-2.154-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue affects the versions of perl as shipped with Red Hat Enterprise Linux 6 and the versions of perl-Data-Dumper as shipped with Red Hat Enterprise Linux 7. A future update may address this issue. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-4330