Bug 1492091 (CVE-2017-12837) - CVE-2017-12837 perl: Heap buffer overflow in regular expression compiler
Summary: CVE-2017-12837 perl: Heap buffer overflow in regular expression compiler
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-12837
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1492094
Blocks: 1489904 1492097
TreeView+ depends on / blocked
 
Reported: 2017-09-15 12:44 UTC by Adam Mariš
Modified: 2019-09-29 14:22 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A heap write buffer overflow was found in perl's S_regatom() function, which is used in the compilation of regular expressions, resulting in the crash of the perl interpreter. An attacker, able to provide a specially crafted regular expression, could cause a denial of service.
Clone Of:
Environment:
Last Closed: 2017-09-25 15:37:50 UTC


Attachments (Terms of Use)

Description Adam Mariš 2017-09-15 12:44:58 UTC
Compiling certain regular expression patterns with the case-insensitive modifier could cause a heap buffer overflow and crash perl.

Upstream patch:

https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5

Bug report :

https://rt.perl.org/Public/Bug/Display.html?id=131582

Comment 1 Adam Mariš 2017-09-15 12:48:34 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1492094]

Comment 2 Cedric Buissart 🐶 2017-09-25 15:18:13 UTC
Statement:

This issue does not affect perl versions older than 5.18. Perl as shipped in Red Hat Enterprise Linux 7 and older are not affected by this vulnerability.

Comment 4 Cedric Buissart 🐶 2017-09-25 15:38:03 UTC
Acknowledgments:

Name: Sawyer X (Perl)

Comment 5 Fedora Update System 2017-10-02 14:23:47 UTC
perl-5.26.1-401.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2017-10-02 16:21:34 UTC
perl-5.24.3-395.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2017-10-13 21:20:16 UTC
perl-5.24.3-389.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.