Bug 1492093 - (CVE-2017-12883) CVE-2017-12883 perl: Buffer over-read in regular expression parser
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170912,repor...
Keywords: Security
Depends On: 1492094
Blocks: 1489904 1492097
Reported: 2017-09-15 08:47 EDT by Adam Mariš
Modified: 2017-10-13 17:20 EDT
Fixed In Version: perl 5.24.3, perl 5.26.1, perl 5.27.4
Doc Text:
A heap buffer over-read was found in perl's grok_bslash_N() function, which is used in the compilation of Unicode nodes in regular expressions, possibly leading to a crash or a dump of memory segments via the error output. An attacker able to provide a specially crafted regular expression could look for sensitive information in the error message, or crash perl.
Last Closed: 2017-09-25 11:36:55 EDT
Description Adam Mariš 2017-09-15 08:47:19 EDT
For certain types of syntax error in a regular expression pattern, the error message could either contain the contents of a random, possibly large, chunk of memory, or could crash perl.

Upstream patch:

https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f

Bug report:

https://rt.perl.org/Public/Bug/Display.html?id=131598
Comment 1 Adam Mariš 2017-09-15 08:48:20 EDT
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1492094]
Comment 4 Cedric Buissart 2017-09-25 08:10:14 EDT
Statement:

Perl as shipped in Red Hat Enterprise Linux 7 and older has not been found to be vulnerable. This vulnerability was not present in perl versions older than 5.20.
Comment 5 Fedora Update System 2017-10-02 10:24:00 EDT
perl-5.26.1-401.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2017-10-02 12:21:46 EDT
perl-5.24.3-395.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2017-10-13 17:20:27 EDT
perl-5.24.3-389.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
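
A version triage check built from the thresholds in this record (an added example, not code from the bug report or from perl). The function names and the sample inventory are constructed for illustration, and treating series newer than 5.27 as fixed is an assumption.

```python
import re

# Thresholds from this bug record: "Fixed In Version: perl 5.24.3, perl 5.26.1,
# perl 5.27.4" and "not present in perl versions older than 5.20".
FIRST_AFFECTED = (5, 20, 0)
FIXED_IN_SERIES = {(5, 24): 3, (5, 26): 1, (5, 27): 4}
LAST_SERIES_WITH_LISTED_FIX = (5, 27)

# Matches the upstream x.y.z part of "v5.26.0", "5.24.2" or an RPM name
# such as "perl-5.24.3-395.fc26" (release and dist tags are ignored).
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_perl_version(text):
    """Return (major, minor, patch) found in a version or package string."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no perl version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Classify a perl version as 'not-affected', 'affected' or 'fixed'."""
    version = parse_perl_version(text)
    if version < FIRST_AFFECTED:
        return "not-affected"
    series = version[:2]
    if series in FIXED_IN_SERIES:
        return "fixed" if version[2] >= FIXED_IN_SERIES[series] else "affected"
    # Assumption: series newer than 5.27 descend from the fixed 5.27.4 code.
    if series > LAST_SERIES_WITH_LISTED_FIX:
        return "fixed"
    # 5.20-5.23 and 5.25: inside the affected range, no fixed release listed.
    return "affected"


def triage(inventory):
    """Map each host in {host: version string} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory; the two package names are the Fedora updates
# quoted in the comments above, the other entries are made up.
SAMPLE_INVENTORY = {
    "host-a": "perl 5.16.3",
    "host-b": "v5.26.0",
    "host-c": "perl-5.26.1-401.fc27",
    "host-d": "perl-5.24.3-395.fc26",
    "host-e": "5.22.4",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A result of `affected` reflects the upstream version string only; distribution packages can carry backported fixes, so confirm it against the vendor's advisory for that package.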
