Bug 1547779 (CVE-2018-6798) - CVE-2018-6798 perl: heap read overflow in regexec.c
Summary: CVE-2018-6798 perl: heap read overflow in regexec.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-6798
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1561100 1561101 1561102 1567777 1567796
Blocks: 1547784
 
Reported: 2018-02-21 22:49 UTC by Laura Pardo
Modified: 2021-02-17 00:47 UTC

Fixed In Version: perl 5.26.2, perl 5.24.4
Doc Type: If docs needed, set a value
Doc Text:
A heap buffer over-read flaw was found in the way the Perl regular expression engine handled inputs containing invalid UTF-8 characters. An attacker able to supply specially crafted input to be matched against a regular expression could cause the Perl interpreter to crash or disclose a portion of its memory.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:40:46 UTC
Embargoed:



Links
Red Hat Product Errata RHSA-2018:1192 (private: no; priority, status, summary: none; last updated 2018-04-23 06:50:36 UTC)

Description Laura Pardo 2018-02-21 22:49:34 UTC
A flaw was found in Perl 5. A heap read overflow in the regexec.c file may allow an attacker to cause a segmentation fault, which might lead to a Denial of Service (DoS) or, possibly, heap memory disclosure.

Matching a crafted locale dependent regular expression can cause a heap buffer read overflow and potentially information disclosure while reporting an error message. That error message includes bytes beyond the end of the string, and possibly beyond the end of the buffer, providing a potential information disclosure if the memory had contained any sensitive information.

Comment 1 Petr Pisar 2018-02-22 13:33:36 UTC
Reproducer:

$ valgrind -- perl -e '"\xff" =~ /(?il)\x{100}|\x{100}/;' 
==18228== Memcheck, a memory error detector
==18228== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==18228== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==18228== Command: perl -e "\\xff"\ =~\ /(?il)\\x{100}|\\x{100}/;
==18228== 
==18228== Invalid read of size 1
==18228==    at 0x499C4E5: Perl__byte_dump_string (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x499CF02: Perl_utf8n_to_uvchr_error (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x499D88D: Perl__force_out_malformed_utf8_message (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x49A23CB: Perl__to_utf8_fold_flags (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x4995499: ??? (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x499A4AF: Perl_regexec_flags (in /usr/lib/libperl.so.5.26.1)
[...]

Comment 11 Cedric Buissart 2018-04-16 08:06:28 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1567777]

Comment 13 Cedric Buissart 2018-04-16 09:43:33 UTC
Statement:

Versions of the perl interpreter older than 5.22 are not vulnerable. As a result, the versions of perl shipped in Red Hat Enterprise Linux versions 7, 6, and 5, as well as the versions of rh-perl520-perl shipped with Red Hat Software Collections, are not affected by this vulnerability.

Comment 14 Cedric Buissart 2018-04-16 09:43:43 UTC
External References:

https://rt.perl.org/Public/Bug/Display.html?id=132063

Comment 18 Cedric Buissart 2018-04-18 14:31:59 UTC
Acknowledgments:

Name: Perl 5 Porters
Upstream: Nguyen Duc Manh

Comment 19 errata-xmlrpc 2018-04-23 06:50:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:1192 https://access.redhat.com/errata/RHSA-2018:1192

