A flaw was found in Perl 5. A heap read overflow in the regexec.c file may allow an attacker to cause a segmentation fault, leading to a denial of service (DoS) or, possibly, disclosure of heap memory. Matching a crafted locale-dependent regular expression can cause a heap buffer read overflow while the interpreter builds the error message for a malformed UTF-8 sequence: that message includes bytes beyond the end of the string, and possibly beyond the end of the buffer, so it can disclose sensitive data that happened to be in memory.
Reproducer:

$ valgrind -- perl -e '"\xff" =~ /(?il)\x{100}|\x{100}/;'
==18228== Memcheck, a memory error detector
==18228== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==18228== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==18228== Command: perl -e "\\xff"\ =~\ /(?il)\\x{100}|\\x{100}/;
==18228==
==18228== Invalid read of size 1
==18228==    at 0x499C4E5: Perl__byte_dump_string (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x499CF02: Perl_utf8n_to_uvchr_error (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x499D88D: Perl__force_out_malformed_utf8_message (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x49A23CB: Perl__to_utf8_fold_flags (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x4995499: ??? (in /usr/lib/libperl.so.5.26.1)
==18228==    by 0x499A4AF: Perl_regexec_flags (in /usr/lib/libperl.so.5.26.1)
[...]
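The valgrind trace shows the invalid read happening inside Perl__byte_dump_string while the malformed-UTF-8 error message is being formatted, not in the matcher itself. The following is an added, simplified C model of that bug class; it is not Perl's code and not the upstream fix. It contrasts a hex-dumper that trusts the length announced by a UTF-8 start byte (the vulnerable shape) with one clamped to the bytes actually remaining in the string (the hardened shape). The one-byte subject "\xff" comes from the reproducer; the "SECRET-TOKEN" bytes placed after it, the 32-byte backing buffer, the announced length of 13 for 0xF8..0xFF start bytes, and the function names are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* How many bytes a UTF-8 start byte announces.  Lenient decoders accept
 * extended forms for 0xF8..0xFF; this model uses 13 for them (assumption:
 * the exact figure does not matter, only that it exceeds the data present). */
static size_t announced_len(unsigned char b)
{
    if (b < 0x80)           return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 13;
}

/* Append one byte as "xx" (space-separated after the first); returns new length. */
static size_t hex_append(char *out, size_t outsz, size_t used, unsigned char b)
{
    if (used + 4 > outsz)               /* up to 3 chars plus the NUL */
        return used;
    int n = snprintf(out + used, outsz - used, "%s%02x", used ? " " : "", b);
    return used + (size_t)n;
}

/* Vulnerable shape: dumps as many bytes as the start byte announces and never
 * consults the end of the string, so a truncated sequence at the end of the
 * subject makes it read, and print, whatever lies beyond it. */
static size_t dump_malformed_naive(const unsigned char *s, char *out, size_t outsz)
{
    size_t want = announced_len(s[0]), used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < want; i++)
        used = hex_append(out, outsz, used, s[i]);
    return want;
}

/* Hardened shape: clamp the dump to the bytes actually present before `end`. */
static size_t dump_malformed_bounded(const unsigned char *s, const unsigned char *end,
                                     char *out, size_t outsz)
{
    size_t want  = announced_len(s[0]);
    size_t avail = (size_t)(end - s);
    size_t n     = want < avail ? want : avail;
    size_t used  = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        used = hex_append(out, outsz, used, s[i]);
    return n;
}

/* Constructed sample: the one-byte subject "\xff" followed, inside the same
 * allocation, by bytes standing in for unrelated heap data.  In real Perl the
 * bytes past the subject belong to whatever neighbours the string on the heap,
 * which is exactly what valgrind flagged as an invalid read. */
#define SUBJECT_LEN 1
static const unsigned char *sample_heap(void)
{
    static unsigned char heap[32];
    memset(heap, 0, sizeof heap);
    heap[0] = 0xff;
    memcpy(heap + SUBJECT_LEN, "SECRET-TOKEN", 12);
    return heap;
}

/* Returns the number of bytes the naive dumper emitted into `out`. */
size_t leak_naive(char *out, size_t outsz)
{
    return dump_malformed_naive(sample_heap(), out, outsz);
}

/* Returns the number of bytes the bounded dumper emitted into `out`. */
size_t leak_bounded(char *out, size_t outsz)
{
    const unsigned char *h = sample_heap();
    return dump_malformed_bounded(h, h + SUBJECT_LEN, out, outsz);
}

int main(void)
{
    char out[128];
    size_t n = leak_naive(out, sizeof out);
    printf("naive   (%zu bytes): %s\n", n, out);
    n = leak_bounded(out, sizeof out);
    printf("bounded (%zu bytes): %s\n", n, out);
    return 0;
}
```

The naive dumper reports 13 bytes and its output contains the hex of "SECRET-TOKEN"; the bounded dumper reports a single byte, "ff". The model keeps the over-read inside one allocation so it runs cleanly; with the real interpreter the same over-read crosses the allocation boundary, which is why the reproducer is run under valgrind.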
Perl 5 Porters published the fix for Perl 5.26.1 at:

https://perl5.git.perl.org/perl.git/commitdiff/8e6f44c90c7fa1f63c19a44c45482b09a407e15b
https://perl5.git.perl.org/perl.git/commitdiff/fa889a389ebb8e63782a3697775aa42c63a8f0cd
https://perl5.git.perl.org/perl.git/commitdiff/8b80ce67ff257aaa36e47eaf4194d27a51595524
https://perl5.git.perl.org/perl.git/commitdiff/ae187cb6c87b079045274f298fdcf426e4a6404b

and in the Perl-5.26.2-RC1 and 5.24.4-RC1 tarballs.
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1567777]
Statement: Versions of the perl interpreter older than 5.22 are not vulnerable. As a result, the versions of perl shipped in Red Hat Enterprise Linux 7, 6 and 5, as well as the versions of rh-perl520-perl shipped with Red Hat Software Collections, are not affected by this vulnerability.
External References: https://rt.perl.org/Public/Bug/Display.html?id=132063
Acknowledgments:

Name: Perl 5 Porters
Upstream: Nguyen Duc Manh
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:1192 https://access.redhat.com/errata/RHSA-2018:1192