Bug 1837975 (CVE-2020-10543) - CVE-2020-10543 perl: heap-based buffer overflow in regular expression compiler leads to DoS
Summary: CVE-2020-10543 perl: heap-based buffer overflow in regular expression compile...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1839272 1839273 1839274 1844662 1929869 1933100 1938328 1972188 1972189
Blocks: 1838017
TreeView+ depends on / blocked
 
Reported: 2020-05-20 10:15 UTC by msiddiqu
Modified: 2021-07-20 22:10 UTC (History)
17 users (show)

Fixed In Version: perl 5.30.3, perl 5.28.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-02 14:41:38 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0343 0 None None None 2021-02-02 12:04:30 UTC
Red Hat Product Errata RHSA-2021:0883 0 None None None 2021-03-16 14:56:02 UTC
Red Hat Product Errata RHSA-2021:2792 0 None None None 2021-07-20 22:10:57 UTC

Description msiddiqu 2020-05-20 10:15:58 UTC
There is a heap buffer overflow in Perl's regular expression compiler
that overwrites memory allocated after the regular expression storage
space with attacker supplied data. The heap overflow occurs due to a
signed size_t integer overflow in the storage space calculations for
nested regular expression quantifiers.

Comment 1 msiddiqu 2020-05-20 10:17:45 UTC
Acknowledgments:

Name: ManhND (Tarantula Team), VinCSS (Vingroup)

Comment 7 Petr Pisar 2020-05-25 06:51:32 UTC
(In reply to Todd Cullum from comment #4)
> Mitigation:
> 
> To mitigate this flaw, developers should not pass untrusted or uncontrolled
> input data to the Perl regex engine for evaluation.

That's not correct. The flaw requires passing an untrusted regular expression to the Perl regex compiler. The flaw does not depend on data (a subject text being) matched. And since the regular expressions in Perl can contain any arbitrary Perl code, supplying a user-provided regular expression has always been deemed a security risk.

Comment 10 Todd Cullum 2020-05-27 18:11:47 UTC
Mitigation:

To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.

Comment 11 Todd Cullum 2020-05-27 18:42:09 UTC
The flaw is in the calculation of minimum heap storage space in the routine S_study_chunk() of regcomp.c which allows a ssize_t overflow to occur, producing a subsequent heap buffer overflow and out-of-bounds write of attacker-specified data.

Comment 14 msiddiqu 2020-06-06 01:27:16 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1844662]

Comment 19 errata-xmlrpc 2021-02-02 12:04:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0343 https://access.redhat.com/errata/RHSA-2021:0343

Comment 20 Product Security DevOps Team 2021-02-02 14:41:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10543

Comment 24 errata-xmlrpc 2021-03-16 14:56:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0883 https://access.redhat.com/errata/RHSA-2021:0883

Comment 25 errata-xmlrpc 2021-03-30 09:31:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:1032 https://access.redhat.com/errata/RHSA-2021:1032

Comment 26 errata-xmlrpc 2021-04-20 12:53:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:1266 https://access.redhat.com/errata/RHSA-2021:1266

Comment 27 errata-xmlrpc 2021-05-18 14:12:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1678 https://access.redhat.com/errata/RHSA-2021:1678

Comment 30 errata-xmlrpc 2021-07-20 22:10:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2792 https://access.redhat.com/errata/RHSA-2021:2792


Note You need to log in before you can comment on or make changes to this bug.