Tavis Ormandy and Will Drewry have discovered a flaw in the way perl calculates
the space needed to process a regular expression. It is possible to cause the
two passes to mismatch. To quote their mail:
The compile phase uses multiple passes (similar to older pcre releases),
once to determine space requirements and another to actually compile the
expression, however it's very simple to cause the two passes to mismatch.
From the perl documentation:
> The regular expression compiler produces polymorphic opcodes.That is,
> the pattern adapts to the data and automatically switches to the Unicode
> character scheme when presented with Unicode data--or instead uses a
> traditional byte scheme when presented with byte data.
This unfortunately means that you can cause the mode to switch at an
arbitrary point, and then subsequent passes of any of the expression prior
to this point switch will be passed differently, and thus potentially have
their space requirements miscalculated.
Red Hat would like to thank Tavis Ormandy and Will Drewry for properly disclosing this issue.
Created attachment 220101 [details]
Patch for Perl 5.8 from Tavis
I don't believe this affects perl 5.6. I wouldn't mind if someone could back me
up on this, but my research suggests that the 5.6 regular expression interpreter
is either in unicode mode or not, it can't switch, which means there can't be a
mismatch between the passes.
Part of perlunicode(1) from perl5.6 what corresponds to quote used in original
The existing regular expression compiler does not produce polymorphic
opcodes. This means that the determination on whether to match Unicode
characters is made when the pattern is compiled, based on whether
the pattern contains Unicode characters, and not when the matching
happens at run time. This needs to be changed to adaptively match
Unicode if the string to be matched is Unicode.
This is going to be RHSA-2007:0966
Created attachment 255541 [details]
Original patch was mangled while being mailed, this one was used in updated
RHEL perl packages and really fixes the issue.
Fixed in affected versions of Red Hat Enterprise Linux:
Red Hat Application Stack:
This issue has been addressed in following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html