Bug 580605 - (CVE-2010-1158) CVE-2010-1158 Perl: Stack overflow by processing a certain regular expression
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
http://bugs.gentoo.org/show_bug.cgi?i...
impact=low,source=gentoo,reported=201...
Keywords: Security
Reported: 2010-04-08 11:47 EDT by Jan Lieskovsky
Modified: 2010-06-15 02:25 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-04-22 13:59:40 EDT
Description Jan Lieskovsky 2010-04-08 11:47:47 EDT
Bruce Merry reported:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=313565

an integer overflow, leading to a stack overflow, in the way
the Perl regular expression engine processed certain regular
expression(s). A remote attacker could use this flaw to cause
a denial of service (crash of an application using the
Perl regular expression engine).

Public PoC from [1]:
--------------------
  perl -e 'if ((("a " x 100000) . "a\n") =~ /\A\S+(?: \S+)*\n\z/) {}'
Comment 2 Tomas Hoger 2010-04-22 13:59:40 EDT
This is not an integer overflow, rather an expected behaviour / limitation of Perl's regular expression engine.  The regular expression matching function is called recursively for certain types of patterns (where a subexpression using a quantifier is nested inside another quantified expression), where long input can result in deep recursion and exhaustion of all stack memory (i.e. impact is limited to a crash).  The amount of stack memory available to the perl interpreter influences the size of input that must be provided to trigger the crash.  Alternatively, the expression can be modified to avoid quantifier nesting, or the program modified to limit the size of input passed to the regular expression engine.

This problem was addressed in perl 5.10, as noted in perl5100delta man page:

  Engine de-recursivised

  The regular expression engine is no longer recursive, meaning that patterns
  that used to overflow the stack will either die with useful explanations, or
  run to completion, which, since they were able to blow the stack before, will
  likely take a very long time to happen. If you were experiencing the
  occasional stack overflow (or segfault) and upgrade to discover that now perl
  apparently hangs instead, look for a degenerate regex. (Dave Mitchell)

This is a significant change to the regex engine with possible trade-offs.  As the risk of such a change is greater than the security impact of this flaw, there is no plan to backport this fix to already released products using older perl versions.
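Comment 2 names two mitigations: rewrite the pattern so that no quantifier sits inside a quantified group, and cap the size of input handed to the engine. The Perl script below is an added example, not part of this bug report or of Perl itself, that applies both to the PoC pattern; the MAX_LEN value and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed size limit for this example; pick one that fits the application.
use constant MAX_LEN => 4096;

# Pattern from the report: the group (?: \S+)* puts a quantifier inside a
# quantified expression, so pre-5.10 engines recurse once per iteration.
my $nested_re = qr/\A\S+(?: \S+)*\n\z/;

# Same language, split into four tests that use only simple quantifiers on
# character classes (matched iteratively) and literal substrings:
#   1. only non-whitespace characters and spaces, then one trailing newline
#   2. first character is not a space (this also rejects the empty line)
#   3. no two adjacent spaces
#   4. no space directly before the trailing newline
sub is_single_spaced_line {
    my ($s) = @_;
    return $s =~ /\A[\S ]+\n\z/
        && $s =~ /\A\S/
        && $s !~ /  /
        && $s !~ / \n\z/;
}

# Reject oversized input before the regex engine ever sees it.
sub check_line {
    my ($s) = @_;
    return 'rejected: too long' if length($s) > MAX_LEN;
    return is_single_spaced_line($s) ? 'match' : 'no match';
}

# Constructed inputs: the original and rewritten checks must agree on each.
my @cases = ("a b c\n", "a\n", " a\n", "a  b\n", "a b \n", "a\tb\n", "a b", "\n", "");
for my $c (@cases) {
    my $orig = ($c =~ $nested_re) ? 'match' : 'no match';
    my $new  = check_line($c);
    (my $shown = $c) =~ s/\n/\\n/g;
    $shown =~ s/\t/\\t/g;
    printf "%-10s original=%-9s rewritten=%-19s %s\n",
        "'$shown'", $orig, $new, ($orig eq $new ? 'agree' : 'DIFFER');
}

# The input from the public PoC is refused by the size guard instead of
# being handed to the engine.
my $huge = ("a " x 100000) . "a\n";
print "PoC input: ", check_line($huge), "\n";
```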
Comment 3 Tomas Hoger 2010-04-22 14:02:59 EDT
Commit de-recursivising regex engine:
  http://perl5.git.perl.org/perl.git/commitdiff/95b2444054

I've not checked what other previous patches it may depend on, or what other additional fixes may be required.
