Bruce Merry reported:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=313565

an integer overflow, leading to a stack overflow, in the way the Perl regular expression engine processed certain regular expression(s). A remote attacker could use this flaw to cause a denial of service (crash of an application using the Perl regular expression engine).

Public PoC from [1]:
--------------------
perl -e 'if ((("a " x 100000) . "a\n") =~ /\A\S+(?: \S+)*\n\z/) {}'
This is not an integer overflow, but rather an expected behaviour / limitation of perl's regular expression engine. The regular expression matching function is called recursively for certain types of patterns (where a subexpression using a quantifier is nested inside another quantified expression), where long input can result in deep recursion and exhaustion of all stack memory (i.e. impact is limited to a crash).

The amount of stack memory available to the perl interpreter influences the size of input that must be provided to trigger the crash. Alternatively, the expression can be modified to avoid quantification nesting, or the program modified to limit the size of input passed to the regular expression engine.

This problem was addressed in perl 5.10, as noted in the perl5100delta man page:

  Engine de-recursivised

  The regular expression engine is no longer recursive, meaning that patterns that used to overflow the stack will either die with useful explanations, or run to completion, which, since they were able to blow the stack before, will likely take a very long time to happen. If you were experiencing the occasional stack overflow (or segfault) and upgrade to discover that now perl apparently hangs instead, look for a degenerate regex. (Dave Mitchell)

This is a significant change to the regex engine with possible trade-offs. As the risk of such a change is greater than the security impact of this flaw, there is no plan to backport this fix to already released products using older perl versions.
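Added example, not part of the original bug comments or of perl itself: one way to apply both workarounds named above (limit the input size, avoid quantifier nesting) to the PoC pattern. The function name is_token_line and the 4096-byte MAX_LEN limit are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed limit for this example; choose one that fits the application's data.
use constant MAX_LEN => 4096;

# Accepts the same strings as the PoC pattern /\A\S+(?: \S+)*\n\z/
# (non-whitespace tokens separated by single spaces, then one newline),
# but no quantified group contains another quantifier.
sub is_token_line {
    my ($s) = @_;
    return 0 unless defined $s;
    return 0 if length($s) > MAX_LEN;        # bound the input before matching
    return 0 unless $s =~ /\A[\S ]+\n\z/;    # only tokens and spaces, then "\n"
    return 0 if $s =~ /\A /;                 # no leading space
    return 0 if $s =~ /  /;                  # no empty token (two spaces in a row)
    return 0 if $s =~ / \n\z/;               # no space before the final newline
    return 1;
}

# Constructed sample inputs with the result the original pattern would give,
# except the last one, which is rejected here on length alone.
my @cases = (
    [ "a b c\n",               1 ],
    [ "a\n",                   1 ],
    [ "a  b\n",                0 ],
    [ " a\n",                  0 ],
    [ "a \n",                  0 ],
    [ "a b",                   0 ],
    [ "a\tb\n",                0 ],
    [ ("a " x 100000) . "a\n", 0 ],   # PoC-sized input
);

for my $c (@cases) {
    my ($input, $want) = @$c;
    my $got   = is_token_line($input);
    my $label = length($input) > 20
        ? sprintf("<%d bytes>", length $input)
        : $input;
    $label =~ s/\n/\\n/g;
    $label =~ s/\t/\\t/g;
    printf "%-16s %s\n", $label, $got == $want ? "ok" : "MISMATCH";
}
```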
Commit de-recursivising regex engine:
  http://perl5.git.perl.org/perl.git/commitdiff/95b2444054

I've not checked what other previous patches it may depend on, or what other additional fixes may be required.