It was reported [1] that perl suffers from an assertion failure in certain regular expressions. This could cause crashes in certain programs, such as OCSInventory [2] and SpamAssassin [3]. [1] http://rt.perl.org/rt3/Public/Bug/Display.html?id=76538 [2] http://forums.ocsinventory-ng.org/viewtopic.php?id=7215 [3] https://listi.jpberlin.de/pipermail/postfixbuch-users/2011-February/055885.html
I am unable to reproduce this on Fedora 14, RHEL6, RHEL5, or RHEL4. Using the reproducer from http://rt.perl.org/rt3/Ticket/Attachment/548804/260938/ I get no crashes: % perl sample3.pl XML::Twig ok Our versions look like they _should_ be affected, but for some reason we're not seeing the assertion failures at all. I've tried with all three samples. We do not build perl with -g, so I do not believe assertion checks are enabled. Can someone comment as to why we are not seeing these assertion failures? I do believe this is a non-issue for us, but would like to understand why.
We do not see assertions because they are disabled. The Configure -DDEBUGGING=-g option switches compiler debugging data generation on but does not define DEBUGGING symbol needed to enable asserts (perl.h:3880). If you want to enable asserts, you need to Configure -DDEBUGGING=both (Configure:5080). Then I get assertion abort with second case from [1]: $ LANG=en_US.UTF-8 LD_LIBRARY_PATH=$PWD ./perl ~petr/perl/assertion_bug-CVE-2010-4777/case1 perl: regcomp.c:5199: Perl_reg_numbered_buff_fetch: Assertion `rx->sublen >= (s - rx->subbeg) + i' failed. Neúspěšně ukončen (SIGABRT) (core dumped [obraz paměti uložen]) Asserts are not enabled because of performance penalty.
Thanks for that explanation, Petr. Statement: Not vulnerable. This issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not have asserts enabled.