Red Hat Bugzilla – Bug 731246
CVE-2011-2939 Perl decode_xs heap-based buffer overflow
Last modified: 2016-11-08 11:07:13 EST
Perl bundles the `Encode' module (http://search.cpan.org/~dankogai/Encode/), which contains the `Unicode.xs' file, where a heap overflow bug has been fixed recently (http://cpansearch.perl.org/src/DANKOGAI/Encode-2.44/Changes):
$Revision: 2.44 $ $Date: 2011/08/09 07:49:44 $
Addressed the following:
Date: Fri, 22 Jul 2011 13:58:43 +0200
From: Robert Zacek <firstname.lastname@example.org>
Subject: Unicode.xs!decode_xs n-byte heap-overflow
The patch has been merged into the perl development tree (http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5):
diff --git a/cpan/Encode/Unicode/Unicode.xs b/cpan/Encode/Unicode/Unicode.xs
index 16f4cd1..039f155 100644 (file)
@@ -1,5 +1,5 @@
- $Id: Unicode.xs,v 2.7 2010/12/31 22:48:48 dankogai Exp $
+ $Id: Unicode.xs,v 2.8 2011/08/09 07:49:44 dankogai Exp dankogai $
@@ -256,7 +256,10 @@ CODE:
This prevents allocating too much in the rogue case of a large
input consisting initially of long sequence uft8-byte unicode
chars followed by single utf8-byte chars. */
- STRLEN remaining = (e - s)/usize;
+ /* +1
+ fixes Unicode.xs!decode_xs n-byte heap-overflow
+ STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
STRLEN max_alloc = remaining + (8*1024*1024);
STRLEN est_alloc = remaining * UTF8_MAXLEN;
STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
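Review bot: as the hunk is shown here, the comment opened by `/* +1` on the first added line is not closed before `STRLEN remaining = (e - s)/usize + 1;`; if the `*/` is genuinely absent rather than lost in extraction, the first `*/` on the declaration line terminates that comment and the declaration itself is swallowed, leaving `remaining` undeclared for the `max_alloc` and `est_alloc` lines that follow, so the comment should be closed on its own line. Separately, the trailing comment `/* +1 to avoid the leak */` misdescribes the defect: the extra unit adds one UTF8_MAXLEN to `est_alloc` so that a final character still gets room when `(e - s)/usize` is already zero, which is an overflow guard, not a leak fix, and the comment should say so.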
Debian has so far applied the fix to its Perl 5.12 and 5.14 versions (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637376), but has recognized the bug in all Perl releases since 5.10.0.
No reproducer or other details are known now. This flaw is public.
An unanswered question has been posted to the perl5-porters mailing list (http://permalink.gmane.org/gmane.comp.lang.perl.perl5.porters/98004).
This was assigned the name CVE-2011-2939:
As noted in the email, it looks like a single-byte overflow that probably is not exploitable.
When remaining is zero, max_alloc is 8*1024*1024 and est_alloc is zero, thus est_alloc is used for newlen. It results in resultbuf and resultbuflen being unmodified, where they should be increased by at least UTF8_MAXLEN.
This issue could result in a 13-byte overflow of resultbuf; 13 bytes is how wide a single UTF-8 encoded character can become in Perl's UTF-8.
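The arithmetic in the comment above can be checked in isolation. The following is an added example, not code from Unicode.xs or from the Encode module: grow_target() reproduces the four-line growth formula from the hunk with a switch for the pre-fix and post-fix value of remaining, and simulate_decode() is a hypothetical model of the decode loop (each input unit is usize bytes, decodes to width output bytes, and the growth check runs after the input cursor has passed the current unit, as the "remaining is zero" analysis implies). The value 13 for UTF8_MAXLEN is taken from the comment above; the initial buffer capacity, the unit count and the per-character width are constructed inputs. The model returns how far the write would land past the end of the buffer, so the pre-fix formula shows the 13-byte overshoot on the last character and the post-fix formula shows none.

```c
#include <stddef.h>
#include <stdio.h>

/* Widest UTF-8 sequence Perl's decoder can emit, per the analysis above. */
#define UTF8_MAXLEN 13
/* Slack term from the hunk: max_alloc = remaining + 8 MiB. */
#define MAX_ALLOC_SLACK ((size_t)8 * 1024 * 1024)

/*
 * Growth target computed exactly as the hunk does:
 *   remaining = (e - s)/usize            (+ 1 after the fix)
 *   max_alloc = remaining + 8 MiB
 *   est_alloc = remaining * UTF8_MAXLEN
 *   newlen    = current length + min(max_alloc, est_alloc)
 * plus_one selects the pre-fix (0) or post-fix (1) formula.
 */
static size_t grow_target(size_t cur_len, size_t bytes_left, size_t usize, int plus_one)
{
    size_t remaining = bytes_left / usize + (plus_one ? 1 : 0);
    size_t max_alloc = remaining + MAX_ALLOC_SLACK;
    size_t est_alloc = remaining * UTF8_MAXLEN;
    return cur_len + (est_alloc < max_alloc ? est_alloc : max_alloc);
}

/*
 * Hypothetical model of the decode loop (an assumption for illustration,
 * not the real Unicode.xs loop): each input unit is `usize` bytes and
 * expands to `width` UTF-8 bytes; the buffer is grown when fewer than
 * UTF8_MAXLEN bytes are free, using grow_target() with the input cursor
 * already advanced past the current unit.  Returns the largest number of
 * bytes any write would land past the end of the buffer (0 = in bounds).
 */
static size_t simulate_decode(size_t units, size_t usize, size_t width,
                              size_t init_cap, int plus_one)
{
    size_t e = units * usize;   /* end of input, in bytes */
    size_t s = 0;               /* input cursor */
    size_t cap = init_cap;      /* buffer capacity, like SvLEN(result) */
    size_t cur = 0;             /* bytes written so far, like SvCUR(result) */
    size_t overshoot = 0;

    while (s + usize <= e) {
        s += usize;             /* consume one code unit */
        if (cap < cur + UTF8_MAXLEN) {
            size_t newlen = grow_target(cap, e - s, usize, plus_one);
            if (newlen > cap)
                cap = newlen;   /* growth only ever enlarges the buffer */
        }
        /* Record how far this write would run past the buffer end. */
        if (cur + width > cap && cur + width - cap > overshoot)
            overshoot = cur + width - cap;
        cur += width;           /* the write itself is unchecked, as in C */
    }
    return overshoot;
}

int main(void)
{
    /* Constructed input: three UTF-16 units (usize 2), each expanding to
       the widest possible sequence, written into a buffer that starts empty. */
    printf("pre-fix overshoot : %zu bytes\n", simulate_decode(3, 2, UTF8_MAXLEN, 0, 0));
    printf("post-fix overshoot: %zu bytes\n", simulate_decode(3, 2, UTF8_MAXLEN, 0, 1));
    return 0;
}
```

The pre-fix run grows the buffer correctly for the first unit (two units remain, so est_alloc is 26) but does nothing for the last unit because remaining is already zero, exactly the case described above; the +1 makes est_alloc at least UTF8_MAXLEN on every growth, which is the extra room the analysis says was missing.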
Created perl tracking bugs for this issue
Affects: fedora-all [bug 743266]
perl-5.12.4-162.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
perl-5.14.1-188.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
perl-5.12.4-147.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1424 https://rhn.redhat.com/errata/RHSA-2011-1424.html