Perl bundles the `Encode' module (http://search.cpan.org/~dankogai/Encode/), which contains the `Unicode.xs' file, where a heap overflow bug has been fixed recently (http://cpansearch.perl.org/src/DANKOGAI/Encode-2.44/Changes):

  $Revision: 2.44 $ $Date: 2011/08/09 07:49:44 $
  ! Unicode/Unicode.xs
    Addressed the following:
      Date: Fri, 22 Jul 2011 13:58:43 +0200
      From: Robert Zacek <zacek>
      To: perl5-security-report
      Subject: Unicode.xs!decode_xs n-byte heap-overflow

The patch has been merged into the perl development tree (http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5):

diff --git a/cpan/Encode/Unicode/Unicode.xs b/cpan/Encode/Unicode/Unicode.xs index 16f4cd1..039f155 100644 (file) --- a/cpan/Encode/Unicode/Unicode.xs +++ b/cpan/Encode/Unicode/Unicode.xs @@ -1,5 +1,5 @@ /* - $Id: Unicode.xs,v 2.7 2010/12/31 22:48:48 dankogai Exp $ + $Id: Unicode.xs,v 2.8 2011/08/09 07:49:44 dankogai Exp dankogai $ */ #define PERL_NO_GET_CONTEXT @@ -256,7 +256,10 @@ CODE: This prevents allocating too much in the rogue case of a large input consisting initially of long sequence uft8-byte unicode chars followed by single utf8-byte chars. */ - STRLEN remaining = (e - s)/usize; + /* +1 + fixes Unicode.xs!decode_xs n-byte heap-overflow + */ + STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */ STRLEN max_alloc = remaining + (8*1024*1024); STRLEN est_alloc = remaining * UTF8_MAXLEN; STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */

Debian has applied the fix for Perl 5.12 and 5.14 versions (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637376) so far but recognized the bug in all Perl releases since 5.10.0.

No reproducer or other details are known now. This flaw is public. An unanswered question has been posted to the perl-ports mailing list (http://permalink.gmane.org/gmane.comp.lang.perl.perl5.porters/98004).
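Review bot: The two comments added around the new `remaining` line in the `@@ -256,7 +256,10 @@` hunk disagree about what the `+ 1` is for: the block comment says it fixes a heap overflow, while the trailing `/* +1 to avoid the leak */` calls it a leak. Neither states the condition that matters, which from the visible lines is that `(e - s)/usize` is 0 whenever fewer than `usize` bytes remain, so `est_alloc` is 0 and `min(max_alloc, est_alloc)` adds nothing to `SvLEN(result)`. I would replace both with a single comment saying that `remaining` must be at least 1 so the buffer always grows by at least `UTF8_MAXLEN`.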
This was assigned the name CVE-2011-2939: http://www.openwall.com/lists/oss-security/2011/08/19/17 As noted in the email, it looks like a single byte overflow that probably is not exploitable.
When remaining is zero, max_alloc is 8*1024*1024 and est_alloc is zero, thus est_alloc is used for newlen. It results in resultbuf and resultbuflen being unmodified, where they should be at least increased by UTF8_MAXLEN.
This issue could result in a 13-byte overflow of resultbuf, which for Perl's UTF-8 is how wide a single UTF-8 encoded character can become in bytes.
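The sizing arithmetic described in the two comments above, worked through as an added example; it is not code from this report or from the Encode source. It models only the `remaining` / `max_alloc` / `est_alloc` lines shown in the patch; `growth`, `short_growth_cases`, `SLACK` and the unit sizes 2 and 4 are names and values assumed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define UTF8_MAXLEN 13            /* 13 bytes, the figure given on this page */
#define SLACK (8u * 1024 * 1024)  /* the 8*1024*1024 term from the patch */

/* Extra bytes the sizing code adds to SvLEN(result).
 * bytes_left models (e - s); usize is the input unit size; with_fix selects
 * the patched "+ 1" form of `remaining`. */
static size_t growth(size_t bytes_left, size_t usize, int with_fix)
{
    size_t remaining = bytes_left / usize + (with_fix ? 1 : 0);
    size_t max_alloc = remaining + SLACK;
    size_t est_alloc = remaining * UTF8_MAXLEN;
    return est_alloc < max_alloc ? est_alloc : max_alloc;   /* min() */
}

/* Count values of bytes_left in [0, limit) for which the buffer grows by
 * less than one worst-case character, so the next write may not fit. */
static size_t short_growth_cases(size_t limit, size_t usize, int with_fix)
{
    size_t n = 0;
    for (size_t left = 0; left < limit; left++)
        if (growth(left, usize, with_fix) < UTF8_MAXLEN)
            n++;
    return n;
}

int main(void)
{
    const size_t usizes[] = { 2, 4 };   /* assumed input unit sizes */
    for (size_t i = 0; i < 2; i++) {
        size_t u = usizes[i];
        printf("usize=%zu  unpatched short cases: %zu  patched: %zu\n", u,
               short_growth_cases(64, u, 0), short_growth_cases(64, u, 1));
        printf("  bytes_left=0: growth %zu -> %zu\n",
               growth(0, u, 0), growth(0, u, 1));
    }
    return 0;
}
```

With the unpatched formula, every `bytes_left` smaller than `usize` yields zero growth; with the `+ 1` the buffer always gains at least `UTF8_MAXLEN` bytes.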
Created perl tracking bugs for this issue Affects: fedora-all [bug 743266]
perl-5.12.4-162.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
perl-5.14.1-188.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
perl-5.12.4-147.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1424 https://rhn.redhat.com/errata/RHSA-2011-1424.html