A flaw was found in Perl versions 5.18 through 5.26. A Heap-buffer-overflow write / reg_node overrun
Upstream ticket: https://rt.perl.org/Public/Bug/Display.html?id=133423
Acknowledgments: Name: the Perl project Upstream: Eiichi Tsukata
Created perl tracking bugs for this issue: Affects: fedora-all [bug 1654919]
Upstream commit: https://github.com/Perl/perl5/commit/4db502b8711307951dfadc62a8f2c2eda922ca22
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:0001 https://access.redhat.com/errata/RHSA-2019:0001
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2019:0010 https://access.redhat.com/errata/RHSA-2019:0010
openshift-enterprise-3: notaffected. I reviewed OpenShift containers for applications with dependencies on perl and was unable to identify any where the perl interpreter would be exposed to attacker-controlled regular expressions which could expose this flaw. There is a perl dependency in our MariaDB packaging, however the only non-test related perl usage is in a backup script (mysqlhotcopy) which is not exposed to attacker-controlled regular expressions. I have not filed trackers as these images will inherit the existing perl fixes next time they are respun. See also https://access.redhat.com/articles/2803031