Bug 1837975 (CVE-2020-10543) - CVE-2020-10543 perl: heap-based buffer overflow in regular expression compiler leads to DoS
Status: NEW
Alias: CVE-2020-10543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1839272 1839273 1839274 1844662
Blocks: 1838017
Reported: 2020-05-20 10:15 UTC by msiddiqu
Modified: 2020-06-18 18:06 UTC

Fixed In Version: perl 5.30.3, perl 5.28.3

Description msiddiqu 2020-05-20 10:15:58 UTC
There is a heap buffer overflow in Perl's regular expression compiler
that overwrites memory allocated after the regular expression storage
space with attacker supplied data. The heap overflow occurs due to a
signed size_t integer overflow in the storage space calculations for
nested regular expression quantifiers.

Comment 1 msiddiqu 2020-05-20 10:17:45 UTC

Name: ManhND (Tarantula Team), VinCSS (Vingroup)

Comment 7 Petr Pisar 2020-05-25 06:51:32 UTC
(In reply to Todd Cullum from comment #4)
> Mitigation:
> To mitigate this flaw, developers should not pass untrusted or uncontrolled
> input data to the Perl regex engine for evaluation.

That's not correct. The flaw requires passing an untrusted regular expression to the Perl regex compiler. The flaw does not depend on data (a subject text being) matched. And since the regular expressions in Perl can contain any arbitrary Perl code, supplying a user-provided regular expression has always been deemed a security risk.

Comment 10 Todd Cullum 2020-05-27 18:11:47 UTC

To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.
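The following is an added example, not part of the bug report or of Perl's own code: one way to apply the mitigation above so that user input never reaches the regex compiler as pattern syntax. The function names, the pattern table and the sample log lines are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Patterns written by the developer; users select one by name only,
# so no user-supplied text is ever compiled as a pattern.
my %ALLOWED_PATTERN = (
    ipv4  => qr/\b(?:\d{1,3}\.){3}\d{1,3}\b/,
    error => qr/\b(?:error|fail(?:ed|ure)?)\b/i,
);

# Literal substring search: index() does not use the regex engine at all.
sub grep_literal {
    my ($term, @lines) = @_;
    return grep { index($_, $term) >= 0 } @lines;
}

# Literal search that needs a regex feature (case-insensitivity here):
# \Q...\E (quotemeta) escapes every metacharacter in $term, so quantifiers
# and groups in the input are compiled as plain text, not as syntax.
sub grep_literal_ci {
    my ($term, @lines) = @_;
    return grep { /\Q$term\E/i } @lines;
}

# Pattern search restricted to the developer-owned allowlist.
sub grep_named {
    my ($name, @lines) = @_;
    my $re = $ALLOWED_PATTERN{$name}
        or die "unknown pattern name\n";
    return grep { $_ =~ $re } @lines;
}

# Constructed sample input.
my @log = (
    'conn from 10.0.0.5 ok',
    'login FAILED for a+b',
    'query ab rejected',
);
my $user_term = 'a+b';    # constructed user input containing a metacharacter

# Unsafe form, shown only for contrast: /$user_term/ would hand the
# user's text to the regex compiler as a pattern.
print "literal:    $_\n" for grep_literal($user_term, @log);
print "literal/i:  $_\n" for grep_literal_ci('failed', @log);
print "named ipv4: $_\n" for grep_named('ipv4', @log);
```

With the sample input, `grep_literal` returns only the line containing the literal text `a+b`; an unquoted `/$user_term/` would instead have matched the `ab` line.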

Comment 11 Todd Cullum 2020-05-27 18:42:09 UTC
The flaw is in the calculation of minimum heap storage space in the routine S_study_chunk() of regcomp.c which allows a ssize_t overflow to occur, producing a subsequent heap buffer overflow and out-of-bounds write of attacker-specified data.

Comment 14 msiddiqu 2020-06-06 01:27:16 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 1844662]
