oss-sec mailing list archives

CVE Request -- perl v5.8.* -- stack overflow by processing certain regex (Gentoo BTS#313565 / RH BZ#580605)

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 08 Apr 2010 18:48:14 +0200

Hi Steve, vendors,

  1, wouldn't like to open a can of worms,
  2, but for purpose of properly tracking it, requesting a CVE id for the
     following Perl regular expression engine issue:

Bruce Merry reported:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=313565

an integer overflow, leading to stack overflow in the way
Perl regular expression engine processed certain regular
expression(s). Remote attacker could use this flaw to cause
a denial of service (crash of an application, using the
Perl regular expression engine).

Public PoC from [1]:
--------------------
  perl -e 'if ((("a " x 100000) . "a\n") =~ /\A\S+(?: \S+)*\n\z/) {}'

References:
  [2] http://bugs.gentoo.org/show_bug.cgi?id=313565
  [3] https://bugzilla.redhat.com/show_bug.cgi?id=580605

Affected Perl versions:
  Issue tested and confirmed in Perl of versions v5.8.*.
  Versions of Perl v5.10.* are not affected by this.

Steve, what's the Mitre's opinion on cases like this --
denial of service reachable via certain regular expression.

Should we track them on per issue basis? Or only for cases,
where more than a DoS is possible? (doesn't seem to be
this case though).

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- perl v5.8.* -- stack overflow by processing certain regex (Gentoo BTS#313565 / RH BZ#580605) Jan Lieskovsky (Apr 08)
- Re: CVE Request -- perl v5.8.* -- stack overflow by processing certain regex (Gentoo BTS#313565 / RH BZ#580605) Josh Bressers (Apr 14)