oss-sec mailing list archives

CVE Request: perl: denial-of-service / Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU


From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 20 Apr 2016 11:18:32 +0200

Hi

A bug in perl can cause regular expressions on malformed UTF8 inputs
to go into a forever loop and consume 100% CPU. The issue was found to
drive a real-world web application into an infinite loop.

The upstream bug report about this issue:

https://rt.perl.org/Public/Bug/Display.html?id=123562

Upstream commit:

http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5
(which e.g. has been as well cherry-picked back to the maint-5.22
branch).

It was also reported in Debian as:

https://bugs.debian.org/821848

Could you assign a CVE for this issue?

Regards,
Salvatore
