Vulnerability CVE-2010-4777


Published: 2014-02-10

Description:
The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

See advisories in our WLB2 database:
Topic
Author
Date
Low
PERL 5.10.0, 5.12.0, 5.14.0 Denial of Service
Nobody
10.02.2014

Type:

CWE-20

(Improper Input Validation)

Vendor: PERL
Product: PERL 
Version:
5.14.0
5.12.0
5.10

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
https://rt.perl.org/Public/Bug/Display.html?id=76538
https://listi.jpberlin.de/pipermail/postfixbuch-users/2011-February/055885.html
https://bugzilla.redhat.com/show_bug.cgi?id=694166
http://lists.opensuse.org/opensuse-updates/2011-05/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
http://forums.ocsinventory-ng.org/viewtopic.php?id=7215
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628836

Related CVE
CVE-2018-18314
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVE-2018-18313
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
CVE-2018-18311
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVE-2018-18312
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVE-2018-12015
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
CVE-2018-6913
Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.
CVE-2018-6798
An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.
CVE-2018-6797
An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

Copyright 2019, cxsecurity.com

 

Back to Top