I have a 1-line test program that causes Perl to segmentation fault. I'm reporting it as a security problem since I assume that anything that can segfault the interpreter has at a minimum a DoS potential. Reproducible: Always Steps to Reproduce: 1. Run perl -e 'if ((("a " x 100000) . "a\n") =~ /\A\S+(?: \S+)*\n\z/) {}' Actual Results: Segmentation fault occurs. Expected Results: Should run successfully with no output. The bug seems to depend on having a long test string - it kicks in somewhere between 7000 and 8000 repetitions. I don't know if that's because there is actually a buffer overflow there or if it just needs a long string to make the overflow corrupt things badly enough to segfault. It also seems to depend on the regex: if the second "\S+" is changed to "\S" it does not segfault. Running the same command on an Ubuntu 9.10 32-bit install (with Perl 5.10.0) does not segfault. Once I've got the bug created I'll experiment with upgrading my Gentoo install to a ~amd64 version of Perl to see if that makes it go away. perl -v: This is perl, v5.8.8 built for x86_64-linux emerge --info: Portage 2.1.7.17 (default/linux/amd64/10.0/desktop, gcc-4.3.4, glibc-2.10.1-r1, 2.6.30-sandtray-00011-g15fc07d x86_64) ================================================================= System uname: Linux-2.6.30-sandtray-00011-g15fc07d-x86_64-Intel-R-_Core-TM-2_CPU_T7400_@_2.16GHz-with-gentoo-1.12.13 Timestamp of tree: Tue, 06 Apr 2010 19:00:01 +0000 app-shells/bash: 4.0_p35 dev-java/java-config: 2.1.10 dev-lang/python: 2.5.4-r3, 2.6.4-r1 dev-util/cmake: 2.6.4-r3 sys-apps/baselayout: 1.12.13 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.3 sys-devel/binutils: 2.18-r3 sys-devel/gcc: 4.3.4 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6b virtual/os-headers: 2.6.30-r1 ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="* -@EULA skype-eula dlj-1.1 @FREE" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -march=core2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O2 -march=core2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch" GENTOO_MIRRORS="http://gentoo.virginmedia.com/" LANG="en_GB.UTF8" LDFLAGS="-Wl,-O1" LINGUAS="en en_GB" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_EXTRA_OPTS="--progress" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi alsa amd64 apache2 audiofile berkdb bluetooth branding bzip2 cairo cdparanoia cdr cli consolekit cracklib crypt cups curl cxx dbus dga doc dri dts dvd dvdr emboss encode exif fam ffmpeg firefox flac foomaticdb fortran ftp fuse gcj gdbm gif glut gphoto2 gpm graphviz gtk hal iconv idea imagemagick imap imlib ipv6 java jpeg jpeg2k kpathsea laptop latex lcms ldap libnotify lirc mad mbox mikmod mmap mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl nptlonly nsplugin offensive ogg openal opengl openmp pam pango pcre pdf perl png ppds pppd python qt3support qt4 readline reflection samba sdl session slang sndfile sockets spell spl sse sse2 ssl startup-notification svg sysfs tcpd tetex theora tiff tk truetype unicode usb userlocales v4l v4l2 vorbis wmf x264 xcb xinerama xml xorg xpm xulrunner xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB" LIRC_DEVICES="inputlirc devinput macmini userspace" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="radeon radeonhd vesa fbdev" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
CVE-2010-1158 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1158): Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.
https://bugzilla.redhat.com/show_bug.cgi?id=580605 Red Hat has at least a little more info thanks to Thomas
5.12.2 is stabilised now, and does not suffer this issue, at least as far as I can tell. Is this good enough quality assurance to mark this bug as resolved? ( and perhaps make sure there is a GLSA to encourage people to upgrade to it )
dev-lang/perl-5.8.8 is package masked.
GLSA request filed.
This issue was resolved and addressed in GLSA 201311-17 at http://security.gentoo.org/glsa/glsa-201311-17.xml by GLSA coordinator Sergey Popov (pinkbyte).