Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 313565 (CVE-2010-1158) - <dev-lang/perl-5.10: simple test program with regex segfaults (CVE-2010-1158)
Summary: <dev-lang/perl-5.10: simple test program with regex segfaults (CVE-2010-1158)
Status: RESOLVED FIXED
Alias: CVE-2010-1158
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: AMD64 Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-06 19:36 UTC by Bruce Merry
Modified: 2013-11-28 08:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bruce Merry 2010-04-06 19:36:25 UTC
I have a 1-line test program that causes Perl to segmentation fault. I'm reporting it as a security problem since I assume that anything that can segfault the interpreter has at a minimum a DoS potential.

Reproducible: Always

Steps to Reproduce:
1. Run
perl -e 'if ((("a " x 100000) . "a\n") =~ /\A\S+(?: \S+)*\n\z/) {}'

Actual Results:  
Segmentation fault occurs.

Expected Results:  
Should run successfully with no output.

The bug seems to depend on having a long test string - it kicks in somewhere between 7000 and 8000 repetitions. I don't know if that's because there is actually a buffer overflow there or if it just needs a long string to make the overflow corrupt things badly enough to segfault. It also seems to depend on the regex: if the second "\S+" is changed to "\S" it does not segfault.

Running the same command on an Ubuntu 9.10 32-bit install (with Perl 5.10.0) does not segfault. Once I've got the bug created I'll experiment with upgrading my Gentoo install to a ~amd64 version of Perl to see if that makes it go away.

perl -v:
This is perl, v5.8.8 built for x86_64-linux

emerge --info:

Portage 2.1.7.17 (default/linux/amd64/10.0/desktop, gcc-4.3.4, glibc-2.10.1-r1, 2.6.30-sandtray-00011-g15fc07d x86_64)
=================================================================
System uname: Linux-2.6.30-sandtray-00011-g15fc07d-x86_64-Intel-R-_Core-TM-2_CPU_T7400_@_2.16GHz-with-gentoo-1.12.13
Timestamp of tree: Tue, 06 Apr 2010 19:00:01 +0000
app-shells/bash:     4.0_p35
dev-java/java-config: 2.1.10
dev-lang/python:     2.5.4-r3, 2.6.4-r1
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.3
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA skype-eula dlj-1.1 @FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=core2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.virginmedia.com/"
LANG="en_GB.UTF8"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--progress"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 apache2 audiofile berkdb bluetooth branding bzip2 cairo cdparanoia cdr cli consolekit cracklib crypt cups curl cxx dbus dga doc dri dts dvd dvdr emboss encode exif fam ffmpeg firefox flac foomaticdb fortran ftp fuse gcj gdbm gif glut gphoto2 gpm graphviz gtk hal iconv idea imagemagick imap imlib ipv6 java jpeg jpeg2k kpathsea laptop latex lcms ldap libnotify lirc mad mbox mikmod mmap mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl nptlonly nsplugin offensive ogg openal opengl openmp pam pango pcre pdf perl png ppds pppd python qt3support qt4 readline reflection samba sdl session slang sndfile sockets spell spl sse sse2 ssl startup-notification svg sysfs tcpd tetex theora tiff tk truetype unicode usb userlocales v4l v4l2 vorbis wmf x264 xcb xinerama xml xorg xpm xulrunner xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB" LIRC_DEVICES="inputlirc devinput macmini userspace" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="radeon radeonhd vesa fbdev" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 21:19:10 UTC
CVE-2010-1158 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1158):
  Integer overflow in the regular expression engine in Perl 5.8.x
  allows context-dependent attackers to cause a denial of service
  (stack consumption and application crash) by matching a crafted
  regular expression against a long string.

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:55:24 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=580605
Red Hat has at least a little more info thanks to Thomas
Comment 3 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2010-11-05 09:27:30 UTC
5.12.2 is stabilised now, and does not suffer this issue, at least as far as I can tell. Is this good enough quality assurance to mark this bug as resolved? 
( and perhaps make sure there is a GLSA to encourage people to upgrade to it )
Comment 4 Torsten Veller (RETIRED) gentoo-dev 2011-03-09 22:15:04 UTC
dev-lang/perl-5.8.8 is package masked.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-03-10 13:55:27 UTC
GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-11-28 08:33:11 UTC
This issue was resolved and addressed in
 GLSA 201311-17 at http://security.gentoo.org/glsa/glsa-201311-17.xml
by GLSA coordinator Sergey Popov (pinkbyte).