Comment 1 Kristian Fiskerstrand (RETIRED) 2018-11-03 11:37:52 UTC

-------- Forwarded message ---------
From: Sawyer X <xsawyerx@gmail.com>
Date: Sat, Nov 3, 2018 at 1:17 PM
Subject: [Disclosure] Perl 5 security-related issues
To:


Hi,

This is an early disclosure of several security-related bugs in Perl 5.

The disclosure date is 22nd of November, in nearly three weeks.

Based on vendor feedback, we are also trying a new process for security releases. We will not be pushing any commits of fixes until the stable is out the door, nor will we make any RC release public. Instead, we will be sending vendors the RC tarballs that they may test it before we release it fully and push the commits.

We will release our first RC (RC1) on 8th of November.

We would much appreciate any help in testing our new version since we can't use the public Perl distribution testing infrastructure (as it requires releasing it publicly). While we are looking into manually running some of these tests, we cannot vouch for the same amount of testing provided in the normal release cycle. This is why your assistance would help.

If you would like to assist us with testing the new security release, please let me know, and I will arrange you receive a tarball on November 8th.

* CVE-2018-18311 (RT #133204)

    Reported by: Jayakrishna Menon
    Fixed by: David Mitchell
    Type of bug: Integer overflow leading to buffer overflow
    Vulnerability range: 5.8.0 - 5.28 (introduced in e658793210)
    Reproduce:

./perl -e '$inp = "A" x 0x7fffffff; $ENV{$inp} = $inp;'

(ASAN not required.)

    Type of failure: Segfault.
    Code already fixed in repo.
    Patches:
        0001-Perl_my_setenv-handle-integer-wrap.patch (for 5.28 and 5.26)


* CVE-2018-12015 (RT #133250)

    Reported by: Jakub Wilk
    Fixed by: Chris 'BinGOs' Williams
    Type of bug: directory traversal in module Archive::Tar
    Vulnerability range: 5.8.0 - 5.26 (introduced in e658793210bb when Archive::Tar was added to core)
    Reproduce:

rm /tmp/moo ; cd ; ./perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")' ; ls /tmp/moo

(Tarball traversal.tar.gz file attached. ASAN not required.)

    Code already fixed in repo.
    Patches:
        0001-Update-Archive-Tar-to-CPAN-version-2.28.patch (for 5.28.0.)
        0001-perl-133250-backport-CVE-2018-12015-fix.patch (for 5.26.0.)


* CVE-2018-18312 (RT #133423)

    Reported by: Eiichi Tsukata
    Fixed by: Karl Williamson
    Type of bug: Heap-buffer-overflow write / reg_node overrun
    Vulnerability range: 5.18 - 5.28
    Reproduce:

./perl -le 'my $r = "(?[(?-:(?[\\\x00]))\\]\x00|2[^^]\x80\x80\x80\x80])R.\\670"; qr/$r/'

(ASAN required.)

    Type of failure: ASAN failure
    Patches:
        0001-PATCH-perl-133423.patch (for the upstream git repo)
        0003-PATCH-perl-133423-for-maint-5.28.patch (for 5.28)
        0242-PATCH-perl-133423-for-5.26-maint.patch (for 5.26)


* CVE-2018-18313 (RT #133192)

    Reported by: Eiichi Tsukata
    Fixed by: Karl Williamson
    Type of bug: Heap-buffer-overflow read
    Vulnerability range: 5.22 - 5.26 (introduced in b6d67071cc0)
    Reproduce:

./perl -e '$a = "[\0\\N{U+" . "." x 798 . "}"; qr/$a/; $x = "SECRET"'

(ASAN required.)

    Type of failure: ASAN failure or SECRET in output. (We had difficulties reproducing this.)
    Code already fixed new versions.
    Patches:
        0001-regcomp.c-Convert-some-strchr-to-memchr.patch (for upstream git repo in 5.28)
        maint-5.26-133192.patch (for 5.26)


* CVE-2018-18314 (RT #131649)

    Reported by: Jakub Wilk
    Fixed by: Yves Orton
    Type of bug: Heap-based buffer overflow
    Vulnerability range: 5.18 - 5.28
    Reproduce:

./perl -e 'm/(?[(?s:(?[[x]][xx]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx])/;'

(ASAN or Valgrind needed.)

    Type of failure: ASAN/Valgrind heap buffer write overflow
    Code already fixed in repo.
    Patches:
        0002-fix-131649-extended-charclass-can-trigger-assert.patch (for current git repo and 5.28)
        0001-fix-131649-extended-charclass-can-trigger-assert.patch (for 5.26)


* Non-security critical memory leak fix (RT #133331)

    Fixed by: Tony Cook
    Type of bug: Memory leak
    Vulnerability range: 5.28
    Reproduce:

touch a b c ; PL_DESTRUCT_LEVEL=2 valgrind -q --leak-check=full ./perl -i -pe1 a b c

("-DDEBUGGING" required to be able to force proper cleanup on exit.)

    Type of failure: Leaked memory allocated by opendir() function.
    Code already fixed in the repo.
    Patches:
        0001-perl-133314-always-close-the-directory-handle-on-cle.patch (for the git repo and 5.28.0. There is no patch on 5.26 because the problem does not exist there.)


Thank you,
Sawyer X.
Project Lead ("Pumpking") of the Perl 5 language.

Comment 2 Kristian Fiskerstrand (RETIRED) 2018-11-07 19:58:41 UTC

Update from email:
##
Hi everyone,

We decided to postpone the release by a week, to accommodate those celebrating (read: having to deal with) Thanksgiving and Black Friday, which take a great technical work toll.

The disclosure date has been bumped officially to Nov 29th. Still a Thursday, just one week later.

Thanks to everyone who reached out to sign up for helping us test the tarballs.
##

I take it perl team takes contact directly if wanting access to participate during embargo, but please keep security team in the loop on update in this bug.

Comment 3 Andreas K. Hüttel 2019-04-07 14:13:22 UTC

Status of 5.26 needs analysis

Comment 4 Andreas K. Hüttel 2019-04-07 14:22:24 UTC

> * CVE-2018-18311 (RT #133204)
>     Type of bug: Integer overflow leading to buffer overflow
>     Vulnerability range: 5.8.0 - 5.28 (introduced in e658793210)
Fixed in 5.26.3

> * CVE-2018-12015 (RT #133250)
>     Type of bug: directory traversal in module Archive::Tar
>     Vulnerability range: 5.8.0 - 5.26 (introduced in e658793210bb when
> Archive::Tar was added to core)
Handled in bug 657968

> * CVE-2018-18312 (RT #133423)
>     Type of bug: Heap-buffer-overflow write / reg_node overrun
>     Vulnerability range: 5.18 - 5.28
Fixed in 5.26.3

> * CVE-2018-18313 (RT #133192)
>     Type of bug: Heap-buffer-overflow read
>     Vulnerability range: 5.22 - 5.26 (introduced in b6d67071cc0)
c1c28ce6ba90ee05aa96b11ad551a6063680f3b9
Fixed in 5.26.3

> * CVE-2018-18314 (RT #131649)
>     Type of bug: Heap-based buffer overflow
>     Vulnerability range: 5.18 - 5.28
Fixed in 5.26.3

Comment 5 Larry the Git Cow 2019-04-19 16:54:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f7a94dc3f57dc784e88c85516c7bfcc4e3bf5f9

commit 2f7a94dc3f57dc784e88c85516c7bfcc4e3bf5f9
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-04-19 15:57:12 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-04-19 16:52:03 +0000

    package.mask: Unmask Perl 5.28.2
    
    Bug: https://bugs.gentoo.org/610384
    Bug: https://bugs.gentoo.org/670190
    Bug: https://bugs.gentoo.org/677012
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 7 -------
 1 file changed, 7 deletions(-)

Comment 6 Andreas K. Hüttel 2019-08-30 21:16:26 UTC

All affected ebuilds masked (well, except on sparc and hppa which are however not security-supported).

No cleanup for now because infra... Anyway security please proceed.

Comment 7 GLSAMaker/CVETool Bot 2019-09-06 16:15:53 UTC

This issue was resolved and addressed in
 GLSA 201909-01 at https://security.gentoo.org/glsa/201909-01
by GLSA coordinator Thomas Deutschmann (whissi).