Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 580612 (CVE-2015-8853) - <dev-lang/perl-5.22.1: denial-of-service / Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU (CVE-2015-8853)
Summary: <dev-lang/perl-5.22.1: denial-of-service / Regexp-matching "hangs" indefinite...
Status: RESOLVED FIXED
Alias: CVE-2015-8853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2016-1238
Blocks:
  Show dependency tree
 
Reported: 2016-04-20 09:29 UTC by Agostino Sarubbo
Modified: 2017-01-29 23:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-20 09:29:10 UTC
From ${URL} :

A bug in perl can cause regular expressions an malformed UTF8 inputs
to go into a forever loop and consume 100% CPU. The issue was found to
drive a realworld web application into an infinite loop"

The Upstream bugreport about this issue:

https://rt.perl.org/Public/Bug/Display.html?id=123562

Upstream commit:

http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5
(which e.g. has been as well cherry-picked back to the maint-5.22
branch).


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2016-04-20 12:32:56 UTC
This is fixed in Perl 5.22.1. 

It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security fixes comes out in a few days. -> Let's wait for that.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2016-04-30 23:59:33 UTC
(In reply to Andreas K. Hüttel from comment #1)
> This is fixed in Perl 5.22.1. 
> 
> It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security
> fixes comes out in a few days. -> Let's wait for that.

Perl 5.22.2 was released today and is already available in Gentoo. Stabilization will be handled in bug 567482 after a testing period. Please wait for now; arches will be CC'ed in bug 567482 when we're ready to go ahead.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2016-05-09 18:03:27 UTC
(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Andreas K. Hüttel from comment #1)
> > This is fixed in Perl 5.22.1. 
> > 
> > It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security
> > fixes comes out in a few days. -> Let's wait for that.
> 
> Perl 5.22.2 was released today and is already available in Gentoo.
> Stabilization will be handled in bug 567482 after a testing period. Please
> wait for now; arches will be CC'ed in bug 567482 when we're ready to go
> ahead.

Perl 5.22.2 is ready for stabilization; please proceed in bug 567482.
There you can find the full list of packages to be stabilized.
Comment 4 Thomas Deutschmann gentoo-dev 2017-01-21 22:15:25 UTC
Added to existing GLSA.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 23:45:30 UTC
This issue was resolved and addressed in
 GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75
by GLSA coordinator Thomas Deutschmann (whissi).