Incoming data
-------- Forwarded message ---------
From: Sawyer X <xsawyerx@gmail.com>
Date: Sat, Nov 3, 2018 at 1:17 PM
Subject: [Disclosure] Perl 5 security-related issues
To:

Hi,

This is an early disclosure of several security-related bugs in Perl 5. The disclosure date is 22nd of November, in nearly three weeks.

Based on vendor feedback, we are also trying a new process for security releases. We will not be pushing any commits of fixes until the stable is out the door, nor will we make any RC release public. Instead, we will be sending vendors the RC tarballs so that they may test them before we release fully and push the commits. We will release our first RC (RC1) on 8th of November.

We would much appreciate any help in testing our new version since we can't use the public Perl distribution testing infrastructure (as it requires releasing it publicly). While we are looking into manually running some of these tests, we cannot vouch for the same amount of testing provided in the normal release cycle. This is why your assistance would help. If you would like to assist us with testing the new security release, please let me know, and I will arrange for you to receive a tarball on November 8th.

* CVE-2018-18311 (RT #133204)
  Reported by: Jayakrishna Menon
  Fixed by: David Mitchell
  Type of bug: Integer overflow leading to buffer overflow
  Vulnerability range: 5.8.0 - 5.28 (introduced in e658793210)
  Reproduce:
    ./perl -e '$inp = "A" x 0x7fffffff; $ENV{$inp} = $inp;'
    (ASAN not required.)
  Type of failure: Segfault.
  Code already fixed in repo.
  Patches:
    0001-Perl_my_setenv-handle-integer-wrap.patch (for 5.28 and 5.26)

* CVE-2018-12015 (RT #133250)
  Reported by: Jakub Wilk
  Fixed by: Chris 'BinGOs' Williams
  Type of bug: directory traversal in module Archive::Tar
  Vulnerability range: 5.8.0 - 5.26 (introduced in e658793210bb when Archive::Tar was added to core)
  Reproduce:
    rm /tmp/moo ; cd ; ./perl -MArchive::Tar -e 'Archive::Tar->extract_archive("traversal.tar.gz")' ; ls /tmp/moo
    (Tarball traversal.tar.gz file attached. ASAN not required.)
  Code already fixed in repo.
  Patches:
    0001-Update-Archive-Tar-to-CPAN-version-2.28.patch (for 5.28.0.)
    0001-perl-133250-backport-CVE-2018-12015-fix.patch (for 5.26.0.)

* CVE-2018-18312 (RT #133423)
  Reported by: Eiichi Tsukata
  Fixed by: Karl Williamson
  Type of bug: Heap-buffer-overflow write / reg_node overrun
  Vulnerability range: 5.18 - 5.28
  Reproduce:
    ./perl -le 'my $r = "(?[(?-:(?[\\\x00]))\\]\x00|2[^^]\x80\x80\x80\x80])R.\\670"; qr/$r/'
    (ASAN required.)
  Type of failure: ASAN failure
  Patches:
    0001-PATCH-perl-133423.patch (for the upstream git repo)
    0003-PATCH-perl-133423-for-maint-5.28.patch (for 5.28)
    0242-PATCH-perl-133423-for-5.26-maint.patch (for 5.26)

* CVE-2018-18313 (RT #133192)
  Reported by: Eiichi Tsukata
  Fixed by: Karl Williamson
  Type of bug: Heap-buffer-overflow read
  Vulnerability range: 5.22 - 5.26 (introduced in b6d67071cc0)
  Reproduce:
    ./perl -e '$a = "[\0\\N{U+" . "." x 798 . "}"; qr/$a/; $x = "SECRET"'
    (ASAN required.)
  Type of failure: ASAN failure or SECRET in output. (We had difficulties reproducing this.)
  Code already fixed in new versions.
  Patches:
    0001-regcomp.c-Convert-some-strchr-to-memchr.patch (for upstream git repo in 5.28)
    maint-5.26-133192.patch (for 5.26)

* CVE-2018-18314 (RT #131649)
  Reported by: Jakub Wilk
  Fixed by: Yves Orton
  Type of bug: Heap-based buffer overflow
  Vulnerability range: 5.18 - 5.28
  Reproduce:
    ./perl -e 'm/(?[(?s:(?[[x]][xx]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx])/;'
    (ASAN or Valgrind needed.)
  Type of failure: ASAN/Valgrind heap buffer write overflow
  Code already fixed in repo.
  Patches:
    0002-fix-131649-extended-charclass-can-trigger-assert.patch (for current git repo and 5.28)
    0001-fix-131649-extended-charclass-can-trigger-assert.patch (for 5.26)

* Non-security critical memory leak fix (RT #133331)
  Fixed by: Tony Cook
  Type of bug: Memory leak
  Vulnerability range: 5.28
  Reproduce:
    touch a b c ; PL_DESTRUCT_LEVEL=2 valgrind -q --leak-check=full ./perl -i -pe1 a b c
    ("-DDEBUGGING" required to be able to force proper cleanup on exit.)
  Type of failure: Leaked memory allocated by opendir() function.
  Code already fixed in the repo.
  Patches:
    0001-perl-133314-always-close-the-directory-handle-on-cle.patch (for the git repo and 5.28.0. There is no patch on 5.26 because the problem does not exist there.)

Thank you,
Sawyer X.
Project Lead ("Pumpking") of the Perl 5 language.
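The Archive::Tar item above describes a directory-traversal bug, where a member path in an attacker-supplied tarball makes extraction write outside the intended directory. The following script is an added example, not part of the forwarded disclosure and not the Archive::Tar 2.28 fix itself: it walks every member of an archive before extracting anything and refuses the whole archive if any member name (or symlink target) is absolute or contains a ".." component. The two-member archive it builds in memory is constructed test data, not the traversal.tar.gz attached to the report; the helper names `unsafe_members` and `_escapes` are this example's own.

```perl
#!/usr/bin/perl
# Added example, not code from the Perl disclosure or from Archive::Tar itself:
# inspect every member of a tar archive before extracting it and refuse the
# whole archive if any member path could land outside the target directory
# (the class of problem described for CVE-2018-12015).
use strict;
use warnings;
use Archive::Tar;
use File::Spec;
use File::Temp qw(tempdir);

# Return the member names that would escape the extraction directory:
# absolute paths, paths containing a ".." component, and symlinks whose
# target is absolute or climbs with "..".
sub unsafe_members {
    my ($tar) = @_;
    my @bad;
    for my $member ( $tar->get_files ) {
        my $name = $member->full_path;   # prefix + name as stored in the header
        if ( _escapes($name) ) {
            push @bad, $name;
            next;
        }
        if ( $member->is_symlink && _escapes( $member->linkname ) ) {
            push @bad, "$name -> " . $member->linkname;
        }
    }
    return @bad;
}

# True if the path is absolute or any directory component is "..".
sub _escapes {
    my ($path) = @_;
    return 1 if File::Spec->file_name_is_absolute($path);
    return 1 if grep { $_ eq '..' } File::Spec->splitdir($path);
    return 0;
}

# Constructed in-memory archive (not the traversal.tar.gz attached to the
# report): one harmless member and one whose path climbs out of the tree.
my $tar = Archive::Tar->new;
$tar->add_data( 'docs/readme.txt', "harmless\n" );
$tar->add_data( '../../tmp/moo',   "escaped\n" );

my @bad = unsafe_members($tar);
if (@bad) {
    print "refusing to extract, unsafe members:\n";
    print "  $_\n" for @bad;
    exit 1;
}

# Only reached for a clean archive: extract into a fresh temporary directory.
my $dest = tempdir( CLEANUP => 1 );
$tar->setcwd($dest);
$tar->extract or die "extract failed: " . $tar->error;
print "extracted into $dest\n";
```

With the constructed archive the script stops before extraction and lists `../../tmp/moo`; drop that `add_data` line and it extracts `docs/readme.txt` into the temporary directory. Checking the whole member list first, rather than skipping bad entries one at a time, avoids leaving a half-extracted tree when an archive turns out to be hostile; it is a belt-and-braces check in front of the module, not a substitute for updating to a fixed Archive::Tar.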
Update from email:

##
Hi everyone,

We decided to postpone the release by a week, to accommodate those celebrating (read: having to deal with) Thanksgiving and Black Friday, which take a great technical work toll. The disclosure date has been bumped officially to Nov 29th. Still a Thursday, just one week later.

Thanks to everyone who reached out to sign up for helping us test the tarballs.
##

I take it the Perl team makes contact directly if one wants access to participate during the embargo, but please keep the security team in the loop on updates in this bug.
Status of 5.26 needs analysis
> * CVE-2018-18311 (RT #133204)
> Type of bug: Integer overflow leading to buffer overflow
> Vulnerability range: 5.8.0 - 5.28 (introduced in e658793210)

Fixed in 5.26.3

> * CVE-2018-12015 (RT #133250)
> Type of bug: directory traversal in module Archive::Tar
> Vulnerability range: 5.8.0 - 5.26 (introduced in e658793210bb when
> Archive::Tar was added to core)

Handled in bug 657968

> * CVE-2018-18312 (RT #133423)
> Type of bug: Heap-buffer-overflow write / reg_node overrun
> Vulnerability range: 5.18 - 5.28

Fixed in 5.26.3

> * CVE-2018-18313 (RT #133192)
> Type of bug: Heap-buffer-overflow read
> Vulnerability range: 5.22 - 5.26 (introduced in b6d67071cc0)

c1c28ce6ba90ee05aa96b11ad551a6063680f3b9
Fixed in 5.26.3

> * CVE-2018-18314 (RT #131649)
> Type of bug: Heap-based buffer overflow
> Vulnerability range: 5.18 - 5.28

Fixed in 5.26.3
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f7a94dc3f57dc784e88c85516c7bfcc4e3bf5f9

commit 2f7a94dc3f57dc784e88c85516c7bfcc4e3bf5f9
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-04-19 15:57:12 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-04-19 16:52:03 +0000

    package.mask: Unmask Perl 5.28.2

    Bug: https://bugs.gentoo.org/610384
    Bug: https://bugs.gentoo.org/670190
    Bug: https://bugs.gentoo.org/677012
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 7 -------
 1 file changed, 7 deletions(-)
All affected ebuilds masked (well, except on sparc and hppa, which are however not security-supported). No cleanup for now because infra... Anyway, security, please proceed.
This issue was resolved and addressed in GLSA 201909-01 at https://security.gentoo.org/glsa/201909-01 by GLSA coordinator Thomas Deutschmann (whissi).