Bug 953821 (CVE-2024-56406) - <dev-lang/perl-5.40.2: Heap buffer overflow
Summary: <dev-lang/perl-5.40.2: Heap buffer overflow
Status: IN_PROGRESS
Alias: CVE-2024-56406
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [cleanup glsa?]
Keywords:
Depends on: 954013
Blocks:
Reported: 2025-04-13 22:09 UTC by Sam James
Modified: 2025-04-21 06:28 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-13 22:09:16 UTC
"""
========================================================================
CVE-2024-56406                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2024-56406
  Distribution:  perl
      Versions:  from 5.40.0 until 5.40.2
                 from 5.38.0 until 5.38.4
                 from 5.36.0 through 5.36.3
                 from 5.34.0 through 5.34.3

      MetaCPAN:  https://metacpan.org/dist/perl
      VCS Repo:  https://github.com/Perl/perl5/


Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow
when transliterating non-ASCII bytes

Description
-----------
A heap buffer overflow vulnerability was discovered in Perl. 

When there are non-ASCII bytes in the left-hand-side of the `tr`
operator, `S_do_trans_invmap` can overflow the destination pointer `d`.

   $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' 
   Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and
possibly Code Execution attacks on platforms that lack sufficient
defenses.

Problem types
-------------
CWE-122 Heap-based Buffer Overflow
CWE-787 Out-of-bounds Write

Mitigations
-----------
Users should update perl to 5.40.2 or 5.38.4, or apply the upstream
patch provided in the References section.

References
----------
https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
https://metacpan.org/release/SHAY/perl-5.38.4/changes
https://metacpan.org/release/SHAY/perl-5.40.2/changes

Credits
-------
Nathan Mills, finder
"""
Comment 1 Aliaksei Sakalou 2025-04-18 06:53:39 UTC
Quick fix for perl-5.40.0-r1


root# cat /etc/portage/patches/dev-lang/perl-5.40.0-r1/perl-5.40.0-fixbuff.patch 

diff --git a/op.c b/op.c
index 69ff030e88eb..298b2926338a 100644
--- a/op.c
+++ b/op.c
@@ -6881,6 +6881,7 @@ S_pmtrans(pTHX_ OP *o, OP *expr, OP *repl)
                  * same time.  But otherwise one crosses before the other */
                 if (t_cp < 256 && r_cp_end > 255 && r_cp != t_cp) {
                     can_force_utf8 = TRUE;
+                    max_expansion = MAX(2, max_expansion);
                 }
             }
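Review bot: the added `max_expansion = MAX(2, max_expansion);` carries no comment explaining the constant, even though the enclosing condition (`t_cp < 256 && r_cp_end > 255`) is exactly the case where a Latin-1 byte on the left-hand side is forced into UTF-8 and grows to two bytes; a one-line comment next to `can_force_utf8 = TRUE;` would keep that sizing rationale with the code. Also, the hunk header `@@ -6881,6 +6881,7 @@` announces six unchanged lines but only five are visible around the single addition, so if a trailing blank context line was lost in the paste the patch will be rejected by the user-patch step; compare it against the upstream commit linked in the References section before relying on it.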


root# cd /var/db/repos/gentoo/dev-lang/perl/ && ebuild perl-5.40.0-r1.ebuild manifest && emerge perl
Comment 2 Aliaksei Sakalou 2025-04-20 14:04:46 UTC
The vulnerability has a high severity rating: https://www.tenable.com/cve/CVE-2024-56406