perl: segfaults when echoing a very long string [CVE-2012-5195]

Related Vulnerabilities: CVE-2012-5195   CVE-2012-5526  

Debian Bug report logs - #689314

Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl (PTS, buildd, popcon).

Reported by: Thorsten Glaser <tg@mirbsd.de>

Date: Mon, 1 Oct 2012 14:12:01 UTC

Severity: grave

Tags: patch, security, squeeze, upstream

Found in versions perl/5.10.1-17squeeze3, perl/5.14.2-13, perl/5.10.1-17

Fixed in versions perl/5.16.0-1, perl/5.14.2-14, perl/5.10.1-17squeeze4, perl/5.16.2-2

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, tg@mirbsd.de, Niko Tyni <ntyni@debian.org>:
Bug#689314; Package perl. (Mon, 01 Oct 2012 14:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
New Bug report received and forwarded. Copy sent to tg@mirbsd.de, Niko Tyni <ntyni@debian.org>. (Mon, 01 Oct 2012 14:12:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl: segfaults when echoing a very long string
Date: Mon, 01 Oct 2012 16:11:00 +0200

Package: perl
Version: 5.14.2-13
Severity: normal

# perl -le 'print "v"x(2**31+1) ."=1"'                                               
Segmentation fault 

Trying to reproduce the error from
http://git.kernel.org/?p=libs/klibc/klibc.git;a=commitdiff;h=127b17bb38dbfc95386a52b2159f059221d33497
on Debian wheezy/amd64.

Interestingly enough, Debian lenny/amd64 works just fine.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh-static

Versions of packages perl depends on:
ii  libbz2-1.0    1.0.6-4
ii  libc6         2.13-35
ii  libdb5.1      5.1.29-5
ii  libgdbm3      1.8.3-11
ii  perl-base     5.14.2-13
ii  perl-modules  5.14.2-13
ii  zlib1g        1:1.2.7.dfsg-13

Versions of packages perl recommends:
ii  netbase  5.0

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | libterm-readline-perl-perl  <none>
ii  make                                                    3.81-8.2
pn  perl-doc                                                <none>

-- no debconf information



Severity set to 'grave' from 'normal' Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Wed, 10 Oct 2012 18:39:03 GMT) (full text, mbox, link).


Changed Bug title to 'perl: segfaults when echoing a very long string [CVE-2012-5195]' from 'perl: segfaults when echoing a very long string' Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Wed, 10 Oct 2012 18:39:04 GMT) (full text, mbox, link).


Added tag(s) upstream, security, and patch. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Wed, 10 Oct 2012 18:39:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#689314; Package perl. (Wed, 10 Oct 2012 19:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Oct 2012 19:03:03 GMT) (full text, mbox, link).


Message #16 received at 689314@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>
To: Thorsten Glaser <tg@mirbsd.de>, 689314@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#689314: perl: segfaults when echoing a very long string
Date: Wed, 10 Oct 2012 21:35:41 +0300

severity 689314 grave
retitle 689314 perl: segfaults when echoing a very long string [CVE-2012-5195]
tag 689314 upstream security patch
thanks

On Mon, Oct 01, 2012 at 04:11:00PM +0200, Thorsten Glaser wrote:
> Package: perl
> Version: 5.14.2-13
> Severity: normal
> 
> # perl -le 'print "v"x(2**31+1) ."=1"'                                               
> Segmentation fault 

This has security impact and has been assigned CVE-2012-5195.  See

 http://www.nntp.perl.org/group/perl.perl5.porters/2012/10/msg193886.html
 http://perl5.git.perl.org/perl.git/commit/b675304e3fdbcce3ef853b06b6ebe870d99faa7e

It's not quite clear yet if 5.10.1 (squeeze) is affected. 

I'll upload a fix to sid/wheezy shortly.
-- 
Niko Tyni   ntyni@debian.org



Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Wed, 10 Oct 2012 19:36:05 GMT) (full text, mbox, link).


Notification sent to Thorsten Glaser <tg@mirbsd.de>:
Bug acknowledged by developer. (Wed, 10 Oct 2012 19:36:05 GMT) (full text, mbox, link).


Message #21 received at 689314-close@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>
To: 689314-close@bugs.debian.org
Subject: Bug#689314: fixed in perl 5.14.2-14
Date: Wed, 10 Oct 2012 19:33:12 +0000

Source: perl
Source-Version: 5.14.2-14

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 10 Oct 2012 21:17:36 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.14 libperl-dev perl
Architecture: source all amd64
Version: 5.14.2-14
Distribution: unstable
Urgency: high
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.14 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 689314
Changes: 
 perl (5.14.2-14) unstable; urgency=high
 .
   * [SECURITY] CVE-2012-5195: fix a heap buffer overrun with
     the 'x' string repeat operator. (Closes: #689314)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlB1yIkACgkQiyizGWoHLTk5cwCfQpnuyyo3HdpOUAaAyNXXjYX6
wmoAoIQQ8VLA38qSpwTgAlwtIWWEnjiZ
=DuJm
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 10 Nov 2012 07:25:37 GMT) (full text, mbox, link).


Bug unarchived. Request was from Arne Wichmann <aw@anhrefn.saar.de> to control@bugs.debian.org. (Mon, 26 Nov 2012 21:33:05 GMT) (full text, mbox, link).


Marked as found in versions perl/5.10.1-17squeeze3. Request was from Arne Wichmann <aw@anhrefn.saar.de> to control@bugs.debian.org. (Mon, 26 Nov 2012 21:33:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#689314; Package perl. (Fri, 30 Nov 2012 14:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Fri, 30 Nov 2012 14:27:03 GMT) (full text, mbox, link).


Message #32 received at 689314@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: 689314@bugs.debian.org
Subject: Re: Bug#689314: perl: segfaults when echoing a very long string
Date: Fri, 30 Nov 2012 14:24:40 +0000

On Wed, Oct 10, 2012 at 09:35:41PM +0300, Niko Tyni wrote:
> severity 689314 grave
> retitle 689314 perl: segfaults when echoing a very long string [CVE-2012-5195]
> tag 689314 upstream security patch
> thanks
> 
> On Mon, Oct 01, 2012 at 04:11:00PM +0200, Thorsten Glaser wrote:
> > Package: perl
> > Version: 5.14.2-13
> > Severity: normal
> > 
> > # perl -le 'print "v"x(2**31+1) ."=1"'                                               
> > Segmentation fault 
> 
> This has security impact and has been assigned CVE-2012-5195.  See
> 
>  http://www.nntp.perl.org/group/perl.perl5.porters/2012/10/msg193886.html
>  http://perl5.git.perl.org/perl.git/commit/b675304e3fdbcce3ef853b06b6ebe870d99faa7e
> 
> It's not quite clear yet if 5.10.1 (squeeze) is affected. 

We are nevertheless planning to upload a fix to stable-security shortly.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Bug reopened Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 30 Nov 2012 14:27:07 GMT) (full text, mbox, link).


No longer marked as fixed in versions perl/5.14.2-14. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 30 Nov 2012 14:27:07 GMT) (full text, mbox, link).


Marked as fixed in versions perl/5.14.2-14. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 30 Nov 2012 14:27:08 GMT) (full text, mbox, link).


Added tag(s) squeeze. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Mon, 10 Dec 2012 19:36:02 GMT) (full text, mbox, link).


Marked as found in versions perl/5.10.1-17. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Mon, 10 Dec 2012 19:36:03 GMT) (full text, mbox, link).


Marked as fixed in versions perl/5.10.1-17squeeze4. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 13 Dec 2012 14:33:07 GMT) (full text, mbox, link).


Marked as found in versions perl/5.16.1-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 13 Dec 2012 14:36:03 GMT) (full text, mbox, link).


Marked as found in versions perl/5.16.2-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 13 Dec 2012 14:36:05 GMT) (full text, mbox, link).


Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Thu, 13 Dec 2012 14:39:06 GMT) (full text, mbox, link).


Notification sent to Thorsten Glaser <tg@mirbsd.de>:
Bug acknowledged by developer. (Thu, 13 Dec 2012 14:39:06 GMT) (full text, mbox, link).


Message #53 received at 689314-done@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: 689314-done@bugs.debian.org
Subject: Now fixed in stable
Date: Thu, 13 Dec 2012 14:35:19 +0000

Now fixed in stable.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Thu, 13 Dec 2012 23:51:05 GMT) (full text, mbox, link).


Notification sent to Thorsten Glaser <tg@mirbsd.de>:
Bug acknowledged by developer. (Thu, 13 Dec 2012 23:51:05 GMT) (full text, mbox, link).


Message #58 received at 689314-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: 689314-close@bugs.debian.org
Subject: Bug#689314: fixed in perl 5.10.1-17squeeze4
Date: Thu, 13 Dec 2012 23:47:11 +0000

Source: perl
Source-Version: 5.10.1-17squeeze4

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 11 Dec 2012 14:07:34 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.1-17squeeze4
Distribution: stable-security
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 689314 693420 695223
Changes: 
 perl (5.10.1-17squeeze4) stable-security; urgency=low
 .
   * [SECURITY] CVE-2012-5195: fix a heap buffer overrun with
     the 'x' string repeat operator. (Closes: #689314)
   * [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
     CRLF escaping (Closes: #693420)
   * [SECURITY] add warning to Storable documentation that Storable
     documents should not be accepted from untrusted sources
     (Closes: #695223)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFQx1qIYzuFKFF44qURApn+AKCZfVcM25yRNryeFhW+CsUDDQBWngCcCoJa
StA9P/+fCayFF1GHmZnzXdw=
=1igm
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#689314; Package perl. (Fri, 04 Jan 2013 13:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Kudrevatykh <kudrevatykh@gmail.com>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Fri, 04 Jan 2013 13:03:04 GMT) (full text, mbox, link).


Message #63 received at 689314@bugs.debian.org (full text, mbox, reply):

From: Alexander Kudrevatykh <kudrevatykh@gmail.com>
To: Debian Bug Tracking System <689314@bugs.debian.org>
Subject: Re: perl: segfaults when echoing a very long string [CVE-2012-5195]
Date: Fri, 04 Jan 2013 17:00:24 +0400

Package: perl
Version: 5.14.2-16
Followup-For: Bug #689314

perl still segfaults with the command # perl -e 'print "x"x(2**31)'
but does not segfault with the original command

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages perl depends on:
ii  libbz2-1.0    1.0.6-4
ii  libc6         2.13-37
ii  libdb5.1      5.1.29-5
ii  libgdbm3      1.8.3-11
ii  perl-base     5.14.2-16
ii  perl-modules  5.14.2-16
ii  zlib1g        1:1.2.7.dfsg-13

Versions of packages perl recommends:
ii  netbase  5.0

Versions of packages perl suggests:
ii  libterm-readline-perl-perl  1.0303-1
ii  make                        3.81-8.2
pn  perl-doc                    <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#689314; Package perl. (Sat, 05 Jan 2013 16:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 05 Jan 2013 16:48:03 GMT) (full text, mbox, link).


Message #68 received at 689314@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Alexander Kudrevatykh <kudrevatykh@gmail.com>, 689314@bugs.debian.org
Subject: Re: Bug#689314: perl: segfaults when echoing a very long string [CVE-2012-5195]
Date: Sat, 5 Jan 2013 16:44:48 +0000

On Fri, Jan 04, 2013 at 05:00:24PM +0400, Alexander Kudrevatykh wrote:
> perl still segfaults with the command # perl -e 'print "x"x(2**31)'
> but does not segfault with the original command

I can reproduce this on i386, but not amd64.

$ perl -le 'print "v"x(2**31+1) ."=1"'
panic: memory wrap at -e line 1.

$ perl -e 'print "x"x(2**31)'
Segmentation fault

Strangely, when I try and reproduce with a vanilla 5.14.3 build, I
get:

$ ./perl -e 'print "x"x(2**31)'
$ echo $?
0

which seems wrong in a different way...

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
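
The failure mode behind the changelog's "heap buffer overrun with the 'x' string repeat operator" and the "panic: memory wrap" output above, as an added C illustration that is neither perl's source nor part of this bug log. It assumes, for illustration only, that the repeat count is narrowed to a signed 32-bit value before the copy; `narrowed_count`, `size_seen_by_copy` and `checked_repeat` are hypothetical names.

```c
/* Added illustration of the bug class; not perl's source code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { REPEAT_OK, REPEAT_WRAP, REPEAT_NOMEM } repeat_status;

/* ASSUMPTION (not stated on the page): the repeat count is narrowed to a
 * signed 32-bit integer before the copy. Returns the value the copy routine
 * would then see. Computed by hand so the result does not depend on
 * implementation-defined integer conversions. */
int64_t narrowed_count(int64_t count)
{
    uint32_t low = (uint32_t)count;              /* keep the low 32 bits */
    return (low & 0x80000000u) ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Length a memset/memcpy would receive if that signed value were passed as
 * its size_t argument. Nothing is copied here. */
size_t size_seen_by_copy(int64_t count)
{
    return (size_t)narrowed_count(count);
}

/* Hardened repeat: refuses a negative count (at this layer it can only come
 * from wraparound) and a len * count product that does not fit in size_t,
 * and reports allocation failure instead of writing through NULL. */
repeat_status checked_repeat(const char *unit, size_t len, int64_t count,
                             char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (count < 0)
        return REPEAT_WRAP;
    /* Leave room for the trailing NUL: len * count + 1 must fit. */
    if (len != 0 && (uint64_t)count > (SIZE_MAX - 1) / len)
        return REPEAT_WRAP;

    size_t total = (len == 0) ? 0 : len * (size_t)count;
    char *buf = malloc(total + 1);
    if (buf == NULL)
        return REPEAT_NOMEM;

    /* total is an exact multiple of len, so every copy stays in bounds. */
    for (size_t off = 0; off < total; off += len)
        memcpy(buf + off, unit, len);
    buf[total] = '\0';

    *out = buf;
    *out_len = total;
    return REPEAT_OK;
}

int main(void)
{
    int64_t requested = 2147483649LL;            /* 2**31 + 1, as in the report */
    printf("requested count : %lld\n", (long long)requested);
    printf("after narrowing : %lld\n", (long long)narrowed_count(requested));
    printf("length for copy : %zu\n", size_seen_by_copy(requested));

    char *s;
    size_t n;
    /* The wrapped count is rejected before any allocation or copy. */
    if (checked_repeat("v", 1, narrowed_count(requested), &s, &n) == REPEAT_WRAP)
        puts("wrapped count   : rejected (memory wrap)");

    if (checked_repeat("ab", 2, 3, &s, &n) == REPEAT_OK) {
        printf("\"ab\" x 3        : %s (%zu bytes)\n", s, n);
        free(s);
    }
    return 0;
}
```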



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#689314; Package perl. (Sat, 05 Jan 2013 16:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Alexander V. Kudrevatykh" <kudrevatykh@gmail.com>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 05 Jan 2013 16:57:03 GMT) (full text, mbox, link).


Message #73 received at 689314@bugs.debian.org (full text, mbox, reply):

From: "Alexander V. Kudrevatykh" <kudrevatykh@gmail.com>
To: Dominic Hargreaves <dom@earth.li>
Cc: 689314@bugs.debian.org
Subject: Re: Bug#689314: perl: segfaults when echoing a very long string [CVE-2012-5195]
Date: Sat, 05 Jan 2013 20:54:50 +0400

Hi, I have an i386 system and perl with an amd64 kernel, maybe this confused
you?
With an amd64 system and perl I cannot reproduce it either.

On Sat, 05/01/2013 at 16:44 +0000, Dominic Hargreaves wrote:
> On Fri, Jan 04, 2013 at 05:00:24PM +0400, Alexander Kudrevatykh wrote:
> > perl still segfaults with the command # perl -e 'print "x"x(2**31)'
> > but does not segfault with the original command
> 
> I can reproduce this on i386, but not amd64.
> 
> $ perl -le 'print "v"x(2**31+1) ."=1"'
> panic: memory wrap at -e line 1.
> 
> $ perl -e 'print "x"x(2**31)'
> Segmentation fault
> 
> Strangely, when I try and reproduce with a vanilla 5.14.3 build, I
> get:
> 
> $ ./perl -e 'print "x"x(2**31)'
> $ echo $?
> 0
> 
> which seems wrong in a different way...
> 


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#689314; Package perl. (Fri, 11 Jan 2013 08:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Fri, 11 Jan 2013 08:27:03 GMT) (full text, mbox, link).


Message #78 received at 689314@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>
To: 689314@bugs.debian.org
Cc: Alexander Kudrevatykh <kudrevatykh@gmail.com>
Subject: Re: Bug#689314: perl: segfaults when echoing a very long string [CVE-2012-5195]
Date: Fri, 11 Jan 2013 10:24:58 +0200

On Sat, Jan 05, 2013 at 04:44:48PM +0000, Dominic Hargreaves wrote:

> Strangely, when I try and reproduce with a vanilla 5.14.3 build, I
> get:
> 
> $ ./perl -e 'print "x"x(2**31)'
> $ echo $?
> 0
> 
> which seems wrong in a different way...

FWIW, I can reproduce it with an unpatched 5.14.3 on current sid i386
(a personality=linux32 chroot on an amd64 kernel to be precise).  

I copied config.over from the Debian package and then called its
'config.debian --static'.  I haven't bisected which Configure options
actually count.

My guess is it's just going out of memory but doesn't handle it too
gracefully.

Core was generated by `./perl -e print "x"x(2**31)'.
Program terminated with signal 11, Segmentation fault.
#0  0xf75a2b4f in memcpy () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0  0xf75a2b4f in memcpy () from /lib/i386-linux-gnu/libc.so.6
#1  0x08162f9d in memcpy (__len=2002024496, __src=<optimized out>, __dest=<optimized out>)
    at /usr/include/i386-linux-gnu/bits/string3.h:52
#2  PerlIOBuf_write (my_perl=0x8df0008, f=0x8e07d70, vbuf=0x77525008, count=<optimized out>)
    at perlio.c:4184
#3  0x0813fefd in Perl_do_print (my_perl=my_perl@entry=0x8df0008, sv=0x8e0c13c, fp=fp@entry=0x8e07d70)
    at doio.c:1257
#4  0x080e4ab3 in Perl_pp_print (my_perl=0x8df0008) at pp_hot.c:773
#5  0x080e2878 in Perl_runops_standard (my_perl=0x8df0008) at run.c:41
#6  0x0807eef0 in S_run_body (oldscope=0, my_perl=0x8df0008) at perl.c:2365
#7  perl_run (my_perl=0x8df0008) at perl.c:2283
#8  0x0806125f in main (argc=3, argv=0xffdefe94, env=0xffdefea4) at perlmain.c:120


Summary of my perl5 (revision 5 version 14 subversion 3) configuration:
  Derived from: 
  Platform:
    osname=linux, osvers=3.2.0-4-amd64, archname=i486-linux-gnu-thread-multi-64int
    uname='linux madeleine 3.2.0-4-amd64 #1 smp debian 3.2.32-1 i686 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.14 -Darchlib=/usr/lib/perl/5.14 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.14.3 -Dsitearch=/usr/local/lib/perl/5.14.3 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -DDEBUGGING=-g -Doptimize=-O2 -Uuseshrplib -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.7.2', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -Wl,-z,relro -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib/i386-linux-gnu /lib/../lib /usr/lib/i386-linux-gnu /usr/lib/../lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.13'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -Wl,-z,relro -L/usr/local/lib -fstack-protector'


Characteristics of this binary (from libperl): 
  Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV
                        PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP
                        PERL_PRESERVE_IVUV USE_64_BIT_INT USE_ITHREADS
                        USE_LARGE_FILES USE_PERLIO USE_PERL_ATOF
                        USE_REENTRANT_API
  Locally applied patches:
    uncommitted-changes
  Built under linux
  Compiled at Jan 11 2013 08:10:08
  @INC:
    lib
    /usr/local/lib/perl/5.14.3
    /usr/local/share/perl/5.14.3
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.14
    /usr/share/perl/5.14
    .




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#689314; Package perl. (Thu, 17 Jan 2013 00:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 17 Jan 2013 00:42:03 GMT) (full text, mbox, link).


Message #83 received at 689314@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 689314@bugs.debian.org
Cc: Alexander Kudrevatykh <kudrevatykh@gmail.com>
Subject: Re: Bug#689314: perl: segfaults when echoing a very long string [CVE-2012-5195]
Date: Thu, 17 Jan 2013 00:40:27 +0000

Control: notfound -1 5.14.2-16

On Fri, Jan 11, 2013 at 10:24:58AM +0200, Niko Tyni wrote:
> On Sat, Jan 05, 2013 at 04:44:48PM +0000, Dominic Hargreaves wrote:
> 
> > Strangely, when I try and reproduce with a vanilla 5.14.3 build, I
> > get:
> > 
> > $ ./perl -e 'print "x"x(2**31)'
> > $ echo $?
> > 0
> > 
> > which seems wrong in a different way...
> 
> FWIW, I can reproduce it with an unpatched 5.14.3 on current sid i386
> (a personality=linux32 chroot on an amd64 kernel to be precise).  
> 
> I copied config.over from the Debian package and then called its
> 'config.debian --static'.  I haven't bisected which Configure options
> actually count.
> 
> My guess is it's just going out of memory but doesn't handle it too
> gracefully.

Upstream (the perl5 security team) has investigated and thinks it's
not a security bug. I'm therefore adjusting the version info on this
bug and opening a new one (#698320).

Thanks both for the report and investigation!

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



No longer marked as found in versions perl/5.14.2-16. Request was from Dominic Hargreaves <dom@earth.li> to 689314-submit@bugs.debian.org. (Thu, 17 Jan 2013 00:42:04 GMT) (full text, mbox, link).


Marked as fixed in versions perl/5.16.2-2. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 17 Jan 2013 00:42:10 GMT) (full text, mbox, link).


Marked as fixed in versions perl/5.16.0-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 17 Jan 2013 00:42:12 GMT) (full text, mbox, link).


No longer marked as found in versions perl/5.16.1-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 17 Jan 2013 00:45:06 GMT) (full text, mbox, link).


No longer marked as found in versions perl/5.16.2-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Thu, 17 Jan 2013 00:45:08 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Mar 2013 07:26:57 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:31:24 2019; Machine Name: buxtehude
