Debian Bug report logs - #628817
perl NULL pointer dereference

Reported by: "Thijs Kinkhorst" <thijs@debian.org>
Date: Wed, 1 Jun 2011 15:57:02 UTC
Severity: important
Tags: security
Found in versions: perl/5.10.0-19lenny3, perl/5.10.1-17
Fixed in versions: perl/5.12.0-1, perl/5.12.3-7
Done: Dominic Hargreaves <dom@earth.li>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>: Bug#628817; Package perl. (Wed, 01 Jun 2011 15:57:04 GMT)
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: New Bug report received and forwarded. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 01 Jun 2011 15:57:04 GMT)

Message #5 received at submit@bugs.debian.org:
Package: perl
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for perl.
CVE-2011-0761[0]:
| Perl 5.10.x allows context-dependent attackers to cause a denial of
| service (NULL pointer dereference and application crash) by leveraging
| an ability to inject arguments into a (1) getpeername, (2) readdir,
| (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
| function call.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0761
http://security-tracker.debian.org/tracker/CVE-2011-0761
Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>: Bug#628817; Package perl. (Wed, 01 Jun 2011 19:15:07 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 01 Jun 2011 19:15:07 GMT)

Message #10 received at 628817@bugs.debian.org:
On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
>
> CVE-2011-0761[0]:
> | Perl 5.10.x allows context-dependent attackers to cause a denial of
> | service (NULL pointer dereference and application crash) by leveraging
> | an ability to inject arguments into a (1) getpeername, (2) readdir,
> | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> | function call.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0761
> http://security-tracker.debian.org/tracker/CVE-2011-0761
As some pointed out upstream[0], this is only an issue if an application
passes unvalidated input directly into those functions. Do we think
this makes this issue not worth fixing in stable/oldstable?
Dominic.
[0] <http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-06/msg00027.html>
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#628817; Package perl. (Thu, 02 Jun 2011 11:42:03 GMT)
Acknowledgement sent to Niko Tyni <ntyni@debian.org>: Extra info received and forwarded to list. (Thu, 02 Jun 2011 11:42:14 GMT)

Message #15 received at 628817@bugs.debian.org:
On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> Package: perl
> Severity: serious
> Tags: security
> CVE-2011-0761[0]:
> | Perl 5.10.x allows context-dependent attackers to cause a denial of
> | service (NULL pointer dereference and application crash) by leveraging
> | an ability to inject arguments into a (1) getpeername, (2) readdir,
> | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> | function call.
Some observations:
- the crash can be reproduced with just
perl -e 'getsockname(1,1)'
- the functions (at least getsockname) don't seem to check their argument
count, they only use the last one. This is still the case in 5.12.
I haven't found any indication of the Perl stack corrupting on 5.12
though so this seems harmless.
- the crash is at gv.c:89 (as of 5.10.1):
if (!gv || SvTYPE((const SV *)gv) != SVt_PVGV) {
- compiler optimization of gv.c affects the behaviour:
+ a regular perl built with -O0 gives the intended
Bad symbol for filehandle at -e line 1
+ a debugging version (-DDEBUGGING) with -O0 gives an expected
assertion failure:
Assertion gv failed: file "gv.c", line 87 at -e line 1.
+ -DDEBUGGING at -O2 (i.e. what's in the perl-debug package)
crashes the same way as the regular perl so the assertion check
is bypassed.
I don't quite understand yet what happens in the optimized version of
Perl_gv_IOadd(); the gv is NULL so the !gv check above should prevent
referencing it AIUI.
--
Niko Tyni ntyni@debian.org
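The thread's position (message #10 and the upstream reply) is that the crash only matters when an application hands unvalidated input to getsockname and friends. As an added example, not code from the bug report or from perl itself, the hypothetical wrapper safe_getsockname() below rejects anything that is not an open filehandle before the builtin is reached, so the reproducer value 1 becomes an ordinary Perl exception rather than a crash:

```perl
#!/usr/bin/perl
# Added example (not from the bug report): validate a caller-supplied value
# before it reaches getsockname(), so the builtin only ever sees a real open
# handle. safe_getsockname() is a hypothetical wrapper written for this page.
use strict;
use warnings;
use Scalar::Util qw(openhandle);
use Socket qw(PF_INET SOCK_STREAM INADDR_LOOPBACK pack_sockaddr_in
              unpack_sockaddr_in inet_ntoa);

sub safe_getsockname {
    my ($sock) = @_;
    # openhandle() returns the handle only for an open filehandle or IO
    # object; plain numbers and strings (such as the 1 in the reproducer)
    # yield undef, so they are stopped here with a clear error.
    my $fh = openhandle($sock)
        or die "safe_getsockname: argument is not an open filehandle\n";
    my $packed = getsockname($fh);
    defined $packed
        or die "safe_getsockname: getsockname failed: $!\n";
    return $packed;
}

# Happy path: a real socket bound to the loopback address (port chosen by
# the kernel), so the example runs offline.
socket(my $sock, PF_INET, SOCK_STREAM, 0) or die "socket: $!";
bind($sock, pack_sockaddr_in(0, INADDR_LOOPBACK)) or die "bind: $!";

my ($port, $addr) = unpack_sockaddr_in(safe_getsockname($sock));
printf "bound socket: %s:%d\n", inet_ntoa($addr), $port;

# Values like those in the reproducer are refused before the builtin runs.
for my $bad (1, "1", "STDIN", undef) {
    my $label = defined $bad ? "'$bad'" : 'undef';
    eval { safe_getsockname($bad); 1 }
        and die "expected rejection of $label";
    print "rejected $label: $@";
}
close $sock;
```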
Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>: Bug#628817; Package perl. (Mon, 13 Jun 2011 17:51:06 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 13 Jun 2011 17:51:06 GMT)

Message #20 received at 628817@bugs.debian.org:
On Thu, Jun 02, 2011 at 02:39:35PM +0300, Niko Tyni wrote:
> On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> > Package: perl
> > Severity: serious
> > Tags: security
>
> > CVE-2011-0761[0]:
> > | Perl 5.10.x allows context-dependent attackers to cause a denial of
> > | service (NULL pointer dereference and application crash) by leveraging
> > | an ability to inject arguments into a (1) getpeername, (2) readdir,
> > | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> > | function call.
>
> Some observations:
>
> - the crash can be reproduced with just
> perl -e 'getsockname(1,1)'
>
> - the functions (at least getsockname) don't seem to check their argument
> count, they only use the last one. This is still the case in 5.12.
> I haven't found any indication of the Perl stack corrupting on 5.12
> though so this seems harmless.
>
> - the crash is at gv.c:89 (as of 5.10.1):
> if (!gv || SvTYPE((const SV *)gv) != SVt_PVGV) {
>
> - compiler optimization of gv.c affects the behaviour:
> + a regular perl built with -O0 gives the intended
> Bad symbol for filehandle at -e line 1
>
> + a debugging version (-DDEBUGGING) with -O0 gives an expected
> assertion failure:
> Assertion gv failed: file "gv.c", line 87 at -e line 1.
>
> + -DDEBUGGING at -O2 (i.e. what's in the perl-debug package)
> crashes the same way as the regular perl so the assertion check
> is bypassed.
>
> I don't quite understand yet what happens in the optimized version of
> Perl_gv_IOadd(); the gv is NULL so the !gv check above should prevent
> referencing it AIUI.
Niko,
In your opinion, based on the above and the (only) upstream response
on
<http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-06/msg00027.html>
do you think that this bug should be downgraded from serious, since
apps should not (according to upstream, and I'm inclined to agree) be
passing unsanitised untrusted input into those functions?
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#628817; Package perl. (Mon, 13 Jun 2011 18:12:03 GMT)
Acknowledgement sent to Niko Tyni <ntyni@debian.org>: Extra info received and forwarded to list. (Mon, 13 Jun 2011 18:12:03 GMT)

Message #25 received at 628817@bugs.debian.org:
severity 628817 important
thanks
Security team: please let us know if you disagree. See below.
On Mon, Jun 13, 2011 at 06:48:46PM +0100, Dominic Hargreaves wrote:
> On Thu, Jun 02, 2011 at 02:39:35PM +0300, Niko Tyni wrote:
> > On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> > > Package: perl
> > > Severity: serious
> > > Tags: security
> >
> > > CVE-2011-0761[0]:
> > > | Perl 5.10.x allows context-dependent attackers to cause a denial of
> > > | service (NULL pointer dereference and application crash) by leveraging
> > > | an ability to inject arguments into a (1) getpeername, (2) readdir,
> > > | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> > > | function call.
> >
> > Some observations:
> >
> > - the crash can be reproduced with just
> > perl -e 'getsockname(1,1)'
> >
> > - the functions (at least getsockname) don't seem to check their argument
> > count, they only use the last one. This is still the case in 5.12.
> > I haven't found any indication of the Perl stack corrupting on 5.12
> > though so this seems harmless.
> >
> > - the crash is at gv.c:89 (as of 5.10.1):
> > if (!gv || SvTYPE((const SV *)gv) != SVt_PVGV) {
> >
> > - compiler optimization of gv.c affects the behaviour:
> > + a regular perl built with -O0 gives the intended
> > Bad symbol for filehandle at -e line 1
> >
> > + a debugging version (-DDEBUGGING) with -O0 gives an expected
> > assertion failure:
> > Assertion gv failed: file "gv.c", line 87 at -e line 1.
> >
> > + -DDEBUGGING at -O2 (i.e. what's in the perl-debug package)
> > crashes the same way as the regular perl so the assertion check
> > is bypassed.
> >
> > I don't quite understand yet what happens in the optimized version of
> > Perl_gv_IOadd(); the gv is NULL so the !gv check above should prevent
> > referencing it AIUI.
>
> Niko,
>
> In your opinion, based on the above and the (only) upstream response
> on
> <http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-06/msg00027.html>
> do you think that this bug should be downgraded from serious, since
> apps should not (according to upstream, and I'm inclined to agree) be
> passing unsanitised untrusted input into those functions?
I haven't had the time to look at this any further, but I agree that
the severity should be downgraded. Doing that but Cc'ing the
security team (with extensive quoting) in case they think otherwise.
--
Niko Tyni ntyni@debian.org
Severity set to 'important' from 'serious'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Mon, 13 Jun 2011 18:12:05 GMT)
Bug marked as fixed in versions perl/5.12.3-7. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 14 Jun 2011 21:42:05 GMT)
Bug marked as found in versions perl/5.10.1-17. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 15 Jun 2011 18:09:03 GMT)
Bug marked as found in versions perl/5.10.0-19lenny3. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 15 Jun 2011 18:09:05 GMT)
Bug marked as fixed in versions perl/5.12.0-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 15 Jun 2011 18:45:03 GMT)
Reply sent to Dominic Hargreaves <dom@earth.li>: You have taken responsibility. (Wed, 04 Jan 2012 21:27:12 GMT)
Notification sent to "Thijs Kinkhorst" <thijs@debian.org>: Bug acknowledged by developer. (Wed, 04 Jan 2012 21:27:12 GMT)

Message #40 received at 628817-done@bugs.debian.org:
As I said in another mail:
> Upstream thinks this isn't classed as a security vulnerability[1], and
> I've not been able to find any evidence of anyone else having fixed this
> either. As such (and as I noted in the above bug report) I don't think
> it's worth fixing (if it is, I'm not the right person to attempt it).
> [1] <http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-06/msg00027.html>
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Feb 2012 07:33:10 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:07:02 2019; Machine Name: buxtehude