Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

perl: Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU (CVE-2015-8853)

Related Vulnerabilities: CVE-2015-8853  

Source

Debian Bug report logs - #821848
perl: Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU (CVE-2015-8853)

version graph

Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl (PTS, buildd, popcon).

Reported by: Alexandros Kosiaris <akosiaris@gmail.com>

Date: Tue, 19 Apr 2016 20:51:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions perl/5.14.2-21, perl/5.20.2-3+deb8u4, perl/5.20.2-3

Fixed in versions perl/5.22.1~rc3-1, perl/5.20.2-3+deb8u5

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Forwarded to https://rt.perl.org/Public/Bug/Display.html?id=123562

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#821848; Package perl. (Tue, 19 Apr 2016 20:51:05 GMT) (full text, mbox, link).

Acknowledgement sent to Alexandros Kosiaris <akosiaris@gmail.com>:
New Bug report received and forwarded. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 19 Apr 2016 20:51:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alexandros Kosiaris <akosiaris@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: perl: Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU
Date: Tue, 19 Apr 2016 23:49:02 +0300
[Message part 1 (text/plain, inline)]
Package: perl
Version: 5.20.2-3+deb8u4
Severity: normal
Tags: upstream patch

Dear Maintainer,

There is a bug in Perl 5.8.9 (at least) that causes regular
expressions an malformed UTF8 inputs to go into a forever loop and
consume 100% CPU. Upstream's tracker url is
https://rt.perl.org/Public/Bug/Display.html?id=123562. Patch is at
http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5
and attached is a version rebased for Debian Jessie. I have not
confirmed it, but based on the versions numbers I believe Stretch and Sid are also affected.

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages perl depends on:
ii  dpkg          1.17.26
ii  libbz2-1.0    1.0.6-7+b3
ii  libc6         2.19-18+deb8u4
ii  libdb5.3      5.3.28-9
ii  libgdbm3      1.8.3-13.1
ii  perl-base     5.20.2-3+deb8u4
ii  perl-modules  5.20.2-3+deb8u4
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages perl recommends:
ii  netbase  5.3
pn  rename   <none>

Versions of packages perl suggests:
pn  libterm-readline-gnu-perl | libterm-readline-perl-perl  <none>
ii  make                                                    4.0-8.1
ii  perl-doc                                                5.20.2-3+deb8u4

-- no debconf information

[123562.diff (text/x-diff, attachment)]

Set Bug forwarded-to-address to 'https://rt.perl.org/Public/Bug/Display.html?id=123562'. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 19 Apr 2016 21:51:14 GMT) (full text, mbox, link).

Added tag(s) fixed-upstream. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 19 Apr 2016 21:51:15 GMT) (full text, mbox, link).

Marked as fixed in versions perl/5.22.1~rc3-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 19 Apr 2016 22:00:19 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#821848; Package perl. (Tue, 19 Apr 2016 22:09:08 GMT) (full text, mbox, link).

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 19 Apr 2016 22:09:08 GMT) (full text, mbox, link).

Message #16 received at 821848@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Alexandros Kosiaris <akosiaris@gmail.com>, 821848@bugs.debian.org
Subject: Re: Bug#821848: perl: Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU
Date: Tue, 19 Apr 2016 23:04:15 +0100
On Tue, Apr 19, 2016 at 11:49:02PM +0300, Alexandros Kosiaris wrote:
> Package: perl
> Version: 5.20.2-3+deb8u4
> Severity: normal
> Tags: upstream patch
> 
> Dear Maintainer,
> 
> There is a bug in Perl 5.8.9 (at least) that causes regular
> expressions an malformed UTF8 inputs to go into a forever loop and
> consume 100% CPU. Upstream's tracker url is
> https://rt.perl.org/Public/Bug/Display.html?id=123562. Patch is at
> http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5
> and attached is a version rebased for Debian Jessie. I have not
> confirmed it, but based on the versions numbers I believe Stretch and Sid are also affected.

Thanks for the report. This was fixed in perl 5.22.1, which is now
in sid and stretch.

We might be able to fix this in stable; we'll see how that goes.

Cheers,
Dominic.

Marked as found in versions perl/5.20.2-3. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2016 06:03:06 GMT) (full text, mbox, link).

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2016 09:09:17 GMT) (full text, mbox, link).

Changed Bug title to 'perl: Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU (CVE-2015-8853)' from 'perl: Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2016 14:45:08 GMT) (full text, mbox, link).

Marked as found in versions perl/5.14.2-21. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2016 14:45:11 GMT) (full text, mbox, link).

Severity set to 'important' from 'normal' Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 23 Apr 2016 15:12:14 GMT) (full text, mbox, link).

Added tag(s) pending. Request was from Dominic Hargreaves <dom@larted.org.uk> to control@bugs.debian.org. (Sun, 24 Apr 2016 17:06:09 GMT) (full text, mbox, link).

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Wed, 25 May 2016 21:49:25 GMT) (full text, mbox, link).

Notification sent to Alexandros Kosiaris <akosiaris@gmail.com>:
Bug acknowledged by developer. (Wed, 25 May 2016 21:49:25 GMT) (full text, mbox, link).

Message #33 received at 821848-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: 821848-close@bugs.debian.org
Subject: Bug#821848: fixed in perl 5.20.2-3+deb8u5
Date: Wed, 25 May 2016 21:47:37 +0000
Source: perl
Source-Version: 5.20.2-3+deb8u5

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 821848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 May 2016 23:42:11 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u5
Distribution: jessie
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 816280 820328 821848 822336
Description: 
 libperl5.20 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes:
 perl (5.20.2-3+deb8u5) jessie; urgency=medium
 .
   * Apply patch from Niko Tyni fixing debugperl crashes with XS
     modules (Closes: #816280)
   * [SECURITY] CVE-2015-8853 fix regexp engine hang on illegal UTF8
     input (Closes: #821848)
   * Fix UTF8-related regexp engine crash (Closes: #820328)
   * Apply selected bug-fix patches taken from 5.20.3 (Closes: #822336)
     - /usr/share/doc/perl/perldebdelta.pod describes the changes in
       more detail
Checksums-Sha1: 
 9d50d05e55e45b5d5f7afb818f103303eb5a47be 2324 perl_5.20.2-3+deb8u5.dsc
 95c3897926c6d37496e4f077de6fa50a97743d2a 136136 perl_5.20.2-3+deb8u5.debian.tar.xz
 23f211abbe4fba24a21c7a9563c091938206d504 7345772 perl-doc_5.20.2-3+deb8u5_all.deb
 c2452ccf992c8e0c1bac96b271ed2ed9720cb3bd 2545644 perl-modules_5.20.2-3+deb8u5_all.deb
 cadad1f8472d61d38c056cc92e64cb773138ce57 1225242 perl-base_5.20.2-3+deb8u5_amd64.deb
 d76a52c5620bc163342e9b4638b5735a4f7f9bcc 4488112 perl-debug_5.20.2-3+deb8u5_amd64.deb
 4e58a16e69b02a18d9ea59bac6035503b522e9f1 1354 libperl5.20_5.20.2-3+deb8u5_amd64.deb
 1fedfe49f39638bc3de35c0783c4cfaabf5a036d 2153264 libperl-dev_5.20.2-3+deb8u5_amd64.deb
 d20adbbe8fcc7d22fd36d7eb868c1e8a84efc3e3 2654668 perl_5.20.2-3+deb8u5_amd64.deb
Checksums-Sha256: 
 b9d022b6e58d3d856bfb37afb3af0c840c561ba42483bfd31eae22edc6651f3a 2324 perl_5.20.2-3+deb8u5.dsc
 5185ab1a87cd71c751a822f366c5483ae286e2f371966b5cfed2d5cc05f0de9b 136136 perl_5.20.2-3+deb8u5.debian.tar.xz
 210e41fa8fd1dcfe9fb4c9fe4c7c754b17ebe2e9ecbbbc0d5afd6e74309fb164 7345772 perl-doc_5.20.2-3+deb8u5_all.deb
 e757a89f1e81eda9cf2a70972aa33f611c5fb26bffa892b63dd638f4e19e2529 2545644 perl-modules_5.20.2-3+deb8u5_all.deb
 a10626902eb8f32a6ca1c6995be8f1e041dbc2d29856ce4690f24a7e0a3401f7 1225242 perl-base_5.20.2-3+deb8u5_amd64.deb
 989bd11fbcfe2d331db6c192fd17637ecb6251b3e6eddd1b5f689bd4be4552c5 4488112 perl-debug_5.20.2-3+deb8u5_amd64.deb
 33db77bb341c9928da728dd99ba73a8d79f381caaa2d574593a4933fe6c56e83 1354 libperl5.20_5.20.2-3+deb8u5_amd64.deb
 a3213069b1f0fc0443d4e5e819f61d5577d1842ccda4f43ca279c0a607abb980 2153264 libperl-dev_5.20.2-3+deb8u5_amd64.deb
 b60d918cbdfe7a77e5ea8d39a2dc235205a595c2050843a196e0a6f1afccf8da 2654668 perl_5.20.2-3+deb8u5_amd64.deb
Files: 
 215405d22f5f1144623dd7281b7c96fe 2324 perl standard perl_5.20.2-3+deb8u5.dsc
 b2d6222f7b689a7e6c8b24d73525ef16 136136 perl standard perl_5.20.2-3+deb8u5.debian.tar.xz
 6dd9eacac34ca6820a5d510600beb1e5 7345772 doc optional perl-doc_5.20.2-3+deb8u5_all.deb
 c4658cbcdb6b649ae2799783a0760b2d 2545644 perl standard perl-modules_5.20.2-3+deb8u5_all.deb
 e9b8bf98060b532194bcdf62b2fdc503 1225242 perl required perl-base_5.20.2-3+deb8u5_amd64.deb
 991d5eb6651300991fa93d210d8419ec 4488112 debug extra perl-debug_5.20.2-3+deb8u5_amd64.deb
 d0c219d9d596655492d0a78b96fef792 1354 libs optional libperl5.20_5.20.2-3+deb8u5_amd64.deb
 13e31e002a9b0a66e890503b058f7472 2153264 libdevel optional libperl-dev_5.20.2-3+deb8u5_amd64.deb
 f5dcdd3ce3945d74e4b1312100d5d912 2654668 perl standard perl_5.20.2-3+deb8u5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXQ5VSAAoJEMAFfnFNaU+y6noQAJQFS1159uzi/aq1P4Nydoob
5xK7PClpXvZoXxbruOLdKZiWTlEzbKLGQF2RhI2HCgDbGE6BFBQoEZzg0ffid62q
tdA0+dZ3ncHhSh6X8+Oa7UmrZJVLBoeNQfYgPIk17ePH3YpxLdYl1Coen674lV7j
76Q51mXUflTCiYyaD5Xp436uY+5PR6kTLQZEv80pEi3HQcB89w0l2vXwDxJq8cyh
ZwCBhoWB/uXgvsOS0vjAfdzJOB4MytbEftn7/t9U2BhzDL2dpV5Le4/7Q9nnDX6z
U2jjVUflwG/utNKRMuPlsRKcGlIIqLnPZxnwCOX+dR1dxapyk91c/l6js72XKpBM
RFG03BLarIX1l2PPBduN9mLsenyVvwluvqkQ+odaHQ6buEPGS8slze0Xqoh4N5Rm
e35oaXn+WFNK2BmGXwJvirzJgATHu0lt6/93dSGGRqI/zahmQAUJCrZaaT/9SPB6
XB8+0Bu+cfushhYSAQ806eq7D0BNkVsYyJ6ibxbjxoCXpQD7hquM2xXKx+GbjjpZ
ygy+vOYqFPWsN4qG8MSUsFI4GF21xes/YLYBNsR7dyexqpGdLPuL6gKuK/IEUgOs
RfhccDZEcaQZf0TbYCQYQmKZZ+bbEhF/mgc5rMFztw4K7oOowRKeu8FlNztVq/Bq
TbzjwWVcHMYFpu5sAI0d
=QH8F
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Jul 2016 07:41:47 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:07:55 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started