perl: regexp security issues: CVE-2020-10543, CVE-2020-10878, CVE-2020-12723


Debian Bug report logs - #962005
perl: regexp security issues: CVE-2020-10543, CVE-2020-10878, CVE-2020-12723


Package: src:perl; Maintainer for src:perl is Niko Tyni <ntyni@debian.org>;

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Mon, 1 Jun 2020 21:15:02 UTC

Severity: important

Tags: security

Found in version perl/5.30.2-1

Fixed in version perl/5.30.3-1

Done: Dominic Hargreaves <dom@earth.li>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#962005; Package src:perl. (Mon, 01 Jun 2020 21:15:04 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Niko Tyni <ntyni@debian.org>. (Mon, 01 Jun 2020 21:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: submit@bugs.debian.org
Subject: perl: regexp security issues: CVE-2020-10543, CVE-2020-10878, CVE-2020-12723
Date: Mon, 1 Jun 2020 22:10:28 +0100
Source: perl
Version: 5.30.2-1
Severity: important
Tags: security pending
X-Debbugs-Cc: team@security.debian.org

These three issues have all been judged to be no-dsa. An unstable
release will be forthcoming and we hope to provide fixes for stable and
oldstable via point releases.

The following text comes from
<https://metacpan.org/release/XSAWYERX/perl-5.30.3>.

[CVE-2020-10543] Buffer overflow caused by a crafted regular expression

A signed size_t integer overflow in the storage space calculations for
nested regular expression quantifiers could cause a heap buffer overflow in
Perl's regular expression compiler that overwrites memory allocated after
the regular expression storage space with attacker supplied data.

The target system needs a sufficient amount of memory to allocate partial
expansions of the nested quantifiers prior to the overflow occurring. This
requirement is unlikely to be met on 64-bit systems.

Discovered by: ManhND of The Tarantula Team, VinCSS (a member of Vingroup).

[CVE-2020-10878] Integer overflow via malformed bytecode produced by a
crafted regular expression

Integer overflows in the calculation of offsets between instructions for the
regular expression engine could cause corruption of the intermediate
language state of a compiled regular expression. An attacker could abuse
this behaviour to insert instructions into the compiled form of a Perl
regular expression.

Discovered by: Hugo van der Sanden and Slaven Rezic.

[CVE-2020-12723] Buffer overflow caused by a crafted regular expression

Recursive calls to S_study_chunk() by Perl's regular expression compiler to
optimize the intermediate language representation of a regular expression
could cause corruption of the intermediate language state of a compiled
regular expression.

Discovered by: Sergey Aleynikov.

Additional Note

An application written in Perl would only be vulnerable to any of the above
flaws if it evaluates regular expressions supplied by the attacker.
Evaluating regular expressions in this fashion is known to be dangerous
since the regular expression engine does not protect against denial of
service attacks in this usage scenario.
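
The Additional Note above ties exposure to compiling attacker-supplied regular expressions. As an added example (not part of the bug report or of Perl's own code), the following Perl contrasts interpolating untrusted input as a pattern with matching it only as a literal string; the function names and sample lines are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data for this example.
my @log_lines = (
    'GET /index.html 200',
    'GET /a.b/c 404',
    'GET /aXb/c 200',
);

# Risky: the caller's string is compiled as a regular expression, so any
# metacharacters or quantifiers in it reach the regex compiler.
sub grep_as_pattern {
    my ($untrusted, @lines) = @_;
    return grep { /$untrusted/ } @lines;
}

# Hardened: \Q...\E (quotemeta) backslash-escapes the non-word characters
# in the input, so it is only ever matched as a literal string.
sub grep_as_literal {
    my ($untrusted, @lines) = @_;
    return grep { /\Q$untrusted\E/ } @lines;
}

# Alternative that compiles no regular expression from the input at all.
sub grep_with_index {
    my ($untrusted, @lines) = @_;
    return grep { index($_, $untrusted) >= 0 } @lines;
}

# Constructed input: "." is a regex metacharacter, so the pattern form
# matches more lines than the literal forms do.
my $input = 'a.b';

for my $case (
    [ 'as pattern', \&grep_as_pattern ],
    [ 'as literal', \&grep_as_literal ],
    [ 'with index', \&grep_with_index ],
) {
    my ($label, $fn) = @$case;
    my @hits = $fn->($input, @log_lines);
    printf "%-10s matched %d line(s): %s\n",
        $label, scalar @hits, join(' | ', @hits);
}
```

Only the first function hands the input to the regex compiler as syntax; the other two keep untrusted data out of the code path the three CVEs describe.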




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Mon, 01 Jun 2020 23:51:10 GMT)


Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Mon, 01 Jun 2020 23:51:10 GMT)


Message #10 received at 962005-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 962005-close@bugs.debian.org
Subject: Bug#962005: fixed in perl 5.30.3-1
Date: Mon, 01 Jun 2020 23:49:31 +0000
Source: perl
Source-Version: 5.30.3-1
Done: Dominic Hargreaves <dom@earth.li>

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 962005@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 01 Jun 2020 22:23:43 +0100
Source: perl
Architecture: source
Version: 5.30.3-1
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 958721 962005
Changes:
 perl (5.30.3-1) unstable; urgency=medium
 .
   [ Dominic Hargreaves ]
   * Update perlbug to no longer email deprecated bug address
     (Closes: #958721)
 .
   [ Niko Tyni ]
   * Update the build system to debhelper compatibility level 13.
 .
   [ Dominic Hargreaves ]
   * Update to new upstream version (Closes: #962005)
     + [SECURITY] CVE-2020-10543: Buffer overflow caused by a crafted
       regular expression
     + [SECURITY] CVE-2020-10878: Integer overflow via malformed bytecode
       produced by a crafted regular expression
     + [SECURITY] CVE-2020-12723: Buffer overflow caused by a crafted
       regular expression






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jun 2 13:39:22 2020; Machine Name: buxtehude
