Report information
Id: 132609
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: sraums2498 [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



From: SRAUMS JN <sraums2498 [...] gmail.com>
Subject: PERL-5.26.1 stack_overflow
To: perl5-security-report [...] perl.org
Date: Tue, 19 Dec 2017 16:29:58 +0530

Message body is not shown because it is too large.

Attachment 254 (application/octet-stream, 6.1k): message body not shown because it is not plain text.

RT-Send-CC: perl5-security-report [...] perl.org
This reduces to:

    ./miniperl -e 'pack "[" x 20000'

.. which explodes the stack because we check for close parens recursively in pack.c:S_group_end():

    else if (c == '[') patptr = group_end(patptr, patend, ']') + 1;

The same happens for "(", for the same reason.

I don't think we class such things as vulnerabilities, can anyone confirm or deny? I'm also not sure what would be involved in avoiding this, or if there's value in doing so.

Hugo
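Added example, written by the editor and not part of the report or of Perl's pack.c: group_end_rec() models the recursive close-bracket search in the shape Hugo quotes, so every nested "[" or "(" costs one C stack frame and "[" x 20000 recurses 20000 deep before it learns that nothing closes the group; group_end_iter() does the same job with an explicit heap stack bounded by the pattern length. MAX_DEPTH is a cap this example adds so the recursive version fails cleanly instead of crashing; pack.c has no such cap. All function and macro names here are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (editor's code, not Perl's pack.c).  group_end_rec() models
 * the recursive close-bracket search quoted above; group_end_iter() does the
 * same job with an explicit heap stack.  MAX_DEPTH is this example's own cap;
 * pack.c has no such limit, which is why "[" x 20000 busts the C stack.
 */
#define MAX_DEPTH 1000

/* pat points just past an opening bracket.  Return the index of the
 * matching `close`, -1 if nothing closes it, -2 if the depth cap is hit.
 * Each nested '[' or '(' costs one C stack frame: with no cap, an input
 * of N unclosed brackets recurses N deep before reporting failure. */
long group_end_rec(const char *pat, size_t len, char close, int depth)
{
    if (depth > MAX_DEPTH)
        return -2;
    for (size_t i = 0; i < len; ) {
        char c = pat[i];
        if (c == close)
            return (long)i;
        if (c == '[' || c == '(') {
            long inner = group_end_rec(pat + i + 1, len - i - 1,
                                       c == '[' ? ']' : ')', depth + 1);
            if (inner < 0)
                return inner;          /* propagate unmatched / too deep */
            i += (size_t)inner + 2;    /* step past the inner group's close */
        } else {
            i++;
        }
    }
    return -1;
}

/* Same contract, no recursion: the expected closers live in a heap
 * buffer no larger than the pattern, so nesting depth is bounded by
 * input length, not by the thread's stack. */
long group_end_iter(const char *pat, size_t len, char close)
{
    char *want = malloc(len + 1);      /* at most len pushes + the outer close */
    if (!want)
        return -1;
    size_t sp = 0;
    want[sp++] = close;
    long result = -1;
    for (size_t i = 0; i < len; i++) {
        char c = pat[i];
        if (c == want[sp - 1]) {
            if (--sp == 0) {
                result = (long)i;
                break;
            }
        } else if (c == '[' || c == '(') {
            want[sp++] = (c == '[') ? ']' : ')';
        } else if (c == ']' || c == ')') {
            break;                     /* wrong closer: unbalanced */
        }
    }
    free(want);
    return result;
}

/* The reporter's input, "[" x n with nothing closing it (constructed here). */
static char *unclosed_pattern(size_t n)
{
    char *p = malloc(n ? n : 1);
    if (p)
        memset(p, '[', n);
    return p;
}

long unclosed_rec(size_t n)
{
    char *p = unclosed_pattern(n);
    if (!p)
        return -1;
    long r = group_end_rec(p, n, ']', 0);
    free(p);
    return r;
}

long unclosed_iter(size_t n)
{
    char *p = unclosed_pattern(n);
    if (!p)
        return -1;
    long r = group_end_iter(p, n, ']');
    free(p);
    return r;
}

int main(void)
{
    printf("recursive, 20000 unclosed: %ld (depth cap hit)\n", unclosed_rec(20000));
    printf("iterative, 20000 unclosed: %ld (unmatched, flat stack)\n", unclosed_iter(20000));
    printf("iterative, \"a[b]c]\": %ld\n", group_end_iter("a[b]c]", 6, ']'));
    return 0;
}
```

Both scanners agree on well-formed and on unbalanced input; the difference is only in what resource an attacker-controlled nesting depth consumes. With the cap removed, the recursive version on 20000 unclosed brackets is the crash Hugo describes; the iterative version walks the same input once and returns -1 without growing the C stack.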
From: Zefram <zefram [...] fysh.org>
Date: Thu, 11 Jan 2018 02:01:02 +0000
Subject: Re: [perl #132609] PERL-5.26.1 stack_overflow
To: perl5-security-report [...] perl.org
Hugo van der Sanden via RT wrote:
>I don't think we class such things as vulnerabilities, can anyone
>confirm or deny?
Confirmed, we don't consider busting the C stack to be a security failure. -zefram
RT-Send-CC: perl5-porters [...] perl.org
On Wed, 10 Jan 2018 18:01:19 -0800, zefram@fysh.org wrote:
> Hugo van der Sanden via RT wrote:
> >I don't think we class such things as vulnerabilities, can anyone
> >confirm or deny?
>
> Confirmed, we don't consider busting the C stack to be a security failure.
Moved to the public queue. Tony
Date: Tue, 27 Mar 2018 12:33:35 +0530
To: perlbug-followup [...] perl.org
Subject: Re: [perl #132609] PERL-5.26.1 stack_overflow
From: SRAUMS JN <sraums2498 [...] gmail.com>
Maybe you are correct.
But all I can see here is: by not closing a bracket in a statement, if I am able to corrupt the stack, I think it is the easiest way to exploit the target, which in our case here is perl.
So referring to the CVSS here:
ease of exploit: High (as we just need to leave a bracket open)
attack complexity: almost nothing
As here, perl is failing to sanitize this condition where a bracket is not closed, which is then further leading to stack corruption.
So I believe this is a security issue.



On Wed, Jan 24, 2018 at 4:09 AM, Tony Cook via RT <perlbug-followup@perl.org> wrote:
On Wed, 10 Jan 2018 18:01:19 -0800, zefram@fysh.org wrote:
> Hugo van der Sanden via RT wrote:
> >I don't think we class such things as vulnerabilities, can anyone
> >confirm or deny?
>
> Confirmed, we don't consider busting the C stack to be a security failure.

Moved to the public queue.

Tony



--
Regards,
SRAUMS

