New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
heap-buffer-overflow write in Perl_parse_uniprop_string #16549
Comments
From @EtsukataHello all, I'm Eiichi Tsukata. Here is a security vulnerability report about a regexp # Brief There is a potential heap-buffer-overflow write - Version: 38c84d6(perl-5.28.0) # PoC - with AddressSanitizer ``` [eiichi@x1 perl]$ ./miniperl -le 'my $a = "\\p{numericvalue=/}"; qr/$a/' ================================================================= 0x6020000014be is located 0 bytes to the right of 14-byte region SUMMARY: AddressSanitizer: heap-buffer-overflow - without AddressSanitizer / Segmentation Fault ``` [eiichi@x1 perl5]$ PERL5LIB=./lib ./miniperl -V Summary of my perl5 (revision 5 version 28 subversion 0) configuration: Characteristics of this binary (from libperl): # Exploitability - allows remote attackers to cause a denial of service (out-of-bounds # Additional Note - 'nv' unicode property can also cause heap-buffer-overflow write:
|
From @khwilliamsonOn 05/05/2018 10:44 PM, Eiichi Tsukata (via RT) wrote:
The attached patch fixes this.
|
From @khwilliamson0001-PATCH-perl-133179-heap-buffer-overflow-write.patchFrom d1f889a81736e137c73a14bb7641299a76f6eef6 Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Sun, 6 May 2018 02:27:01 -0600
Subject: [PATCH] PATCH: [perl # 133179] heap-buffer-overflow write
The code did not consider the case of a trailing slash with no
denominator following it. Simply add a check.
---
utf8.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utf8.c b/utf8.c
index ceb4723113..ec67b08d50 100644
--- a/utf8.c
+++ b/utf8.c
@@ -6118,8 +6118,8 @@ Perl_parse_uniprop_string(pTHX_ const char * const name, const Size_t len, const
lookup_name[j++] = cur;
- /* Unless this is a slash, we are done with it */
- if (cur != '/') {
+ /* Unless this is a non-trailing slash, we are done with it */
+ if (i >= len - 1 || cur != '/') {
continue;
}
--
2.11.0
|
The RT System itself - Status changed from 'new' to 'open' |
From @Etsukata
Thanks for your speedy handling. 2018-05-06 17:31 GMT+09:00 karl williamson via RT <
|
From @khwilliamsonOn 05/06/2018 02:48 AM, Eiichi Tsukata wrote:
And thank you very much for finding and reporting the bugs you are finding.
This is not a security bug if we fix it in 5.28, because there is no I propose to merge the patch now and move the ticket to the public |
From @Etsukata
I'm happy to hear that it has been fixed prior to 5.28 release.
At https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133185
Means that it does *NOT* become a security issue? 2018-05-10 8:50 GMT+09:00 karl williamson via RT <
|
From @Etsukata
According to the following criteria, it seems that it does become a 2018-05-10 21:40 GMT+09:00 Dave Mitchell <davem@iabyn.com>:
2018-05-10 10:56 GMT+09:00 Eiichi Tsukata <devel@etsukata.com>:
|
From @khwilliamsonOn 05/09/2018 07:56 PM, Eiichi Tsukata wrote:
This would normally be a security issue. But it isn't here because this We are about to ship 5.28, and I have to get permission for any change
|
From @iabynOn Thu, May 10, 2018 at 09:21:24AM -0600, Karl Williamson wrote:
+1 from me. -- |
From @khwilliamsonThanks for finding and reporting this Fixed by commit da3e33c |
@khwilliamson - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#133179 (status was 'resolved')
Searchable as RT133179$
The text was updated successfully, but these errors were encountered: