[PATCH] Bug & fix: hang when using study + taint mode (perl 5.6.1, 5.8.x) #8835

Closed
p5pRT opened this issue Mar 15, 2007 · 14 comments


p5pRT commented Mar 15, 2007

Migrated from rt.perl.org#41831 (status was 'resolved')

Searchable as RT41831$


p5pRT commented Aug 23, 2005

From sad@eltex.net

Hello!
I'm attaching single script and a test data file. This script hangs on
regexp match, though I think it shouldn't.

It doesn't hang if it's run in untainted mode, or study is commented.
Here's my perl configuration:


Flags:
  category=
  severity=


Site configuration information for perl v5.8.7:

Configured by Debian Project at Sat Jul 9 12:13:16 EST 2005.

Summary of my perl5 (revision 5 version 8 subversion 7) configuration:
  Platform:
  osname=linux, osvers=2.4.27-ti1211, archname=i486-linux-gnu-thread-multi
  uname='linux kosh 2.4.27-ti1211 #1 sun sep 19 18:17:45 est 2004 i686
gnulinux '
  config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN
-Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr
-Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8
-Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5
-Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local
-Dsitelib=/usr/local/share/perl/5.8.7
-Dsitearch=/usr/local/lib/perl/5.8.7 -Dman1dir=/usr/share/man/man1
-Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1
-Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl
-Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm
-Duseshrplib -Dlibperl=libperl.so.5.8.7 -Dd_dosuid -des'
  hint=recommended, useposix=true, d_sigaction=define
  usethreads=define use5005threads=undef useithreads=define
usemultiplicity=define
  useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
  use64bitint=undef use64bitall=undef uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS
-DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN
-fno-strict-aliasing -pipe -I/usr/local/include'
  ccversion='', gccversion='4.0.1 20050701 (prerelease) (Debian
4.0.0-12)', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
  ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries:
  ld='cc', ldflags =' -L/usr/local/lib'
  libpth=/usr/local/lib /lib /usr/lib
  libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
  perllibs=-ldl -lm -lpthread -lc -lcrypt
  libc=/lib/libc-2.3.2.so, so=so, useshrplib=true,
libperl=libperl.so.5.8.7
  gnulibc_version='2.3.2'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:


@INC for perl v5.8.7:
  /etc/perl
  /usr/local/lib/perl/5.8.7
  /usr/local/share/perl/5.8.7
  /usr/lib/perl5
  /usr/share/perl5
  /usr/lib/perl/5.8
  /usr/share/perl/5.8
  /usr/local/lib/site_perl
  /usr/local/lib/perl/5.8.4
  /usr/local/share/perl/5.8.4
  /usr/local/lib/perl/5.8.3
  .


Environment for perl v5.8.7:
  HOME=/home/jmv
  LANG=ru_RU.UTF-8
  LANGUAGE (unset)
  LC_NUMERIC=C
  LC_TIME=C
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games:/home/jmv/bin
  PERL_BADLANG (unset)
  SHELL=/bin/bash

Complete configuration data for perl v5.8.7:



p5pRT commented Aug 23, 2005

From sad@eltex.net

bugtest.pl


p5pRT commented Aug 23, 2005

From sad@eltex.net

From: "Kills Body Bacteria" <ukzphdpra@royal.net>
To: vvvvvv@dd.dd

CERTIFIED BY BBC/ABC News


p5pRT commented Aug 23, 2005

From @ysth

On Tue, Aug 23, 2005 at 04:28:30AM -0700, Eugene Morozov wrote:

> I'm attaching single script and a test data file. This script hangs on
> regexp match, though I think it shouldn't.
>
> It doesn't hang if it's run in untainted mode, or study is commented.

Confirmed in bleadperl@25216. -Dr shows it looping on
"Found anchored substr "To:" at offset -1...":

$ perl5.9.3 -Dr -T bugtest.pl
Compiling REx "^To:\s\w+\@\w\n"
size 12 Got 100 bytes for offset annotations.
first at 2
rarest char @ at 0
rarest char : at 2
  1: MBOL(2)
  2: EXACT <To:>(4)
  4: SPACE(5)
  5: PLUS(7)
  6: ALNUM(0)
  7: EXACT <@>(9)
  9: ALNUM(10)
  10: EXACT <\n>(12)
  12: END(0)
anchored "To:" at 0 floating "@" at 5..2147483647 (checking anchored) anchored(MBOL) minlen 8
Offsets: [12]
  1[1] 2[3] 0[0] 5[2] 9[1] 7[2] 10[2] 0[0] 12[2] 14[1] 0[0] 16[0]
Omitting $` $& $' support.

EXECUTING...

Guessing start of match, REx "^To:\s\w+\@\w\n" against "From: "Kills Body Bacteria" <ukzphdpra@royal.net>
To: vvvvvv..."...
Found anchored substr "To:" at offset 50...
Found floating substr "@" at offset 60...
Starting position does not contradict /^/m...
Guessed: match at offset 50
Matching REx "^To:\s\w+\@\w\n" against "To: vvvvvv@dd.dd

CERTIFIED BY BBC/ABC News

"
  Setting an EVAL scope, savestack=7
  50 <net>

<To: vvv> | 1: MBOL
  50 <net>
<To: vvv> | 2: EXACT <To:>
  53 <>
To:> < vvvvvv> | 4: SPACE
  54 <
To: > <vvvvvv@> | 5: PLUS
  ALNUM can match 6 times out of 2147483647...
  Setting an EVAL scope, savestack=7
  60 <vvvvv> <@dd.dd
| 7: EXACT <@>
  61 <vvvv@> <dd.dd

| 9: ALNUM
  62 <vvv@d> <d.dd

| 10: EXACT <\n>
  failed...
  failed...
Guessing start of match, REx "^To:\s\w+\@\w\n" against "o: vvvvvv@dd.dd

CERTIFIED BY BBC/ABC News

"...
Found anchored substr "To:" at offset -1...
Found floating substr "@" at offset 9...
Starting position does not contradict /^/m...
Guessed: match at offset -1
  Setting an EVAL scope, savestack=7
  50 <net>

<To: vvv> | 1: MBOL
  50 <net>
<To: vvv> | 2: EXACT <To:>
  53 <>
To:> < vvvvvv> | 4: SPACE
  54 <
To: > <vvvvvv@> | 5: PLUS
  ALNUM can match 6 times out of 2147483647...
  Setting an EVAL scope, savestack=7
  60 <vvvvv> <@dd.dd
| 7: EXACT <@>
  61 <vvvv@> <dd.dd

| 9: ALNUM
  62 <vvv@d> <d.dd

| 10: EXACT <\n>
  failed...
  failed...
Guessing start of match, REx "^To:\s\w+\@\w\n" against "o: vvvvvv@dd.dd

CERTIFIED BY BBC/ABC News

"...
Found anchored substr "To:" at offset -1...
Found floating substr "@" at offset 9...
Starting position does not contradict /^/m...
Guessed: match at offset -1
  Setting an EVAL scope, savestack=7
  50 <net>

<To: vvv> | 1: MBOL

@p5pRT

p5pRT commented Aug 23, 2005

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Mar 15, 2007

From quarl@cs.berkeley.edu

Created by quarl@cs.berkeley.edu

Dear Perl hackers,

Perl 5.6.1+ hangs when​:
(1) Taint mode (-T) is used
(2) 'study' is used
(3) Regular expression match with an expression starting
  with "^", containing ".*" (or ".*?") matched by a
  newline, using the /m flag, but not the /s flag.

Test case​:

# ---------- cut ----------

#!/usr/bin/perl -T

my $DATA = <<'END'
line1 is here
line2 is here
line3 is here
line4 is here

END
  ;

sub read_some_tainted_data() {
  return substr($ENV{HOME},0,1);
}

warn "tainting data";
$DATA .= read_some_tainted_data();

warn "studying data";
study $DATA;

warn "trying to match...";

## don't set $SIG{ALRM}, since we'd never get to a user-level handler as perl
## is stuck in a regexp infinite loop!

alarm(1);

if ($DATA =~ /^line2.*line4/m) {
  print "match\n";
} else {
  print "no match\n";
}

warn "match didn't hang!";

# ---------- cut ----------

The output of 'perl -T -Drv testcase' may be informative​:
 
  Compiling REx `^line2.*line4'
  size 10 Got 84 bytes for offset annotations.
  first at 2
  rarest char 4 at 4
  rarest char 2 at 4
  1​: MBOL(2)
  2​: EXACT <line2>(5)
  5​: STAR(7)
  6​: REG_ANY(0)
  7​: EXACT <line4>(10)
  10​: END(0)
  anchored "line2" at 0 floating "line4" at 5..2147483647 (checking floating) anchored(MBOL) minlen 10
  Offsets​: [10]
  1[1] 2[5] 0[0] 0[0] 8[1] 7[1] 9[5] 0[0] 0[0] 14[0]
  Omitting $` $& $' support.
 
  EXECUTING...
 
  tainting data at a line 28.
  studying data at a line 33.
  trying to match... at a line 37.
  Guessing start of match, REx "^line2.*line4" against "line1 is here
  line2 is here
  line3 is here
  line4 is here
 
  /"...
  Found floating substr "line4" at offset 42...
  Found anchored substr "line2" at offset 14...
  Starting position does not contradict /^/m...
  Guessed​: match at offset 14
  Matching REx "^line2.*line4" against "line2 is here
  line3 is here
  line4 is here
 
  /"
  Setting an EVAL scope, savestack=12
  14 <here
  > <line2 i> | 1​: MBOL
  14 <here
  > <line2 i> | 2​: EXACT <line2>
  19 <line2> < is her> | 5​: STAR
  REG_ANY can match 8 times out of 2147483647...
  Setting an EVAL scope, savestack=12
  failed...
  Guessing start of match, REx "^line2.*line4" against "ine2 is here
  line3 is here
  line4 is here
 
  /"...
  Found floating substr "line4" at offset 27...
  Contradicts anchored substr "line2", trying floating at offset 28...
  Found floating substr "line4" at offset 27...
  Contradicts anchored substr "line2", trying floating at offset 28...
  Found floating substr "line4" at offset 27...
  Contradicts anchored substr "line2", trying floating at offset 28...
  Found floating substr "line4" at offset 27...
  Contradicts anchored substr "line2", trying floating at offset 28...

... continues infinitely until killed.

Gdb backtrace​:
 
  #0 0x08151d5b in PerlIO_printf (f=0x8191d6c, fmt=0x8170151 "%s %s substr \"%s%.*s%s\"%s%s") at perlio.c​:4918
  #1 0x081321f8 in Perl_re_intuit_start (prog=0x81a4f50, sv=0x819edb0, strpos=0x81a2677 "ine2 is here\nline3 is here\nline4 is here\n\n/",
  strend=0x81a26a2 "", flags=6, data=0x0) at regexec.c​:581
  #2 0x08136aed in Perl_regexec_flags (prog=0x81a4f50, stringarg=0x81a2676 "line2 is here\nline3 is here\nline4 is here\n\n/", strend=0x81a26a2 "",
  strbeg=0x81a2668 "line1 is here\nline2 is here\nline3 is here\nline4 is here\n\n/", minend=0, sv=0x819edb0, data=0x0, flags=6) at regexec.c​:1778
  #3 0x080d5941 in Perl_pp_match () at pp_hot.c​:1340
  #4 0x080bc6b6 in Perl_runops_debug () at dump.c​:1459
  #5 0x0806295e in S_run_body (oldscope=1) at perl.c​:2366
  #6 0x080624e7 in perl_run (my_perl=0x8182008) at perl.c​:2283
  #7 0x0805e8b1 in main (argc=4, argv=0xbfd44f04, env=0xbfd44f18) at perlmain.c​:99

This bug appears in Perl versions 5.6.1 and 5.8.x,
OS-agnostic, arch-agnostic (I tested on 5.6.1, 5.8.4, 5.8.4,
5.8.5, 5.8.6, 5.8.8 on Linux, Solaris; IA-32, Sparc; but I'm
pretty sure OS/arch are irrelevant.)

The bug doesn't appear in Perl 5.6.0, 5.005, 5.004.

Specifically, the bug causes an unexpected DoS in
applications such as SpamAssassin, so I believe this is a
high-importance bug, but please change the severity if I
didn't set it appropriately.

I believe the bug was introduced in change 7407 by jhi on
2000-10-23 (while fixing another bug); not sure why it
lasted so long​:

  http​://public.activestate.com/cgi-bin/perlbrowse/p/7407
 
  Change 7407 by jhi@​chaos on 2000/10/23 03​:43​:12
 
  Subject​: Re​: [ID 20001021.005] SEGV with regex match
  From​: Hugo <hv@​crypt.compulink.co.uk>
  Date​: Mon, 23 Oct 2000 00​:47​:22 +0100
  Message-Id​: <200010222347.AAA09697@​crypt.compulink.co.uk>
 
  Affected files ...
 
  ... //depot/perl/regexec.c#127 edit
  ... //depot/perl/t/op/pat.t#59 edit

Below is a patch to regexec.c that fixes the problem for me
while passing all existing test cases on my platform, plus a
new regression test t/op/taintstudy.t that now passes but
did not before. (Two versions of regexec.c patch against
5.6.1 and 5.8.8; I imagine all intermediate versions are
similar.)

Inline Patch
--- perl-5.6.1/regexec.c.orig	2007-03-14 20:03:38.000000000 -0700
+++ perl-5.6.1/regexec.c	2007-03-14 20:57:18.000000000 -0700
@@ -378,7 +378,12 @@
 	DEBUG_r(PerlIO_printf(Perl_debug_log, "String too short...\n"));
 	goto fail;
     }
-    strbeg = (sv && SvPOK(sv)) ? strend - SvCUR(sv) : strpos;
+    /* quarl 2007-03-14
+     *     Need to check SvPOKp rather than SvPOK in case of taint mode +
+     *     studied regexp.  Reference: 615e0643-ac86-4c31-9cd3-3526b2fc883c */
+    strbeg = (sv && (SvPOK(sv) || SvPOKp(sv))) ? strend - SvCUR(sv) : strpos;
+    /* DEBUG_r( PerlIO_printf(Perl_debug_log, "## sv_flags=%p, SvPOK=%d, SvPOKp=%d, strbeg = %p\n", sv ? sv->sv_flags : 0, (sv && SvPOK(sv) ? 1:0), (sv && SvPOKp(sv) ? 1:0), strbeg) ); */
+
     check = prog->check_substr;
     if (prog->reganch & ROPT_ANCH) {	/* Match at beg-of-str or after \n */
 	ml_anch = !( (prog->reganch & ROPT_ANCH_SINGLE)
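Review bot: The new comment says SvPOKp is needed "rather than" SvPOK, but the replacement condition tests SvPOK(sv) || SvPOKp(sv), so the comment and the code disagree about whether the public flag still matters. Either reword the comment to "in addition to", or reduce the test to SvPOKp(sv) alone if the private flag is set whenever the public one is. The ": strpos" fallback is left as it was, so when neither flag is set strbeg is still taken to be strpos even on a retry from a later position; the comment should say when that branch is legitimately reached.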

--- perl-5.8.8/regexec.c.orig	2007-03-14 20:02:20.000000000 -0700
+++ perl-5.8.8/regexec.c	2007-03-14 20:57:24.000000000 -0700
@@ -454,7 +454,11 @@
 			      "String too short... [re_intuit_start]\n"));
 	goto fail;
     }
-    strbeg = (sv && SvPOK(sv)) ? strend - SvCUR(sv) : strpos;
+    /* quarl 2007-03-14
+     *     Need to check SvPOKp rather than SvPOK in case of taint mode +
+     *     studied regexp.  Reference: 615e0643-ac86-4c31-9cd3-3526b2fc883c */
+    strbeg = (sv && (SvPOK(sv) || SvPOKp(sv))) ? strend - SvCUR(sv) : strpos;
+    /* DEBUG_r( PerlIO_printf(Perl_debug_log, "## sv_flags=%p, SvPOK=%d, SvPOKp=%d, strbeg = %p\n", sv ? sv->sv_flags : 0, (sv && SvPOK(sv) ? 1:0), (sv && SvPOKp(sv) ? 1:0), strbeg) ); */
     PL_regeol = strend;
     if (do_utf8) {
 	if (!prog->check_utf8 && prog->check_substr)
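Review bot: The commented-out DEBUG_r line added after the strbeg assignment should be dropped before this is applied; it is dead code, and as written it passes sv->sv_flags (or 0) to a %p conversion, which would need correcting if anyone re-enabled it. The explanatory comment would also age better without the name, date and opaque reference id: describe the state of the SV that taint mode plus study produces (SvPOKp true while SvPOK is false) and point at t/op/taintstudy.t instead.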


--- /dev/null	2006-06-06 21:11:25.651033888 -0700
+++ perl-5.8.8/t/op/taintstudy.t	2007-03-14 20:51:25.000000000 -0700
@@ -0,0 +1,77 @@
+#!./perl -T
+
+BEGIN {
+    chdir 't' if -d 't';
+    @INC = '../lib';
+}
+
+$Ok_Level = 0;
+my $test = 1;
+sub ok ($;$) {
+    my($ok, $name) = @_;
+
+    local $_;
+
+    # You have to do it this way or VMS will get confused.
+    printf "%s $test%s\n", $ok   ? 'ok' : 'not ok',
+                           $name ? " - $name" : '';
+
+    printf "# Failed test at line %d\n", (caller($Ok_Level))[2] unless $ok;
+
+    $test++;
+    return $ok;
+}
+
+sub nok ($;$) {
+    my($nok, $name) = @_;
+    local $Ok_Level = 1;
+    ok( !$nok, $name );
+}
+
+use Config;
+my $have_alarm = $Config{d_alarm};
+sub alarm_ok (&) {
+    my $test = shift;
+
+    # quarl 2007-03-14
+    #     ***Don't*** set $SIG{ALRM}, because if we do, we'll never get to the
+    #     user-code handler, as the perl interpreter is stuck in an infinite loop
+    #     inside the regexp engine.  If we don't set it, the default is for
+    #     the OS to kill the process.
+
+    # local $SIG{ALRM} = sub { die "timeout\n" };
+
+    my $match;
+    eval {
+        alarm(2) if $have_alarm;
+        $match = $test->();
+        alarm(0) if $have_alarm;
+    };
+
+    local $Ok_Level = 1;
+    ok( !$match && !$@, 'testing studys that used to hang' );
+}
+
+print "1..1\n";
+
+
+my $DATA = <<'END'
+line1 is here
+line2 is here
+line3 is here
+line4 is here
+
+END
+    ;
+
+sub read_some_tainted_data() {
+    return substr($ENV{HOME},0,1);
+}
+
+$DATA .= read_some_tainted_data();
+
+study $DATA;
+
+# reference: 615e0643-ac86-4c31-9cd3-3526b2fc883c
+alarm_ok { $DATA =~ /^line2.*line4/m };
+
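Review bot: alarm_ok only arms the timer when $Config{d_alarm} is set, so on a platform without alarm() a regression would hang the whole test run instead of failing; skip the file there (print "1..0 # Skip no alarm" and exit) rather than running the match unguarded. Because no ALRM handler is installed, a hang ends with the process being killed and no "not ok 1" line is ever printed, so the !$@ half of the assertion can only catch an ordinary die; a one-line comment saying that the harness detects the failure from the missing result would help. The nok helper is defined but never called and can be removed.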

-- 

Regards, Karl

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl v5.8.8:

Configured by Debian Project at Wed Dec  6 23:17:41 UTC 2006.

Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Platform:
    osname=linux, osvers=2.6.18.3, archname=i486-linux-gnu-thread-multi
    uname='linux saens 2.6.18.3 #1 smp sat nov 25 13:39:52 est 2006 i686 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.8.8 -Dsitearch=/usr/local/lib/perl/5.8.8 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dlibperl=libperl.so.5.8.8 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.1.2 20061115 (prerelease) (Debian 4.1.1-20)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.3.6.so, so=so, useshrplib=true, libperl=libperl.so.5.8.8
    gnulibc_version='2.3.6'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.8:
    /home/quarl/lib/perl
    /etc/perl
    /usr/local/lib/perl/5.8.8
    /usr/local/share/perl/5.8.8
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.8
    /usr/share/perl/5.8
    /usr/local/lib/site_perl
    /usr/local/lib/perl/5.8.7
    /usr/local/share/perl/5.8.7
    .


Environment for perl v5.8.8:
    HOME=/home/quarl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en_GB:en
    LC_TIME=en_DK
    LD_LIBRARY_PATH=/usr/local/lib
    LOGDIR (unset)
    PATH=/home/quarl/proj/vulnivore/bin:/home/quarl/local/bin:/home/quarl/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin:/usr/games
    PERLLIB=/home/quarl/lib/perl
    PERL_BADLANG (unset)
    SHELL=/bin/zsh
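The test case's remark about $SIG{ALRM} matters for any service that matches untrusted input: a timeout handled inside the same interpreter may never run while the regex engine is looping. The following is an added example, not code from the report or from perl itself, that runs a match in a forked child and lets the parent enforce the deadline with SIGKILL. The helper name run_with_deadline and the busy loop used as a stand-in for a hung match are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: contain a regex match that may never return.
# run_with_deadline() is a hypothetical helper, not part of perl or SpamAssassin.
use strict;
use warnings;
use POSIX qw(:sys_wait_h);
use Time::HiRes qw(sleep time);

# Run $code in a forked child. The parent enforces the wall-clock limit with
# SIGKILL, so nothing depends on a Perl-level signal handler running inside
# the (possibly stuck) child.
# Returns ('ok', 0|1), ('timeout') or ('error', $reason).
sub run_with_deadline {
    my ($code, $seconds) = @_;

    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {                        # child: do the risky match
        close $rd;
        my $matched = eval { $code->() ? 1 : 0 };
        print {$wr} defined $matched ? "R$matched" : "E";
        close $wr;
        POSIX::_exit(0);                    # leave without running END blocks
    }

    close $wr;                              # parent keeps only the read end
    my $deadline = time() + $seconds;
    while (waitpid($pid, WNOHANG) == 0) {   # 0 means the child is still running
        if (time() >= $deadline) {
            kill 'KILL', $pid;              # cannot be caught, blocked or deferred
            waitpid($pid, 0);               # reap the child
            close $rd;
            return ('timeout');
        }
        sleep 0.05;
    }

    my $out = do { local $/; <$rd> };
    close $rd;
    return ('ok', $1) if defined $out && $out =~ /\AR([01])\z/;
    return ('error', 'child died or exited without a result');
}

# Constructed sample input, shaped like the report's test data.
my $data = "line1 is here\nline2 is here\nline3 is here\nline4 is here\n\n";

# On a fixed perl this returns promptly; "." does not cross "\n" without /s.
my @normal = run_with_deadline(sub { $data =~ /^line2.*line4/m }, 2);
print "report's pattern: @normal\n";

# Stand-in for the engine hang (a fixed perl no longer loops on the pattern).
my @hung = run_with_deadline(sub { 1 while 1 }, 1);
print "stand-in hang:    @hung\n";
```

The cost is one fork per guarded match, so in practice the boundary is usually drawn around a whole message or request rather than a single pattern.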

@p5pRT

p5pRT commented Mar 15, 2007

From @Tux

On Wed, 14 Mar 2007 22​:01​:55 -0700, "quarl@​cs.berkeley.edu (via RT)"
<perlbug-followup@​perl.org> wrote​:

> Dear Perl hackers,
>
> Perl 5.6.1+ hangs when:
> (1) Taint mode (-T) is used
> (2) 'study' is used
> (3) Regular expression match with an expression starting
> with "^", containing ".*" (or ".*?") matched by a
> newline, using the /m flag, but not the /s flag.
>
> Test case:
>
> # ---------- cut ----------
>
> #!/usr/bin/perl -T
>
> my $DATA = <<'END'
> line1 is here
> line2 is here
> line3 is here
> line4 is here
>
> END
> ;
>
> sub read_some_tainted_data() {
> return substr($ENV{HOME},0,1);
> }
>
> warn "tainting data";
> $DATA .= read_some_tainted_data();
>
> warn "studying data";
> study $DATA;
>
> warn "trying to match...";
>
> ## don't set $SIG{ALRM}, since we'd never get to a user-level handler as perl
> ## is stuck in a regexp infinite loop!
>
> alarm(1);
>
> if ($DATA =~ /^line2.*line4/m) {
> print "match\n";
> } else {
> print "no match\n";
> }
>
> warn "match didn't hang!";

Current state of affairs (devel or blead) does not show this `flaw'​:

nb09​:/pro/3gl/CPAN/perl-current 113 > ./perl -T -Ilib /tmp/xx.pl
tainting data at /tmp/xx.pl line 16.
studying data at /tmp/xx.pl line 19.
trying to match... at /tmp/xx.pl line 22.
no match
match didn't hang! at /tmp/xx.pl line 35.

And neither does the current maint branch (leading up to 5.8.9)​:

nb09​:/pro/3gl/CPAN/perl-5.8.x-dor 117 > ./perl -T -Ilib /tmp/xx.pl
tainting data at /tmp/xx.pl line 16.
studying data at /tmp/xx.pl line 19.
trying to match... at /tmp/xx.pl line 22.
no match
match didn't hang! at /tmp/xx.pl line 35.

I've got the regex guru sitting next to me, and he says he
definitely changed that code a while back (but as he's just
awake, he'll have to have a closer look)

Would you be able to do your test on the most recent blead (devel)
and/or maint? See perlhack to see how to sync up with that.

--
H.Merijn Brand Amsterdam Perl Mongers (http​://amsterdam.pm.org/)
using & porting perl 5.6.2, 5.8.x, 5.9.x on HP-UX 10.20, 11.00, 11.11,
& 11.23, SuSE 10.0 & 10.2, AIX 4.3 & 5.2, and Cygwin. http​://qa.perl.org
http​://mirrors.develooper.com/hpux/ http​://www.test-smoke.org
  http​://www.goldmark.org/jeff/stupid-disclaimers/

@p5pRT

p5pRT commented Mar 15, 2007

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Mar 16, 2007

From quarl+dated+1174444136.16e51e@nospam.quarl.org

On 2007-03-15 02​:35 PDT, H Merijn Brand writes​:

  Merijn> Current state of affairs (devel or blead) does not
  Merijn> show this `flaw'​:

  Merijn> Would you be able to do your test on the most recent
  Merijn> blead (devel) and/or maint? See perlhack to see how to
  Merijn> sync up with that.

Hi, thank you for checking. You're right -- perl-current doesn't
show this flaw. I wish I had checked earlier, but at least I
learned something about perl internals :). The regression test
might still be worth committing.

Could the fix be extracted from the 5.8.9 line so it can be
backported for Debian, etc. ?

--
Karl 2007-03-15 19​:28

@p5pRT

p5pRT commented Mar 17, 2007

From @nwc10

On Thu, Mar 15, 2007 at 07​:34​:33PM -0700, Karl Chen wrote​:

> Hi, thank you for checking. You're right -- perl-current doesn't
> show this flaw. I wish I had checked earlier, but at least I
> learned something about perl internals :). The regression test
> might still be worth committing.

Good point. I thought it better to adapt your sample code, rather than adding
a whole new test script, so it's in as change 30608.

> Could the fix be extracted from the 5.8.9 line so it can be
> backported for Debian, etc. ?

5.8.9 isn't a line, so much as the not-yet-made release on the 5.8.x line,
the current stable release line. In the past Debian have been rather fast
at updating their stable perl with changes merged to maint between official
5.8.x releases, so they may already have this change. This may have changed,
I'm mostly not using Debian systems.

Nicholas Clark

@p5pRT

p5pRT commented Mar 18, 2007

From quarl@cs.berkeley.edu

On 2007-03-17 10​:01 PDT, Nicholas Clark writes​:

  Nicholas> Good point. I thought it better to adapt your sample
  Nicholas> code, rather than adding a whole new test script, so
  Nicholas> it's in as change 30608.

Thank you!

Was the commenting-out of the 'study' line intentional? Because
the bug only shows up WITH study. It wouldn't hurt to have the
non-study version also, but it might already be covered by other
tests.

  >> Could the fix be extracted from the 5.8.9 line so it can be
  >> backported for Debian, etc. ?

  Nicholas> 5.8.9 isn't a line, so much as the not-yet-made
  Nicholas> release on the 5.8.x line, the current stable
  Nicholas> release line. In the past Debian have been rather
  Nicholas> fast at updating their stable perl with changes
  Nicholas> merged to maint between official 5.8.x releases, so
  Nicholas> they may already have this change. This may have
  Nicholas> changed, I'm mostly not using Debian systems.

Current Debian stable/testing/unstable all have the bug, which is
how I encountered it. It's also in other OS distributions (and
apparently has been there for 7 years! :) Anyways I will file a
Debian bug to encourage the Debian developers to update/backport
the fix.

--
Karl 2007-03-17 16​:52

@p5pRT

p5pRT commented Nov 14, 2008

@smpeters - Status changed from 'open' to 'resolved'

@p5pRT p5pRT closed this as completed Nov 14, 2008
@p5pRT

p5pRT commented Sep 23, 2010

From @cpansprout

This was fixed in perl 5.8.9 and 5.10.0.

@p5pRT

p5pRT commented Sep 23, 2010

@cpansprout - Status changed from 'open' to 'resolved'
