Your message dated Sat, 26 Jul 2008 09:57:50 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#454792: fixed in perl 5.8.8-7etch3
has caused the Debian Bug report #454792,
regarding double free and segfault on utf8 containing regexes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
454792: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454792
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: perl
Severity: serious
Version: 5.8.8-7etch1
Tags: security

A trivial program containing a regex with UTF8 characters causes a
double free error and segfault:

#!/usr/bin/perl -w -CSDA
use strict;
use utf8;
use encoding 'utf8';
use locale;

my $ans='Ostrów';
$_="whatever...";
if (/^$ans| $ans/) { print "I was wrong, sorry...\n"}

[Attached as well for convenience, along with output.]

I've set the severity to serious and tagged with security as there is
(apparently) a possibility that this could result in execution of
arbitrary code. [I don't have any proof of concept for this or a CVE
though, so feel free to detag and lower severity.]

This is also filed upstream as #48156 [will mark it forwarded after I
receive the ack.]

[We're seeing this quite a bit in the anti-spam bits of the BTS, so a
patch which fixes this would be nice. ;-)]


Don Armstrong

-- 
Clothes make the man. Naked people have little or no influence on
society.
 -- Mark Twain 

http://www.donarmstrong.com              http://rzlab.ucr.edu
*** glibc detected *** debugperl: double free or corruption (!prev): 0x081e20e0 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7dfa735]
/lib/i686/cmov/libc.so.6(cfree+0x90)[0xb7dfe1a0]
debugperl(Perl_safesysfree+0xb5)[0x80d1ac5]
debugperl(Perl_pregfree+0x1c5)[0x80c9eda]
debugperl(Perl_op_clear+0x34a)[0x80a137f]
debugperl(Perl_op_free+0x1ad)[0x80a1028]
debugperl(Perl_op_free+0x149)[0x80a0fc4]
debugperl(Perl_op_free+0x149)[0x80a0fc4]
debugperl(Perl_op_free+0x149)[0x80a0fc4]
debugperl(perl_destruct+0x2ca)[0x8065b4d]
debugperl(main+0x108)[0x80638dc]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7da5450]
debugperl[0x8063771]
Aborted (core dumped)

--- End Message ---
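
An added example (not part of the original report and not Debian or Perl project code): Python that reduces the glibc abort report above to a stable crash signature, so repeated occurrences can be grouped even when addresses and offsets differ between runs. The names `parse_report` and `signature`, and the bucketing rule itself, are assumptions of this example.

```python
import re
from itertools import groupby

# Backtrace lines copied from the glibc abort report in the message above.
REPORT = """\
*** glibc detected *** debugperl: double free or corruption (!prev): 0x081e20e0 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7dfa735]
/lib/i686/cmov/libc.so.6(cfree+0x90)[0xb7dfe1a0]
debugperl(Perl_safesysfree+0xb5)[0x80d1ac5]
debugperl(Perl_pregfree+0x1c5)[0x80c9eda]
debugperl(Perl_op_clear+0x34a)[0x80a137f]
debugperl(Perl_op_free+0x1ad)[0x80a1028]
debugperl(Perl_op_free+0x149)[0x80a0fc4]
debugperl(Perl_op_free+0x149)[0x80a0fc4]
debugperl(Perl_op_free+0x149)[0x80a0fc4]
debugperl(perl_destruct+0x2ca)[0x8065b4d]
debugperl(main+0x108)[0x80638dc]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7da5450]
debugperl[0x8063771]
======= Memory map: ========
"""

HEADER = re.compile(r"\*\*\* glibc detected \*\*\* (?P<prog>\S+): (?P<error>.+?): (?P<addr>0x[0-9a-f]+)")
FRAME = re.compile(r"^(?P<module>[^\s(\[]+)(?:\((?P<symbol>[^+)]*)(?:\+0x[0-9a-f]+)?\))?\[0x[0-9a-f]+\]$")

def parse_report(text):
    """Return (program, error, frames); frames is a list of (module, symbol or None)."""
    header, frames, in_trace = None, [], False
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.search(line)
        if m:
            header = m
        elif line.startswith("======="):
            in_trace = "Backtrace" in line      # stop collecting at the memory map
        elif in_trace and (f := FRAME.match(line)):
            frames.append((f["module"], f["symbol"] or None))
    if header is None:
        raise ValueError("no glibc abort header found")
    return header["prog"], header["error"], frames

def signature(text, depth=4):
    # Key = program, error kind, first `depth` symbolised frames of the program itself;
    # libc frames and unsymbolised frames are skipped, recursive repeats collapsed.
    prog, error, frames = parse_report(text)
    base = prog.rsplit("/", 1)[-1]
    own = [sym for mod, sym in frames if sym and mod.rsplit("/", 1)[-1] == base]
    collapsed = [sym for sym, _ in groupby(own)]
    return f"{base}|{error}|" + ">".join(collapsed[:depth])
```
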
--- Begin Message ---
Source: perl
Source-Version: 5.8.8-7etch3

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.8-7etch3_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.8-7etch3_all.deb
libperl-dev_5.8.8-7etch3_amd64.deb
  to pool/main/p/perl/libperl-dev_5.8.8-7etch3_amd64.deb
libperl5.8_5.8.8-7etch3_amd64.deb
  to pool/main/p/perl/libperl5.8_5.8.8-7etch3_amd64.deb
perl-base_5.8.8-7etch3_amd64.deb
  to pool/main/p/perl/perl-base_5.8.8-7etch3_amd64.deb
perl-debug_5.8.8-7etch3_amd64.deb
  to pool/main/p/perl/perl-debug_5.8.8-7etch3_amd64.deb
perl-doc_5.8.8-7etch3_all.deb
  to pool/main/p/perl/perl-doc_5.8.8-7etch3_all.deb
perl-modules_5.8.8-7etch3_all.deb
  to pool/main/p/perl/perl-modules_5.8.8-7etch3_all.deb
perl-suid_5.8.8-7etch3_amd64.deb
  to pool/main/p/perl/perl-suid_5.8.8-7etch3_amd64.deb
perl_5.8.8-7etch3.diff.gz
  to pool/main/p/perl/perl_5.8.8-7etch3.diff.gz
perl_5.8.8-7etch3.dsc
  to pool/main/p/perl/perl_5.8.8-7etch3.dsc
perl_5.8.8-7etch3_amd64.deb
  to pool/main/p/perl/perl_5.8.8-7etch3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <[EMAIL PROTECTED]> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Fri, 25 Apr 2008 21:12:00 +0200
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: source amd64 all
Version: 5.8.8-7etch3
Distribution: stable-security
Urgency: high
Maintainer: Brendan O'Dea <[EMAIL PROTECTED]>
Changed-By: Florian Weimer <[EMAIL PROTECTED]>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 454792
Changes: 
 perl (5.8.8-7etch3) stable-security; urgency=high
 .
   * Actually apply the patch to fix CVE-2008-1927, a heap overflow in the
     UTF-8 regexp compiler.  Closes: #454792.



--- End Message ---
