Your message dated Sun, 31 May 2020 13:58:28 +0300
with message-id <20200531105828.GA51706@estella.local.invalid>
and subject line Re: Bug#825378: perl: freeze on parsing (broken) code
has caused the Debian Bug report #825378,
regarding perl: freeze on parsing (broken) code
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
825378: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825378
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl
Version: 5.20.2-3+deb8u4
Severity: normal
Tags: jessie

Dear Maintainer,

I've made a typo in code, and found that it freezes perl on an attempt to parse:
            perl -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
( it was meant to be 's{foo}{$h->X({-aaa=>"b"},$d)}ge' )

gdb backtrace (manually interrupted with ^C):
Program received signal SIGINT, Interrupt.
0x0806c60a in Perl_rpeep (my_perl=0x8215008, o=0x8238074) at op.c:11333
11333   op.c: No such file or directory.
(gdb) bt
#0  0x0806c60a in Perl_rpeep (my_perl=0x8215008, o=0x8238074) at op.c:11333
#1 0x08073509 in Perl_pmruntime (my_perl=0x8215008, o=0x82380f4, expr=0x8238474, isreg=true, floor=0) at op.c:4903
#2  0x080a3ae8 in Perl_yyparse (my_perl=0x8215008, gramtype=1536)
    at perly.y:1385
#3  0x0807e836 in S_parse_body (xsinit=<optimized out>, env=<optimized out>, my_perl=<optimized out>) at perl.c:2298
#4  perl_parse (my_perl=0x8215008, xsinit=0x805ef80 <xs_init>, argc=136400904, argv=0x8215008, env=0x0) at perl.c:1607
#5  0x0805ede8 in main (argc=3, argv=0xffffd674, env=0xffffd684)
    at perlmain.c:112

(Theoretically, this can be called "potential DoS on parsing untrusted code", but I'm pretty sure parsing untrusted perl code is not safe anyway).

It seems only the jessie version is affected; perl binaries extracted from perl-base packages from wheezy and squeeze seem to correctly report the error:
$ ./perl5.22.2 -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
syntax error at -e line 1, near "{->aaa"
syntax error at -e line 1, near ")}"
-e had compilation errors.

It seems there are no changes in 5.20.2-3+deb8u5 (from jessie-proposed-updates) (also freezes).

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages perl depends on:
ii  dpkg          1.17.26
ii  libbz2-1.0    1.0.6-7+b3
ii  libc6         2.19-18+deb8u4
ii  libdb5.3      5.3.28-9
ii  libgdbm3      1.8.3-13.1
ii  perl-base     5.20.2-3+deb8u4
ii  perl-modules  5.20.2-3+deb8u4
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages perl recommends:
ii  netbase  5.3
ii  rename   0.20-3

Versions of packages perl suggests:
ii  libterm-readline-gnu-perl   1.24-2+b1
ii  libterm-readline-perl-perl  1.0303-1
ii  make                        4.0-8.1
ii  perl-doc                    5.20.2-3+deb8u4

-- no debconf information

--- End Message ---
--- Begin Message ---
Control: tag -1 - jessie

On Sat, Jun 04, 2016 at 02:13:19PM +0100, Dominic Hargreaves wrote:
> On Sun, May 29, 2016 at 12:09:17AM +0300, Yuriy M. Kaminskiy wrote:
> > On 28.05.2016 17:50, Dominic Hargreaves wrote:
> > >On Thu, May 26, 2016 at 04:47:07PM +0100, Dominic Hargreaves wrote:
> 
> > >>Just to note that I can confirm that we get a syntax error on
> > >>wheezy (so this is a regression for jessie).

> > >>./perl -e 's{foo}{$h->X({->aaa=>"b"},$d)}ge;'

> > >Just to add to this: since perl 5.20 is out of support upstream, and
> > >this isn't a critical issue, I suspect not much more will happen on
> > >this bug from me. If someone else wants to backport the patch, I'd
> > >happily consider it for inclusion in a future stable update.
> > 
> > Something like attached? (only complication: lack of op_sibling_splice in
> > 5.20).
> > Compiled with pbuilder (BTW, needed USENETWORK=yes; otherwise it failed two
> > tests for IO::Socket::IP; looks like #759799?), minimally tested, seems
> > to work.
> > Disclaimer: use with care/review carefully/IANAPH.
> 
> Thanks for the backporting! I've forwarded this upstream for review.

Unfortunately this got stalled. There's just a month of LTS support left
for jessie, we're certainly not fixing this anymore.

So closing. Thanks again and sorry it didn't work out.
-- 
Niko Tyni   nt...@debian.org

--- End Message ---
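
Added example, not part of the bug report and not perl's or Debian's code: the backtrace shows the hang inside the compile phase (Perl_rpeep reached from Perl_yyparse), so a tool that syntax-checks Perl with `perl -c` can run the check in a child process under a wall-clock timeout and a CPU limit. The name bounded_check, its verdict strings and the 5-second defaults are assumptions chosen for this example.

```python
import subprocess
import sys

try:
    import resource  # POSIX only; absent on Windows
except ImportError:
    resource = None

# Reproducer quoted in the bug report (hangs perl 5.20.2-3+deb8u4 at compile time).
REPRODUCER = 's{foo}{$h->X({->aaa=>"b"},$d)}ge'


def _cpu_cap(seconds):
    """Build a pre-exec hook that lowers the child's soft RLIMIT_CPU."""
    def hook():
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        soft = seconds if hard == resource.RLIM_INFINITY else min(seconds, hard)
        resource.setrlimit(resource.RLIMIT_CPU, (soft, hard))
    return hook


def bounded_check(code, interpreter=("perl", "-c", "-e"), wall=5.0, cpu=5):
    """Compile-check `code` in a child process; return (verdict, detail).

    `perl -c` still runs BEGIN blocks and `use` lines, so this bounds a hang
    like the one reported; it does not make untrusted code safe to check.
    """
    hook = _cpu_cap(cpu) if resource else None
    try:
        proc = subprocess.run(list(interpreter) + [code],
                              stdin=subprocess.DEVNULL, capture_output=True,
                              text=True, errors="replace", timeout=wall,
                              preexec_fn=hook)
    except subprocess.TimeoutExpired:
        # run() has already killed and reaped the child at this point.
        return "hang", "no verdict within %.1fs of wall-clock time" % wall
    except FileNotFoundError:
        return "unavailable", "%s not found" % interpreter[0]
    if proc.returncode < 0:
        # Negative return code: killed by a signal, e.g. SIGXCPU from the cap.
        return "killed", "signal %d" % -proc.returncode
    if proc.returncode != 0:
        return "rejected", proc.stderr.strip()
    return "ok", proc.stderr.strip()


if __name__ == "__main__":
    # "rejected" on an unaffected perl; "hang" or "killed" on an affected build.
    print(bounded_check(REPRODUCER))
```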
