Bug#450456: perl: DSA 1400-1: heap overflow

Wed, 07 Nov 2007 08:15:39 -0800 

Package: perl
Version: 5.8.8-11.1
Severity: grave
Tags: security
Justification: user security hole

Hi

There has been a DSA for perl.

Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in Perl's regular expression
compiler, probably allowing attackers to execute arbitrary code by
compiling specially crafted regular expressions.

The patch used for this update is below. The CVE number is
CVE-2007-5116. Please mention it in your changelog, when you fix this
bug.

Thanks for your efforts.
Cheers
Steffen

--- perl-5.8.8.orig/regcomp.c
+++ perl-5.8.8/regcomp.c
@@ -136,6 +136,7 @@
     I32                seen_zerolen;
     I32                seen_evals;
     I32                utf8;
+    I32                orig_utf8;
 #if ADD_TO_REGEXEC
     char       *starttry;              /* -Dr: where regtry was called. */
 #define RExC_starttry  (pRExC_state->starttry)
@@ -161,6 +162,7 @@
 #define RExC_seen_zerolen      (pRExC_state->seen_zerolen)
 #define RExC_seen_evals        (pRExC_state->seen_evals)
 #define RExC_utf8      (pRExC_state->utf8)
+#define RExC_orig_utf8 (pRExC_state->orig_utf8)

 #define        ISMULT1(c)      ((c) == '*' || (c) == '+' || (c) == '?')
 #define        ISMULT2(s)      ((*s) == '*' || (*s) == '+' || (*s) == '?' || \
@@ -1750,6 +1752,7 @@
        FAIL("NULL regexp argument");

     RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;
+    RExC_orig_utf8 = RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;

     RExC_precomp = exp;
     DEBUG_r({
@@ -1758,6 +1761,8 @@
                       PL_colors[4],PL_colors[5],PL_colors[0],
                       (int)(xend - exp), RExC_precomp, PL_colors[1]);
     });
+redo_first_pass:
+    RExC_precomp = exp;
     RExC_flags = pm->op_pmflags;
     RExC_sawback = 0;

@@ -1783,6 +1788,17 @@
        RExC_precomp = Nullch;
        return(NULL);
     }
+    if (RExC_utf8 && !RExC_orig_utf8) {
+       STRLEN len = xend-exp;
+       DEBUG_r(PerlIO_printf(Perl_debug_log,
+          "UTF8 mismatch! Converting to utf8 for resizing and compile\n"));
+       exp = (char*)Perl_bytes_to_utf8(aTHX_ (U8*)exp, &len);
+       xend = exp + len;
+       RExC_orig_utf8 = RExC_utf8;
+       SAVEFREEPV(exp);
+       goto redo_first_pass;
+    }
+
     DEBUG_r(PerlIO_printf(Perl_debug_log, "size %"IVdf" ", (IV)RExC_size));

     /* Small enough for pointer-storage convention?



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to