Your message dated Mon, 12 Nov 2007 05:25:27 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#450456: fixed in perl 5.8.8-12
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: perl
Version: 5.8.8-11.1
Severity: grave
Tags: security
Justification: user security hole

Hi

There has been a DSA for perl.

Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in Perl's regular expression
compiler, probably allowing attackers to execute arbitrary code by
compiling specially crafted regular expressions.

The patch used for this update is below. The CVE number is
CVE-2007-5116. Please mention it in your changelog when you fix this
bug.

Thanks for your efforts.
Cheers
Steffen

--- perl-5.8.8.orig/regcomp.c
+++ perl-5.8.8/regcomp.c
@@ -136,6 +136,7 @@
     I32                seen_zerolen;
     I32                seen_evals;
     I32                utf8;
+    I32                orig_utf8;
 #if ADD_TO_REGEXEC
     char       *starttry;              /* -Dr: where regtry was called. */
 #define RExC_starttry  (pRExC_state->starttry)
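Review bot: The new `orig_utf8` member added next to `utf8` in the state struct has no comment, and from the names alone it is not clear how the two differ. A trailing comment saying that it records whether the pattern was UTF-8 when compilation started, while `utf8` can change during the first pass, would explain the `RExC_utf8 && !RExC_orig_utf8` test that appears further down in the patch.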
@@ -161,6 +162,7 @@
 #define RExC_seen_zerolen      (pRExC_state->seen_zerolen)
 #define RExC_seen_evals        (pRExC_state->seen_evals)
 #define RExC_utf8      (pRExC_state->utf8)
+#define RExC_orig_utf8 (pRExC_state->orig_utf8)

 #define        ISMULT1(c)      ((c) == '*' || (c) == '+' || (c) == '?')
 #define        ISMULT2(s)      ((*s) == '*' || (*s) == '+' || (*s) == '?' || \
@@ -1750,6 +1752,7 @@
        FAIL("NULL regexp argument");

     RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;
+    RExC_orig_utf8 = RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;

     RExC_precomp = exp;
     DEBUG_r({
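Review bot: The original `RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;` is still present as a context line directly above the added `RExC_orig_utf8 = RExC_utf8 = ...` line, so `RExC_utf8` is assigned the same value twice in a row. The result is correct, but the added line should either replace the old assignment or be reduced to `RExC_orig_utf8 = RExC_utf8;`.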
@@ -1758,6 +1761,8 @@
                       PL_colors[4],PL_colors[5],PL_colors[0],
                       (int)(xend - exp), RExC_precomp, PL_colors[1]);
     });
+redo_first_pass:
+    RExC_precomp = exp;
     RExC_flags = pm->op_pmflags;
     RExC_sawback = 0;

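Review bot: The second `RExC_precomp = exp;` placed right after the `redo_first_pass:` label carries no comment and reads like a duplicate of the assignment a few lines above the `DEBUG_r` block. A short comment that `exp` may have been replaced before the jump back here, and that the state set by the first pass has to be re-initialised below the label, would keep the line from being removed as redundant in a later cleanup.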
@@ -1783,6 +1788,17 @@
        RExC_precomp = Nullch;
        return(NULL);
     }
+    if (RExC_utf8 && !RExC_orig_utf8) {
+       STRLEN len = xend-exp;
+       DEBUG_r(PerlIO_printf(Perl_debug_log,
+          "UTF8 mismatch! Converting to utf8 for resizing and compile\n"));
+       exp = (char*)Perl_bytes_to_utf8(aTHX_ (U8*)exp, &len);
+       xend = exp + len;
+       RExC_orig_utf8 = RExC_utf8;
+       SAVEFREEPV(exp);
+       goto redo_first_pass;
+    }
+
     DEBUG_r(PerlIO_printf(Perl_debug_log, "size %"IVdf" ", (IV)RExC_size));

     /* Small enough for pointer-storage convention?
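Review bot: The `goto redo_first_pass` in the added `if (RExC_utf8 && !RExC_orig_utf8)` block terminates only because `RExC_orig_utf8 = RExC_utf8;` runs before the jump, and nothing in the block says so. A comment should state that the first pass turned on UTF-8 for a pattern that started out as bytes, that the pattern is therefore converted and the pass repeated "for resizing and compile" as the debug message puts it, and that the assignment is the one-shot guard against looping. The same comment should mention that after this block `exp` and `xend` point at the buffer returned by `Perl_bytes_to_utf8`, released through `SAVEFREEPV(exp)`, and no longer at the caller's string.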



--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.8.8-12

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.8.8-12_all.deb
  to pool/main/p/perl/libcgi-fast-perl_5.8.8-12_all.deb
libperl-dev_5.8.8-12_sparc.deb
  to pool/main/p/perl/libperl-dev_5.8.8-12_sparc.deb
libperl5.8_5.8.8-12_sparc.deb
  to pool/main/p/perl/libperl5.8_5.8.8-12_sparc.deb
perl-base_5.8.8-12_sparc.deb
  to pool/main/p/perl/perl-base_5.8.8-12_sparc.deb
perl-debug_5.8.8-12_sparc.deb
  to pool/main/p/perl/perl-debug_5.8.8-12_sparc.deb
perl-doc_5.8.8-12_all.deb
  to pool/main/p/perl/perl-doc_5.8.8-12_all.deb
perl-modules_5.8.8-12_all.deb
  to pool/main/p/perl/perl-modules_5.8.8-12_all.deb
perl-suid_5.8.8-12_sparc.deb
  to pool/main/p/perl/perl-suid_5.8.8-12_sparc.deb
perl_5.8.8-12.diff.gz
  to pool/main/p/perl/perl_5.8.8-12.diff.gz
perl_5.8.8-12.dsc
  to pool/main/p/perl/perl_5.8.8-12.dsc
perl_5.8.8-12_sparc.deb
  to pool/main/p/perl/perl_5.8.8-12_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brendan O'Dea <[EMAIL PROTECTED]> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 08 Nov 2007 08:42:01 +1100
Source: perl
Binary: perl-base libcgi-fast-perl libperl-dev perl-debug perl-modules perl libperl5.8 perl-suid perl-doc
Architecture: source sparc all
Version: 5.8.8-12
Distribution: unstable
Urgency: high
Maintainer: Brendan O'Dea <[EMAIL PROTECTED]>
Changed-By: Brendan O'Dea <[EMAIL PROTECTED]>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.8 - Shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - The Pathologically Eclectic Rubbish Lister
 perl-debug - Debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - Runs setuid Perl scripts
Closes: 448965 449549 450456
Changes: 
 perl (5.8.8-12) unstable; urgency=high
 .
   * SECURITY [CVE-2007-5116] (closes: #450456): Apply patch from
     Will Drewry and Tavis Ormandy of the Google Security Team to fix a
     UTF-8 related heap overflow in Perl's regular expression compiler,
     probably allowing attackers to execute arbitrary code by compiling
     specially crafted regular expressions.
 .
   * Support "nocheck" option in DEB_BUILD_OPTIONS (closes: #449549).
   * Suppress Configure test for ualarm() so that setitimer() emulation
     is used (closes: #448965).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iD8DBQFHMrnF8NyOALKMWZURAkqyAJ974dlfDu/+7DV7hYtY/7KMQidFUQCeM/a7
SMdod/9vm4RG9qMrphXbdUI=
=NC9j
-----END PGP SIGNATURE-----



--- End Message ---
