Package: perl
Version: 5.8.8-11.1
Severity: grave
Tags: security
Justification: user security hole
Hi
A Debian Security Advisory (DSA) has been issued for perl.
Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in Perl's regular expression
compiler, probably allowing attackers to execute arbitrary code by
compiling specially crafted regular expressions.
The patch used for this update is below. The CVE number is
CVE-2007-5116. Please mention it in your changelog, when you fix this
bug.
Thanks for your efforts.
Cheers
Steffen
--- perl-5.8.8.orig/regcomp.c
+++ perl-5.8.8/regcomp.c
@@ -136,6 +136,7 @@
I32seen_zerolen;
I32seen_evals;
I32utf8;
+I32orig_utf8;
#if ADD_TO_REGEXEC
char *starttry; /* -Dr: where regtry was called. */
#define RExC_starttry (pRExC_state-starttry)
@@ -161,6 +162,7 @@
#define RExC_seen_zerolen (pRExC_state-seen_zerolen)
#define RExC_seen_evals(pRExC_state-seen_evals)
#define RExC_utf8 (pRExC_state-utf8)
+#define RExC_orig_utf8 (pRExC_state-orig_utf8)
#defineISMULT1(c) ((c) == '*' || (c) == '+' || (c) == '?')
#defineISMULT2(s) ((*s) == '*' || (*s) == '+' || (*s) == '?' || \
@@ -1750,6 +1752,7 @@
FAIL(NULL regexp argument);
RExC_utf8 = pm-op_pmdynflags PMdf_CMP_UTF8;
+RExC_orig_utf8 = RExC_utf8 = pm-op_pmdynflags PMdf_CMP_UTF8;
RExC_precomp = exp;
DEBUG_r({
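Review bot: The added `RExC_orig_utf8 = RExC_utf8 = ...` line repeats the assignment to RExC_utf8 on the line directly above it. The hunk header (6 old lines, 7 new) suggests that line is kept as context rather than removed, although the page has lost its diff markers, so this is inferred. `RExC_orig_utf8 = RExC_utf8;` would record the incoming flag without evaluating the flag expression twice. A one-line comment such as `/* remember whether the pattern arrived as UTF-8; compared again after the first pass */` would explain why two copies of the flag exist.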
@@ -1758,6 +1761,8 @@
PL_colors[4],PL_colors[5],PL_colors[0],
(int)(xend - exp), RExC_precomp, PL_colors[1]);
});
+redo_first_pass:
+RExC_precomp = exp;
RExC_flags = pm-op_pmflags;
RExC_sawback = 0;
@@ -1783,6 +1788,17 @@
RExC_precomp = Nullch;
return(NULL);
}
+if (RExC_utf8 !RExC_orig_utf8) {
+ STRLEN len = xend-exp;
+ DEBUG_r(PerlIO_printf(Perl_debug_log,
+ UTF8 mismatch! Converting to utf8 for resizing and compile\n));
+ exp = (char*)Perl_bytes_to_utf8(aTHX_ (U8*)exp, len);
+ xend = exp + len;
+ RExC_orig_utf8 = RExC_utf8;
+ SAVEFREEPV(exp);
+ goto redo_first_pass;
+}
+
DEBUG_r(PerlIO_printf(Perl_debug_log, size %IVdf , (IV)RExC_size));
/* Small enough for pointer-storage convention?
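Review bot: The new `if` block that converts the pattern and jumps back to `redo_first_pass` has no comment explaining why the restart is needed, although it is the security-relevant part of the fix. I would add a block comment above the condition covering three points, going by the debug message and the `RExC_size` print that follows. First, a pattern supplied as bytes can switch RExC_utf8 on during the first pass. Second, the size computed up to that point was based on the byte form. Third, the whole pattern is therefore converted and the pass repeated, so that the size matches what is later emitted. The restart is only sound if nothing derived from the old `exp`/`xend` before the label is reused after it. The function starts and ends outside the hunk, so that needs checking in the full file, and a regression test for the mismatch path would pin the behaviour.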