Bug#450456: perl: DSA 1400-1: heap overflow

2007-11-07 Thread Brendan O'Dea
On Thu, Nov 08, 2007 at 12:09:30AM +1100, Steffen Joeris wrote:
> Package: perl
> The patch used for this update is below. The CVE number is
> CVE-2007-5116. Please mention it in your changelog when you fix this
> bug.
> 
> Thanks,

Will apply and build tonight.

--bod



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#450456: perl: DSA 1400-1: heap overflow

2007-11-07 Thread Steffen Joeris
Package: perl
Version: 5.8.8-11.1
Severity: grave
Tags: security
Justification: user security hole

Hi

There has been a DSA for perl.

Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in Perl's regular expression
compiler, probably allowing attackers to execute arbitrary code by
compiling specially crafted regular expressions.

The patch used for this update is below. The CVE number is
CVE-2007-5116. Please mention it in your changelog when you fix this
bug.

Thanks for your efforts.
Cheers
Steffen

--- perl-5.8.8.orig/regcomp.c
+++ perl-5.8.8/regcomp.c
@@ -136,6 +136,7 @@
 I32seen_zerolen;
 I32seen_evals;
 I32utf8;
+I32orig_utf8;
 #if ADD_TO_REGEXEC
 char   *starttry;  /* -Dr: where regtry was called. */
 #define RExC_starttry  (pRExC_state-starttry)
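Review bot: the new `orig_utf8` field is undocumented, although its whole job is to remember whether the pattern was UTF-8 when compilation started (unlike `utf8`, which the first pass can switch on part-way through); a one-line comment such as `/* utf8 flag as it was before the first pass */` beside the declaration would make the later `RExC_utf8 && !RExC_orig_utf8` test self-explanatory. (This copy of the patch has dropped `->` and `&` characters, e.g. `pRExC_state-starttry` for `pRExC_state->starttry`; the hunks are left as pasted.)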
@@ -161,6 +162,7 @@
 #define RExC_seen_zerolen  (pRExC_state-seen_zerolen)
 #define RExC_seen_evals(pRExC_state-seen_evals)
 #define RExC_utf8  (pRExC_state-utf8)
+#define RExC_orig_utf8 (pRExC_state-orig_utf8)

 #defineISMULT1(c)  ((c) == '*' || (c) == '+' || (c) == '?')
 #defineISMULT2(s)  ((*s) == '*' || (*s) == '+' || (*s) == '?' || \
@@ -1750,6 +1752,7 @@
FAIL(NULL regexp argument);

 RExC_utf8 = pm-op_pmdynflags  PMdf_CMP_UTF8;
+RExC_orig_utf8 = RExC_utf8 = pm-op_pmdynflags  PMdf_CMP_UTF8;

 RExC_precomp = exp;
 DEBUG_r({
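Review bot: the pre-existing `RExC_utf8 = pm-op_pmdynflags  PMdf_CMP_UTF8;` line is kept as unchanged context directly above the added `RExC_orig_utf8 = RExC_utf8 = pm-op_pmdynflags  PMdf_CMP_UTF8;`, so the same flag is computed and assigned twice in a row. The old line should be a `-` line in this hunk rather than context; leaving both means a future edit to one copy and not the other silently desynchronises them.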
@@ -1758,6 +1761,8 @@
   PL_colors[4],PL_colors[5],PL_colors[0],
   (int)(xend - exp), RExC_precomp, PL_colors[1]);
 });
+redo_first_pass:
+RExC_precomp = exp;
 RExC_flags = pm-op_pmflags;
 RExC_sawback = 0;

@@ -1783,6 +1788,17 @@
RExC_precomp = Nullch;
return(NULL);
 }
+if (RExC_utf8  !RExC_orig_utf8) {
+   STRLEN len = xend-exp;
+   DEBUG_r(PerlIO_printf(Perl_debug_log,
+  UTF8 mismatch! Converting to utf8 for resizing and compile\n));
+   exp = (char*)Perl_bytes_to_utf8(aTHX_ (U8*)exp, len);
+   xend = exp + len;
+   RExC_orig_utf8 = RExC_utf8;
+   SAVEFREEPV(exp);
+   goto redo_first_pass;
+}
+
 DEBUG_r(PerlIO_printf(Perl_debug_log, size %IVdf , (IV)RExC_size));

 /* Small enough for pointer-storage convention?
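Review bot: `RExC_orig_utf8 = RExC_utf8;` is the only thing that stops `goto redo_first_pass` from looping: after the upgraded pass `RExC_utf8` is still set, and without that assignment `RExC_utf8  !RExC_orig_utf8` (the `&&` is missing in this copy) would hold again, so the invariant deserves a comment in the block. Two further points: `len` is updated in place by `Perl_bytes_to_utf8`, so `xend = exp + len` correctly uses the upgraded length, but `exp` now points at a `SAVEFREEPV`-managed copy that is freed when the enclosing scope unwinds, so anything that keeps `exp` or `RExC_precomp` beyond this function (the compiled regexp's own copy of the pattern text, error messages) must copy the text rather than retain the pointer; and the only explanation of why the retry is needed is the debug string `UTF8 mismatch!`, so the `if` should carry a normal comment stating that a sizing pass done on bytes cannot be trusted once the pattern has been switched to UTF-8 part-way through.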



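The DSA text above says only that the overflow is "UTF-8 related"; the patch shows the mechanism. The regex compiler sizes its output in a first pass, allocates exactly that, then emits in a second pass, and a pattern that switches the compiler into UTF-8 mode part-way through the first pass leaves `RExC_utf8` set for the whole second pass, so characters sized as one byte are emitted as two. The C below is an added illustration written by the editor, not Perl's regcomp.c and not part of the bug report: the pattern syntax (literal bytes plus `\x{HEX}`), the one-byte-per-character node format, the `rx_state`/`rx_pass`/`compile_*` names and the sample patterns are all invented for the model. It runs the same sample through the pre-patch shape and the patched shape (upgrade the pattern to UTF-8 and redo the sizing pass, as the `redo_first_pass` hunk does) and reports the mismatch instead of actually writing past the buffer.

```c
/* Toy model of the two-pass sizing bug behind CVE-2007-5116 and of the
 * patch's fix. Editor's illustration, NOT Perl's regcomp.c: the pattern
 * syntax (literal bytes plus \x{HEX}), the node format and all names here
 * are invented for the model. Patterns must be NUL-terminated (strtoul). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* utf8 models RExC_utf8: sticky across passes, the first pass may switch it
 * on. orig_utf8 models the RExC_orig_utf8 field the patch adds. */
struct rx_state { int utf8; int orig_utf8; };

/* Encode cp as UTF-8 into out (room for 4 bytes); returns the length. */
static size_t utf8_encode(uint32_t cp, unsigned char *out) {
    if (cp < 0x80)  { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) { out[0] = (unsigned char)(0xC0 | (cp >> 6));
                      out[1] = (unsigned char)(0x80 | (cp & 0x3F)); return 2; }
    if (cp < 0x10000) { out[0] = (unsigned char)(0xE0 | (cp >> 12));
                        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
                        out[2] = (unsigned char)(0x80 | (cp & 0x3F)); return 3; }
    out[0] = (unsigned char)(0xF0 | (cp >> 18)); out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F)); out[3] = (unsigned char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Decode one UTF-8 sequence (assumed well formed; only the upgrade step
 * below produces UTF-8 patterns in this model). Returns bytes consumed. */
static size_t utf8_decode(const unsigned char *p, uint32_t *cp) {
    if (p[0] < 0x80) { *cp = p[0]; return 1; }
    if (p[0] < 0xE0) { *cp = ((uint32_t)(p[0] & 0x1F) << 6) | (p[1] & 0x3F); return 2; }
    if (p[0] < 0xF0) { *cp = ((uint32_t)(p[0] & 0x0F) << 12) | ((uint32_t)(p[1] & 0x3F) << 6) | (p[2] & 0x3F); return 3; }
    *cp = ((uint32_t)(p[0] & 0x07) << 18) | ((uint32_t)(p[1] & 0x3F) << 12)
        | ((uint32_t)(p[2] & 0x3F) << 6) | (p[3] & 0x3F);
    return 4;
}

/* One compiler pass over pat[0..len). Each character becomes one output byte
 * in byte mode or its UTF-8 encoding in UTF-8 mode; a \x{HEX} above 0xFF
 * switches st->utf8 on for the rest of compilation, like Perl's first pass.
 * pat_is_utf8 says how to read the pattern itself. Writes at most cap bytes
 * to out (NULL when sizing) and returns how many bytes the pass WANTED to
 * write; the real code has no cap and simply writes past the heap block. */
static size_t rx_pass(const unsigned char *pat, size_t len, int pat_is_utf8,
                      struct rx_state *st, unsigned char *out, size_t cap) {
    size_t pos = 0, need = 0;
    while (pos < len) {
        uint32_t cp; unsigned char tmp[4]; size_t n;
        if (pat[pos] == '\\' && pos + 3 < len && pat[pos + 1] == 'x' && pat[pos + 2] == '{') {
            char *end;
            cp = (uint32_t)strtoul((const char *)pat + pos + 3, &end, 16);
            pos = (size_t)((const unsigned char *)end - pat) + 1;   /* skip '}' */
            if (cp > 0xFF) st->utf8 = 1;                             /* mode flips here */
        } else if (pat_is_utf8) {
            pos += utf8_decode(pat + pos, &cp);
        } else {
            cp = pat[pos++];
        }
        if (st->utf8) n = utf8_encode(cp, tmp); else { tmp[0] = (unsigned char)cp; n = 1; }
        if (out && need + n <= cap) memcpy(out + need, tmp, n);
        need += n;
    }
    return need;
}

/* Pre-patch shape: size, allocate exactly that, emit. st.utf8 stays wherever
 * the first pass left it, so bytes >= 0x80 sized as one byte are emitted as
 * two. Returns bytes the emit pass wanted beyond the allocation (0 = none). */
static size_t compile_vulnerable(const unsigned char *pat, size_t len,
                                 unsigned char **out, size_t *out_len) {
    struct rx_state st = { 0, 0 };
    size_t size = rx_pass(pat, len, 0, &st, NULL, 0);
    unsigned char *buf = malloc(size ? size : 1);
    size_t wrote = rx_pass(pat, len, 0, &st, buf, size);
    *out = buf; *out_len = size;
    return wrote > size ? wrote - size : 0;
}

/* Patched shape: if the first pass switched to UTF-8 while the pattern began
 * as bytes, upgrade the pattern (Perl_bytes_to_utf8 in the patch), record the
 * new state in orig_utf8 so this happens at most once, and redo the sizing
 * pass (redo_first_pass). Both passes then see the same representation. */
static size_t compile_fixed(const unsigned char *pat, size_t len,
                            unsigned char **out, size_t *out_len) {
    struct rx_state st = { 0, 0 };
    unsigned char *upgraded = NULL;
    int pat_is_utf8 = 0;
    size_t size = rx_pass(pat, len, 0, &st, NULL, 0);
    if (st.utf8 && !st.orig_utf8) {
        size_t n = 0;
        upgraded = malloc(2 * len + 1);
        for (size_t i = 0; i < len; i++) n += utf8_encode(pat[i], upgraded + n);
        upgraded[n] = 0;
        pat = upgraded; len = n; pat_is_utf8 = 1;
        st.orig_utf8 = st.utf8;
        size = rx_pass(pat, len, 1, &st, NULL, 0);
    }
    unsigned char *buf = malloc(size ? size : 1);
    size_t wrote = rx_pass(pat, len, pat_is_utf8, &st, buf, size);
    free(upgraded);
    *out = buf; *out_len = size;
    return wrote > size ? wrote - size : 0;
}

int main(void) {
    /* Constructed sample: a Latin-1 byte (0xE9) before an escape for U+0100,
     * which forces the compiler into UTF-8 mode part-way through. */
    const unsigned char pat[] = "\xE9\\x{100}";
    unsigned char *buf; size_t n, over;
    over = compile_vulnerable(pat, sizeof pat - 1, &buf, &n);
    printf("vulnerable: sized %zu bytes, emit pass wanted %zu more\n", n, over);
    free(buf);
    over = compile_fixed(pat, sizeof pat - 1, &buf, &n);
    printf("fixed: sized %zu bytes, overflow %zu\n", n, over);
    free(buf);
    return 0;
}
```

A pure-ASCII pattern never trips the model, because ASCII encodes identically in both modes; the mismatch needs a byte at or above 0x80 sized before the mode flip, which is why the fix upgrades the whole pattern and resizes rather than trying to patch up the count.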