Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 08 Apr 2010 18:48:14 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>
Subject: CVE Request -- perl v5.8.* -- stack overflow by processing certain
 regex (Gentoo BTS#313565 / RH BZ#580605)

Hi Steve, vendors,

   1, wouldn't like to open a can of worms,
   2, but for purpose of properly tracking it, requesting a CVE id for the
      following Perl regular expression engine issue:

Bruce Merry reported:
   [1] http://bugs.gentoo.org/show_bug.cgi?id=313565

an integer overflow, leading to stack overflow in the way
Perl regular expression engine processed certain regular
expression(s). Remote attacker could use this flaw to cause
a denial of service (crash of an application, using the
Perl regular expression engine).

Public PoC from [1]:
--------------------
   perl -e 'if ((("a " x 100000) . "a\n") =~ /\A\S+(?: \S+)*\n\z/) {}'

References:
   [2] http://bugs.gentoo.org/show_bug.cgi?id=313565
   [3] https://bugzilla.redhat.com/show_bug.cgi?id=580605

Affected Perl versions:
   Issue tested and confirmed in Perl of versions v5.8.*.
   Versions of Perl v5.10.* are not affected by this.

Steve, what's the Mitre's opinion on cases like this --
denial of service reachable via certain regular expression.

Should we track them on per issue basis? Or only for cases,
where more than a DoS is possible? (doesn't seem to be
this case though).

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ