Bug#962005: perl: regexp security issues: CVE-2020-10543, CVE-2020-10878, CVE-2020-12723

Dominic Hargreaves dom at earth.li
Mon Jun 1 22:10:28 BST 2020


Source: perl
Version: 5.30.2-1
Severity: important
Tags: security pending
X-Debbugs-Cc: team at security.debian.org

These three issues have all been judged to be no-dsa. An unstable
release will be forthcoming and we hope to provide fixes for stable and
oldstable via point releases.

The following text comes from
<https://metacpan.org/release/XSAWYERX/perl-5.30.3>.

[CVE-2020-10543] Buffer overflow caused by a crafted regular expression

A signed size_t integer overflow in the storage space calculations for
nested regular expression quantifiers could cause a heap buffer overflow in
Perl's regular expression compiler that overwrites memory allocated after
the regular expression storage space with attacker supplied data.

The target system needs a sufficient amount of memory to allocate partial
expansions of the nested quantifiers prior to the overflow occurring. This
requirement is unlikely to be met on 64-bit systems.

Discovered by: ManhND of The Tarantula Team, VinCSS (a member of Vingroup).

[CVE-2020-10878] Integer overflow via malformed bytecode produced by a
crafted regular expression

Integer overflows in the calculation of offsets between instructions for the
regular expression engine could cause corruption of the intermediate
language state of a compiled regular expression. An attacker could abuse
this behaviour to insert instructions into the compiled form of a Perl
regular expression.

Discovered by: Hugo van der Sanden and Slaven Rezic.

[CVE-2020-12723] Buffer overflow caused by a crafted regular expression

Recursive calls to S_study_chunk() by Perl's regular expression compiler to
optimize the intermediate language representation of a regular expression
could cause corruption of the intermediate language state of a compiled
regular expression.

Discovered by: Sergey Aleynikov.

Additional Note

An application written in Perl would only be vulnerable to any of the above
flaws if it evaluates regular expressions supplied by the attacker.
Evaluating regular expressions in this fashion is known to be dangerous
since the regular expression engine does not protect against denial of
service attacks in this usage scenario.
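To illustrate the exposure the note above describes, here is an added
example (not part of the bug report or of perl itself) contrasting code
that compiles a user-supplied string as a pattern with code that matches
it literally via \Q...\E or index(); the log line and user string are
constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: a log line to search and a string typed by a user.
my $log_line   = 'GET /index.html?id=42 HTTP/1.1';
my $user_input = 'id=(';   # constructed: contains an unbalanced metacharacter

# Unsafe: the user string is interpolated as regex syntax, so whatever the
# user typed is handed to Perl's regex compiler. Here it merely fails to
# compile; the point is that the caller, not the program, chose the pattern.
sub search_unsafe {
    my ($text, $pattern) = @_;
    my $hit;
    eval { $hit = ($text =~ /$pattern/) ? 1 : 0; 1 }
        or return "compile error: $@";
    return $hit;
}

# Safe: \Q...\E (quotemeta) escapes every metacharacter, so the user string is
# matched as literal text and never reaches the compiler as syntax.
sub search_literal {
    my ($text, $needle) = @_;
    return ($text =~ /\Q$needle\E/) ? 1 : 0;
}

# Equivalent without the regex engine at all, when a substring test suffices.
sub search_index {
    my ($text, $needle) = @_;
    return (index($text, $needle) >= 0) ? 1 : 0;
}

print "unsafe:  ", search_unsafe($log_line, $user_input),  "\n";
print "literal: ", search_literal($log_line, $user_input), "\n";
print "index:   ", search_index($log_line, $user_input),   "\n";
```

Only the first function lets untrusted text influence regex compilation; the other two are unaffected by the three CVEs above regardless of input.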
