develooper Front page | perl.perl5.porters | Postings from April 2016

[perl #123562] [CVE-2015-8853] Regexp-matching "hangs" indefinitelyon illegal input using binmode :utf8 using 100%CPU

Thread Next
From:
Dominic Hargreaves via RT
Date:
April 23, 2016 21:51
Subject:
[perl #123562] [CVE-2015-8853] Regexp-matching "hangs" indefinitelyon illegal input using binmode :utf8 using 100%CPU
Message ID:
rt-4.0.18-24293-1461448309-404.123562-15-0@perl.org
On Sat Apr 23 11:40:13 2016, public@khwilliamson.com wrote:
> On 04/23/2016 03:50 AM, Dominic Hargreaves wrote:
> > On Fri, Apr 22, 2016 at 11:25:36PM -0700, yves orton via RT wrote:

> >> FYI: I pushed backport patches for Karls fix for 5.18.2 and 5.18.4
> >>
> >> I can do other backports if needed.
> >
> > Hi yves,
> >
> > Do you mean 5.20.x for one of these? I couldn't see any pushes to
> > either
> > maint-5.18 or maint-5.20, so wondering where these went.

> He prudently is smoking them first
> 
> http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-
> me/rt_123562_5184
> 
> http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-
> me/rt_123562_5182

Ah, great. Thanks for pointing that out!

I had a closer look, and I noticed that in blead, 22b433eff9a1ffa2454e18405a56650f07b385b5 was followed by d820a0ff34c7df39297a54193fd756bb42c5c06e which amends the change to use Perl_croak_nocontext(). That change did not make it into maint-5.22, nor is it in either of the above smoke branches. Is this important?

Anyway, I've pushed the same change to smoke-me/rt_123562_520 too.

Thanks,
Dominic.

---
via perlbug:  queue: perl5 status: pending release
https://rt.perl.org/Ticket/Display.html?id=123562

Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About