develooper Front page | perl.perl5.porters | Postings from April 2016

Re: [perl #123562] [CVE-2015-8853] Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100% CPU

From: Karl Williamson
Date: April 23, 2016 22:29
Subject: Re: [perl #123562] [CVE-2015-8853] Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100% CPU
Message ID: 571BF722.1040004@khwilliamson.com

On 04/23/2016 03:51 PM, Dominic Hargreaves via RT wrote:
> On Sat Apr 23 11:40:13 2016, public@khwilliamson.com wrote:
>> On 04/23/2016 03:50 AM, Dominic Hargreaves wrote:
>>> On Fri, Apr 22, 2016 at 11:25:36PM -0700, yves orton via RT wrote:
>
>>>> FYI: I pushed backport patches for Karl's fix for 5.18.2 and 5.18.4
>>>>
>>>> I can do other backports if needed.
>>>
>>> Hi yves,
>>>
>>> Do you mean 5.20.x for one of these? I couldn't see any pushes to
>>> either maint-5.18 or maint-5.20, so wondering where these went.
>
>> He prudently is smoking them first
>>
>> http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5184
>>
>> http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5182
>
> Ah, great. Thanks for pointing that out!
>
> I had a closer look, and I noticed that in blead, 22b433eff9a1ffa2454e18405a56650f07b385b5 was followed by d820a0ff34c7df39297a54193fd756bb42c5c06e which amends the change to use Perl_croak_nocontext(). That change did not make it into maint-5.22, nor is it in either of the above smoke branches. Is this important?


It would be slightly better to use the change as amended, but I don't think
it is 'important'.
>
> Anyway, I've pushed the same change to smoke-me/rt_123562_520 too.
>
> Thanks,
> Dominic.
>
> ---
> via perlbug:  queue: perl5 status: pending release
> https://rt.perl.org/Ticket/Display.html?id=123562
>

