On Thu, 31 May 2018 16:22:05 -0700, tonyc wrote:
> On Thu, May 31, 2018 at 02:24:18PM -0700, secresearch wrote:
> > The following information pertains to information discovered by
> > Fortinet's FortiGuard Labs. It has been determined that a
> > vulnerability exists in Perl.
> > To streamline the disclosure process, we have created a preliminary
> > advisory which you can find below. This upcoming advisory is purely
> > intended as a reference, and does not contain sensitive information
> > such as proof of concept code.
>
> This is a stack overflow from parsing a regular expression with deeply
> nested groups, ie:
>
> /<!--. ?- > K\s((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((...
>
> This is only exploitable as a denial of service (it crashes perl).
>
> We've had this reported to the security list twice before and haven't
> treated it as a security issue.

Also now public and merging into 132609.

Tony

---
via perlbug: queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=133238
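
An added example, not part of the original thread and not Perl's own code: a pre-check that an application accepting patterns from untrusted input could run before compiling them, so that deeply nested groups like those described above are refused instead of reaching the regex parser. The function names, the limit of 50 and the sample patterns are assumptions made for this illustration.

```perl
use strict;
use warnings;

# Assumed limit for this example; tune to the patterns your application accepts.
my $MAX_DEPTH = 50;

# Return the deepest level of "(" nesting in a pattern string without
# compiling it. Escaped characters and bracketed character classes are
# skipped, since "\(" and "[(]" do not open a group. This is a lexical
# approximation, not a full regex parser.
sub max_group_depth {
    my ($pattern) = @_;
    my ($depth, $max, $in_class) = (0, 0, 0);
    my @chars = split //, $pattern;
    for (my $i = 0; $i < @chars; $i++) {
        my $c = $chars[$i];
        if ($c eq '\\') { $i++; next; }    # skip the escaped character
        if ($in_class) {
            $in_class = 0 if $c eq ']';
            next;
        }
        if ($c eq '[') {
            $in_class = 1;
            # a leading "]" (optionally after "^") is a literal class member
            $i++ if ($chars[$i + 1] // '') eq '^';
            $i++ if ($chars[$i + 1] // '') eq ']';
        }
        elsif ($c eq '(') { $depth++; $max = $depth if $depth > $max; }
        elsif ($c eq ')') { $depth-- if $depth > 0; }
    }
    return $max;
}

# Compile an untrusted pattern only if its nesting stays within the limit.
sub compile_untrusted {
    my ($pattern) = @_;
    my $depth = max_group_depth($pattern);
    die "pattern rejected: group nesting $depth exceeds $MAX_DEPTH\n"
        if $depth > $MAX_DEPTH;
    return qr/$pattern/;
}

# Constructed sample inputs: three ordinary patterns and one nested 200 deep.
for my $p ('(a(b)c)+', '\\(\\(literal', '[(]+x', ('(' x 200) . 'a' . (')' x 200)) {
    my $re = eval { compile_untrusted($p) };
    printf "%-12.12s depth=%-3d %s\n", $p, max_group_depth($p),
        $re ? 'compiled' : 'rejected';
}
```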