[perl #132655] PERL-5.26.1 heap-buffer-overflow READ of size 11

From: Tony Cook via RT
Date: September 21, 2018 05:16
Subject: [perl #132655] PERL-5.26.1 heap-buffer-overflow READ of size 11
Message ID: rt-4.0.24-1690-1537506959-1104.132655-15-0@perl.org

On Sun, 19 Aug 2018 23:32:55 -0700, tonyc wrote:
> On Mon, 09 Apr 2018 08:53:03 -0700, davem wrote:
> > On Mon, Jan 22, 2018 at 09:14:09PM -0800, Tony Cook via RT wrote:
> > > The problem here is the "u" decoder, which creates a new SV (upgraded
> > > to SVt_PV in the case that matters) and sets POK on it.
> > >
> > > When the "ab" fails to decode, no changes are made to the PV, leaving
> > > it unterminated.
> > > This should only cause perl to crash, there's nothing that will write
> > > to the memory block.
> > >
> > > This issue can only occur if the first byte in the string is not a
> > > uuencoding character - so no decoded data is emitted, so the attacker
> > > has zero control over what ends up in the SV that's causing the
> > > problem.
> > >
> > > In the past we've treated similar issues as *not* being security
> > > issues.
> > >
> > > I don't think this is a security issue.
> >
> > Agreed. I think you should go ahead and apply the patch.
> 
> Here's the patch, I'll apply it in a couple of days, unless someone
> suggests we make this a security issue.

More than a couple of days.

Applied as 12cad9bd99725bba72029e2651b2b7f0cab2e0b0.  This ticket is now public.

Tony



---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=132655
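
The failure mode described in the quoted analysis, as a simplified C model added here for illustration; it is not Perl's source and not the applied commit. `toy_sv`, `toy_decode`, the uuencode alphabet check, the 0xAA fill and the early-terminator hardening are all assumptions of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a string SV: buffer, current length, "is a string" flag. */
typedef struct { char *pv; size_t cur; int pok; } toy_sv;

/* Model assumption: classic uuencode alphabet, ' ' (0x20) through '`' (0x60). */
static int is_uu_char(unsigned char c) { return c >= ' ' && c <= '`'; }

/* The 0xAA fill stands in for uninitialised heap (constructed, deterministic). */
static toy_sv toy_new(size_t cap, int hardened) {
    toy_sv sv = { malloc(cap), 0, 0 };
    if (!sv.pv) abort();
    memset(sv.pv, 0xAA, cap);
    if (hardened) sv.pv[0] = '\0';  /* empty string is valid before any decoding */
    sv.pok = 1;                     /* readers now trust pv to be NUL-terminated */
    return sv;
}

/* Decode one uuencoded line; hardened=0 models the pattern from the thread. */
static toy_sv toy_decode(const char *in, int hardened) {
    size_t inlen = strlen(in);
    toy_sv sv = toy_new(inlen + 1, hardened);
    if (!is_uu_char((unsigned char)in[0]))
        return sv;                  /* nothing decodes: pv is never written */
    size_t want = (size_t)((in[0] - ' ') & 0x3f);
    for (size_t i = 1; i + 4 <= inlen && sv.cur < want; i += 4) {
        unsigned a = (in[i] - ' ') & 0x3f, b = (in[i + 1] - ' ') & 0x3f;
        unsigned c = (in[i + 2] - ' ') & 0x3f, d = (in[i + 3] - ' ') & 0x3f;
        unsigned char out[3] = { (unsigned char)(a << 2 | b >> 4),
                                 (unsigned char)(b << 4 | c >> 2),
                                 (unsigned char)(c << 6 | d) };
        for (int k = 0; k < 3 && sv.cur < want; k++)
            sv.pv[sv.cur++] = (char)out[k];
    }
    sv.pv[sv.cur] = '\0';           /* only the success path terminates */
    return sv;
}

/* What a consumer implicitly relies on whenever pok is set. */
static int toy_terminated(const toy_sv *sv) { return sv->pok && sv->pv[sv->cur] == '\0'; }

int main(void) {
    toy_sv bad = toy_decode("ab", 0), good = toy_decode("ab", 1);
    printf("unhardened terminated=%d, hardened terminated=%d\n",
           toy_terminated(&bad), toy_terminated(&good));
    free(bad.pv); free(good.pv);
    return 0;
}
```

In the unhardened path the flag is set while the buffer holds no terminator, so any consumer that scans for NUL reads past the allocation, which matches the out-of-bounds READ in the ticket title.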