develooper Front page | perl.perl5.porters | Postings from August 2019

[perl #131990] Heap-buffer-over-flow in Storable::retrieve thatcould lead to RCE

From:
Tony Cook via RT
Date:
August 6, 2019 04:47
Subject:
[perl #131990] Heap-buffer-over-flow in Storable::retrieve thatcould lead to RCE
Message ID:
rt-4.0.24-29332-1565066838-1428.131990-15-0@perl.org
On Thu, 14 Dec 2017 19:16:27 -0800, tonyc wrote:
> On Wed, 29 Nov 2017 01:29:23 -0800, davem wrote:
> > On Tue, Aug 29, 2017 at 09:25:54AM -0700, Nguyen Duc Manh wrote:
> > > I found a RCE bug in Storable::retrieve.
> >
> > This bug is still present in blead:
> >
> > $ valgrind ./perl -Ilib -e'use Storable; retrieve("/tmp/crafted1")'
> > ...
> > ==11265== Invalid write of size 1
> >
> >
> > I don't know what the status of the various Storable WIP branches is,
> > or whether any of them fix this issue.
> 
> As with the other Storable bug reported to the security this, we don't
> treat Storable issues as security issues, so I've moved this to the
> public queue.
> 
> This issue is fixed in my work-in-progress branch.

This was merged as commit 0a406809258c9d03a34e12c0b7e6028f7fe59ec9 which was included in perl 5.28.0.

Tony

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=131990



nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About