perl.perl5.porters | Postings from September 2019

[perl #134329] Use-After-Free in regcomp.c:5617

From: Sawyer X via RT
Date: September 19, 2019 06:11
Subject: [perl #134329] Use-After-Free in regcomp.c:5617
Message ID: rt-4.0.24-12434-1568873494-528.134329-15-0@perl.org

On Sat, 31 Aug 2019 07:40:43 -0700, nguyenmanhdung1710@gmail.com wrote:
> On Fri, 30 Aug 2019 07:23:52 -0700, khw wrote:
> > Thanks for finding and reporting this
> > Fixed by
> > 
> > 3b2e5620ed4a6b341f97ffd1d4b6466cc2c4bc5b
> 
> Can I request a CVE for this bug? Thanks.

Hi,

[I've included this response in RT#134325 as well.]

I'm quoting Tony Cook here:

    All cases for both tickets are bad reads, either of freed memory, or
    beyond the end of a buffer.

    None of the reads result in returning data to a potential attacker
    that I can see.

    According to our usual criteria such reads aren't a security issue.

    Can an attacker craft a regexp with data at the offset 65535 point to
    do undesirable things?  Could they make the engine loop at regexp
    compile time or runtime so control isn't returned to the calling perl
    code?

    I'm not sure.

While we are looking into this, we would appreciate any help in proving this. If we can answer Tony's questions, we can discern better if this suits as a security issue.

---
via perlbug:  queue: perl5 status: pending release
https://rt.perl.org/Ticket/Display.html?id=134329


