Perl UTF8 Regex Processing Double Free Bug May Let Users Execute Arbitrary Code
SecurityTracker Alert ID: 1020253
SecurityTracker URL: http://securitytracker.com/id?1020253
CVE Reference: CVE-2008-1927
Date: Jun 12 2008
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.8.8
Description: A vulnerability was reported in Perl. A user may be able to execute arbitrary code on the target system.
A user can supply a specially crafted regular expression containing UTF8 characters to trigger a double free and execute arbitrary code on the target system with the privileges of the process running perl.
steev at hot.pl reported this vulnerability.
Impact: A user may be able to execute arbitrary code on the target system.
Solution: The vendor has issued a source code fix.
Cause: State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: steev@hot.pl
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 4 Dec 2007 11:24:14 +0100
From: steev@hot.pl
Subject: regexp: unicode char causes a 'double free corruption'
This is a bug report for perl from steev@hot.pl,
generated with the help of perlbug 1.35 running under perl v5.8.8.
This little program causes a core dump:
######################################################
#!/usr/bin/perl -w -CSDA
# -CSDA: treat STDIN/STDOUT/STDERR, @ARGV and default I/O layers as UTF-8
use strict;
use utf8;
use encoding 'utf8';
use locale;
my $ans='Ostrów';          # contains the non-ASCII letter 'o acute'
$_="whatever...";
# interpolating the UTF-8 string into an alternation triggers the crash
if (/^$ans| $ans/) { print "I was wrong, sorry...\n" }
######################################################
*** glibc detected *** perl: double free or corruption (!prev): 0x0977adf8 ***
======= Backtrace: =========
/lib/libc.so.6[0x44dac1]
/lib/libc.so.6(cfree+0x90)[0x4510f0]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_safesysfree+0x21)[0x4f5aaf1]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_pregfree+0x56)[0x4f46b66]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_op_clear+0x150)[0x4f34450]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_op_free+0x95)[0x4f36885]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_op_free+0x52)[0x4f36842]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_op_free+0x52)[0x4f36842]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(Perl_op_free+0x52)[0x4f36842]
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so(perl_destruct+0xcc)[0x4f0f78c]
perl(main+0xe7)[0x80491d7]
/lib/libc.so.6(__libc_start_main+0xe0)[0x3fa390]
perl[0x8049031]
======= Memory map: ========
[cut]
'ó' is the latin letter 'o acute'.
The bug usually occurs when 'ans' contains one or more 'ó' characters (lower- or uppercase)
(although the phrase 'Ó ' works, 'Ó ' dumps the core).
Words with more, different unicode characters work fine.
-----------------------------------------------------------------
[Please enter your report here]
[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=core
severity=medium
---
This perlbug was built using Perl v5.8.8 in the Red Hat build system.
It is being executed now by Perl v5.8.8 - Mon Nov 12 14:45:10 EST 2007.
Site configuration information for perl v5.8.8:
Configured by Red Hat, Inc. at Mon Nov 12 14:45:10 EST 2007.
Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
Platform:
osname=linux, osvers=2.6.20-1.2952.fc6, archname=i386-linux-thread-multi
uname='linux hammer2.fedora.redhat.com 2.6.20-1.2952.fc6 #1 smp wed may 16 18:18:22 edt 2007 i686 athlon i386 gnulinux '
config_args='-des -Doptimize=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -Dversion=5.8.8 -Dmyhostname=localhost -Dperladmin=root@loc
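As an added check, not part of the advisory or of steev's report: a POSIX shell harness that runs the reporter's reproducer against the locally installed perl and classifies the exit status, so an affected build shows up as a SIGABRT (glibc's "double free or corruption" abort at interpreter teardown) while a perl on which the encoding pragma no longer loads is reported as "did not run" instead of being mistaken for a clean result. The function names and result strings are my own; the -C flags are passed on the command line because newer perls reject them on the #! line.

```shell
# Map a perl exit status to a result string. Statuses above 128 mean the
# interpreter died from a signal: 134 = SIGABRT (glibc abort on the double
# free), 139 = SIGSEGV. Anything else non-zero means the script never ran
# to completion for an unrelated reason (e.g. a missing pragma/module).
classify_exit() {
    case "$1" in
        0)   echo "no crash"; return 0 ;;
        134) echo "crash: abort (SIGABRT)"; return 0 ;;
        139) echo "crash: segfault (SIGSEGV)"; return 0 ;;
    esac
    if [ "$1" -gt 128 ]; then
        echo "crash: signal $(( $1 - 128 ))"
    else
        echo "did not run (exit $1)"
    fi
}

# Write the reproducer from the bug report to a temp file, run it with the
# same switches the report used, and report the classified outcome.
check_perl_cve_2008_1927() {
    command -v perl >/dev/null 2>&1 || { echo "perl not found"; return 0; }
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
use strict;
use utf8;
use encoding 'utf8';
use locale;
my $ans='Ostrów';
$_="whatever...";
if (/^$ans| $ans/) { print "I was wrong, sorry...\n" }
EOF
    if perl -w -CSDA "$tmp" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    echo "perl $(perl -e 'print $]'): $(classify_exit "$rc")"
    return 0
}

check_perl_cve_2008_1927
```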