SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Perl
Vendors:   Wall, Larry
Perl Heap Overflows Let Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code
SecurityTracker Alert ID:  1040681
SecurityTracker URL:  http://securitytracker.com/id/1040681
CVE Reference:   CVE-2018-6797, CVE-2018-6798, CVE-2018-6913
Updated:  Apr 15 2018
Original Entry Date:  Apr 15 2018
Impact:   Denial of service via local system, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Several vulnerabilities were reported in Perl. A local user can execute arbitrary code or cause denial of service conditions on the target system. A local user can obtain potentially sensitive information.

A local user can run Perl code with a specially crafted regular expression to trigger a heap overflow in S_regatom() in 'regcomp.c' and execute arbitrary code on the target system or cause the target system to crash [CVE-2018-6797].

A local user can run Perl code with a specially crafted locale dependent regular expression to trigger a heap buffer overread and access potentially sensitive information on the target system [CVE-2018-6798].

A local user can run Perl code with a specially crafted pack() function call to trigger a heap overflow and execute arbitrary code on the target system or cause the target system to crash [CVE-2018-6913].

These vulnerabilities can also be exploited by remote or remote authenticated users with the ability to upload and execute Perl scripts.
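The three issues above are all reached when attacker-influenced data is handed to Perl as a regular expression pattern or as a pack() template. The following Perl is an added example, not code from the advisory or from the Perl project, showing the defensive habits that keep untrusted input out of those two parsers on a not-yet-patched interpreter, plus a check of whether the running interpreter is at least the fixed release (5.26.2). The function and hash names are this example's own, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# 1. Search for user-supplied text without compiling it as a pattern.
#    \Q...\E (quotemeta) escapes every regex metacharacter, so the
#    interpolated string is matched literally and the regex compiler in
#    regcomp.c never sees attacker-chosen pattern syntax.
sub literal_search {
    my ($haystack, $needle) = @_;
    return $haystack =~ /\Q$needle\E/ ? 1 : 0;
}

# 2. Only ever pass a fixed, programmer-chosen template to pack().
#    Callers select a template by name and supply the values; they never
#    control the template string itself.
my %KNOWN_TEMPLATES = (
    u32_be => 'N',   # 32-bit unsigned, big-endian
    u16_le => 'v',   # 16-bit unsigned, little-endian
);
sub pack_known {
    my ($template_name, @values) = @_;
    my $template = $KNOWN_TEMPLATES{$template_name}
        or die "unknown pack template '$template_name'";
    return pack($template, @values);
}

# 3. Report whether this interpreter is at or past the fixed release.
#    $] is Perl's numeric version; 5.26.2 is 5.026002.
sub interpreter_fixed {
    return $] >= 5.026002 ? 1 : 0;
}

# Constructed inputs for a stand-alone run:
my $user_text = 'price (USD)[?';   # contains regex metacharacters
print literal_search('unit price (USD)[?] is 12', $user_text)
    ? "literal match\n" : "no match\n";
print unpack('H*', pack_known('u32_be', 0xdeadbeef)), "\n";   # deadbeef
print interpreter_fixed()
    ? "perl >= 5.26.2\n"
    : "perl older than 5.26.2; apply the vendor fix\n";
```

The version check is a hint, not a guarantee: distributions backport fixes without changing the reported version, so confirm against the vendor's advisory for the package actually installed.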

Brian Carpenter, Nguyen Duc Manh, and GwanYeong Kim reported these vulnerabilities.

Impact:   A local user can execute arbitrary code on the target system.

A local user can cause denial of service conditions on the target system.

A local user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix (5.26.2).

The vendor advisories are available at:

http://search.cpan.org/~shay/perl/pod/perldelta.pod
https://rt.perl.org/Public/Bug/Display.html?id=132227
https://rt.perl.org/Public/Bug/Display.html?id=132063
https://rt.perl.org/Public/Bug/Display.html?id=131844

Vendor URL:  perl.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 17 2018 (Ubuntu Issues Fix) Perl Heap Overflows Let Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, and 17.10.



Source Message Contents

[Original Message Not Available for Viewing]






Copyright 2018, SecurityGlobal.net LLC