CLD-38 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-12883 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2017-09-20 00:27:01
Date Last Modified 2017-09-20 14:51:11

Version Specific Information:

Cucumber 1.0 i686 fixed in perl-5.22.4-i686-2
Cucumber 1.0 x86_64 fixed in perl-5.22.4-x86_64-2

Cucumber 1.1 i686 fixed in perl-5.22.4-i686-2
Cucumber 1.1 x86_64 fixed in perl-5.22.4-x86_64-2

Details:

Buffer overflow in the regular expression parser in PERL before 5.24.3-RC1 and
5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service
(crash) or leak data from memory via vectors involving use of RExC_parse in the
vFAIL macro (https://nvd.nist.gov/vuln/detail/CVE-2017-12883).

Perl 5.22.4 is also vulnerable to this. Despite the fact that Perl 5.22 is
"still supported," the Perl developers apparantly do not intend to release a new
Perl version fixing this. Fortunately, we can backport their patch from
https://perl5.git.perl.org/perl.git/blobdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c
to fix it.

Note we had to change this patch slightly to get it to work with Perl 5.22.
We did this by taking their official patch URL
(https://perl5.git.perl.org/perl.git/blobdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c)
and changing the first commit to be the Perl 5.22.4 commit
(a26666a1317770d8a2228ac3657ba58020c3511f),
which resulted in a URL of
https://perl5.git.perl.org/perl.git/blobdiff/a26666a1317770d8a2228ac3657ba58020c3511f..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c.
We then cherry picked this one change from that diff.

The actual patch that we used to patch Perl 5.22 can be found at:
http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch