CLD-38 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-12883 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2017-09-20 00:27:01
Date Last Modified 2017-09-20 14:51:11

Version Specific Information:

Cucumber 1.0 i686fixed in perl-5.22.4-i686-2
Cucumber 1.0 x86_64fixed in perl-5.22.4-x86_64-2

Cucumber 1.1 i686 fixed in perl-5.22.4-i686-2
Cucumber 1.1 x86_64 fixed in perl-5.22.4-x86_64-2


Buffer overflow in the regular expression parser in PERL before 5.24.3-RC1 and
5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service
(crash) or leak data from memory via vectors involving use of RExC_parse in the
vFAIL macro (

Perl 5.22.4 is also vulnerable to this. Despite the fact that Perl 5.22 is
"still supported," the Perl developers apparantly do not intend to release a new
Perl version fixing this. Fortunately, we can backport their patch from
to fix it.

Note we had to change this patch slightly to get it to work with Perl 5.22.
We did this by taking their official patch URL
and changing the first commit to be the Perl 5.22.4 commit
which resulted in a URL of
We then cherry picked this one change from that diff.

The actual patch that we used to patch Perl 5.22 can be found at: