CLD-38 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | perl |
Deficiency Type | SECURITY |
Date Created | 2017-09-20 00:27:01 |
Date Last Modified | 2017-09-20 14:51:11 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in perl-5.22.4-i686-2 |
Cucumber 1.0 x86_64 | fixed in perl-5.22.4-x86_64-2 |
Cucumber 1.1 i686 | fixed in perl-5.22.4-i686-2 |
Cucumber 1.1 x86_64 | fixed in perl-5.22.4-x86_64-2 |
Details:
Buffer overflow in the regular expression parser in Perl before 5.24.3-RC1 and
5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service
(crash) or leak data from memory via vectors involving use of RExC_parse in the
vFAIL macro (https://nvd.nist.gov/vuln/detail/CVE-2017-12883).
Perl 5.22.4 is also vulnerable to this. Despite the fact that Perl 5.22 is
"still supported," the Perl developers apparently do not intend to release a new
Perl version fixing this. Fortunately, we can backport their patch from
https://perl5.git.perl.org/perl.git/blobdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c
to fix it.
Note that we had to change this patch slightly to get it to work with Perl 5.22.
We did this by taking their official patch URL
(https://perl5.git.perl.org/perl.git/blobdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c)
and changing the first commit to be the Perl 5.22.4 commit
(a26666a1317770d8a2228ac3657ba58020c3511f),
which resulted in a URL of
https://perl5.git.perl.org/perl.git/blobdiff/a26666a1317770d8a2228ac3657ba58020c3511f..40b3cdad3649334585cee8f4630ec9a025e62be6:/regcomp.c.
We then cherry-picked this one change from that diff.
The actual patch that we used to patch Perl 5.22 can be found at:
http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch