CLD-39 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-12837 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2017-09-20 00:27:11
Date Last Modified 2017-10-04 16:00:00

Version Specific Information:

Cucumber 1.0 i686 fixed in perl-5.22.4-i686-3
Cucumber 1.0 x86_64 fixed in perl-5.22.4-x86_64-3

Cucumber 1.1 i686 fixed in perl-5.26.1-i686-1
Cucumber 1.1 x86_64 fixed in perl-5.26.1-x86_64-1

Details:

Heap-based buffer overflow in the regular expression compiler in Perl before
5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a
denial of service (crash) via a crafted regular expression with the
case-insensitive modifier (https://nvd.nist.gov/vuln/detail/CVE-2017-12837).

Perl 5.22.4 is also vulnerable to this. Despite the fact that Perl 5.22 is
"still supported," the Perl developers apparently do not intend to release a new
Perl version fixing this. Fortunately, we can backport their patch from
https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5#patch1
to fix it.

EDIT:
It was originally claimed that this was fixed in perl-5.22.4-2, however the
patch fixing it was not applied properly. It has now been applied properly in
perl-5.22.4-i686-3 (Cucumber 1.0) and perl-5.26.1-i686-1 (Cucumber 1.1).