CLD-39 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | perl
Deficiency Type | SECURITY
Date Created | 2017-09-20 00:27:11
Date Last Modified | 2017-10-04 16:00:00
Version Specific Information:
Cucumber 1.0 i686 | fixed in perl-5.22.4-i686-3
Cucumber 1.0 x86_64 | fixed in perl-5.22.4-x86_64-3
Cucumber 1.1 i686 | fixed in perl-5.26.1-i686-1
Cucumber 1.1 x86_64 | fixed in perl-5.26.1-x86_64-1
Details:
Heap-based buffer overflow in the regular expression compiler in Perl before
5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a
denial of service (crash) via a crafted regular expression with the
case-insensitive modifier (https://nvd.nist.gov/vuln/detail/CVE-2017-12837).
Perl 5.22.4 is also vulnerable to this. Despite the fact that Perl 5.22 is
"still supported," the Perl developers apparently do not intend to release a new
Perl version fixing this. Fortunately, we can backport their patch from
https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5#patch1
to fix it.
EDIT:
It was originally claimed that this was fixed in perl-5.22.4-2; however, the
patch fixing it was not applied properly. It has now been applied properly in
perl-5.22.4-i686-3 (Cucumber 1.0) and perl-5.26.1-i686-1 (Cucumber 1.1).