perl regex vulnerability - debian - pcre only?

Nicholas Clark nick at ccl4.org
Tue Nov 6 13:23:40 GMT 2007


On Tue, Nov 06, 2007 at 12:59:29PM +0000, Mike Astle wrote:
> That don't look so good:
> 
> ----
> 
> "[...] discovered a flaw in Perl's regular
> expression engine. Specially crafted input to a regular expression can
> cause Perl to improperly allocate memory, resulting in the possible
> execution of arbitrary code with the permissions of the user running
> Perl."
> 
> https://rhn.redhat.com/errata/RHSA-2007-0966.html
> 
> Also...
> 
> http://www.debian.org/security/2007/dsa-1399
> 
> ----
> 
> I only see new pcre3 packages for debian.  Is this a problem with just 
> pcre or perl itself?

It's a subtle bug in the regexp engine, whereby a pattern that happens to be
expressed as ASCII but actually creates UTF-8 regexp nodes can cause the
engine to under-allocate memory. At the time I got the impression that it
would be hard to exploit to do anything nasty locally, let alone remotely.
(Well, any more nasty than you can currently manage with the 5.8.x regexp
engine, whereby you feed it a pattern and it busts the C stack. If one is
letting people pass in external regexps to one's code, one already had a big
hole)

The original reporter from Google did tell us about it a month ago, it
turned out already to have been fixed for 5.10, (so possibly tricky to
backport) and that's the last we heard from anyone. I assume that he assumed
that the Linux vendors would keep us informed. We've not been kept in the
loop at all. Has Debian?

Nicholas Clark
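The reply's last point is the one most readers can act on: a bug in how the engine allocates for a crafted pattern only matters if an attacker gets to supply the pattern. The Perl below is an added illustration, not code from the thread or from the perl5 project, contrasting interpolating untrusted text straight into a match with treating it as a literal via `quotemeta` (the `\Q...\E` escape does the same). The sample strings and the 256-character bound in `compile_bounded` are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Unsafe: $needle is compiled as a pattern, so whoever controls it also
# controls which regexp constructs (and which engine code paths) are reached.
# A malformed value such as "(" is a fatal compile error at match time.
sub match_unsafe {
    my ($haystack, $needle) = @_;
    return $haystack =~ /$needle/ ? 1 : 0;
}

# Safe: quotemeta backslash-escapes every non-word character, so the input is
# matched as a literal string and never interpreted as a pattern.
sub match_literal {
    my ($haystack, $needle) = @_;
    my $escaped = quotemeta($needle);
    return $haystack =~ /$escaped/ ? 1 : 0;
}

# If a feature genuinely needs user-supplied patterns, bound what is accepted:
# cap the length, compile under eval so a bad pattern is an error rather than a
# crash of the whole program, and keep 'use re "eval"' off so (?{ }) blocks in
# interpolated patterns stay refused (perl's default).  The cap is a constructed
# value; pick one that fits the feature.
sub compile_bounded {
    my ($pattern, $max_len) = @_;
    $max_len = 256 unless defined $max_len;   # avoid //= to stay 5.8-compatible
    die "pattern too long\n" if length($pattern) > $max_len;
    my $re = eval { qr/$pattern/ };
    die "invalid pattern: $@" unless defined $re;
    return $re;
}

unless (caller) {
    # Constructed input: a user searches a price list for the literal "$5.00".
    my $haystack = 'price: $5.00 (sale)';
    my $needle   = '$5.00';

    # Interpolated as a pattern, "$" is an end-of-string anchor, so no match.
    printf "unsafe : %d\n", match_unsafe($haystack, $needle);   # 0
    # Escaped, it is the literal text and matches.
    printf "literal: %d\n", match_literal($haystack, $needle);  # 1

    # A malformed needle only breaks the unsafe path.
    my $ok = eval { match_unsafe($haystack, '('); 1 };
    print "unsafe with '(': ", ($ok ? "matched" : "died: $@");
    printf "literal with '(': %d\n", match_literal($haystack, '(');

    # Bounded compilation rejects oversized patterns before the engine sees them.
    my $r = eval { compile_bounded('a' x 300); 1 };
    print "bounded: ", ($r ? "accepted\n" : "rejected: $@");
}
```

The literal form is the right default for search boxes, filters and log grep features; `compile_bounded` is only for the rare case where users are meant to write patterns, and even then a length cap does not stop every pathological pattern, so such code should not run with more privilege than the user who supplied it.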

