Title: Perl Unicode '\Q...\E' Quoting Construct Regular Expression Buffer Overflow Vulnerability
Severity: HIGH
Description:
Perl is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input.
The issue arises when certain Unicode data is passed as part of a regular expression, specifically when the offending characters are contained in a variable reference protected by the '\Q...\E' quoting construct.
Successfully exploiting this issue may allow attackers to execute arbitrary machine code in the context of Perl applications using regular expressions in a vulnerable manner. This facilitates the remote compromise of affected computers. Failed exploits can cause denial-of-service conditions.
Perl 5.8.8 is vulnerable to this issue; other versions may also be affected.
NOTE: This issue may be related to BID 26350 ('Perl Unicode Regular Expression Buffer Overflow Vulnerability').
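To help locate code that matches the pattern described above, the following added audit example (not part of the original advisory and not Perl project code) flags Perl source lines where a variable is interpolated inside a '\Q...\E' span. The function name, the line-based heuristic and the sample Perl lines are assumptions made for illustration.

```python
import re

# Line-based heuristic: a \Q span runs to the next \E or to the end of the line.
QUOTED_SPAN = re.compile(r'\\Q(.*?)(?:\\E|$)')
# Scalar or array interpolation: $name, @name, ${name}
VARIABLE = re.compile(r'[$@](?:\{\w+\}|\w+)')


def find_quoted_interpolations(source):
    """Return (line_number, variable) for each variable inside a \\Q...\\E span."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Skip whole-line comments; trailing comments are left in because
        # '#' is also a legal regex delimiter and part of $#array.
        if line.lstrip().startswith('#'):
            continue
        for span in QUOTED_SPAN.finditer(line):
            for var in VARIABLE.finditer(span.group(1)):
                findings.append((lineno, var.group(0)))
    return findings


# Constructed Perl sample, not taken from any real application.
SAMPLE = r'''# constructed sample for the audit script
my $name = param('q');
if ($line =~ /^\Q$name\E:/) { print "hit\n" }
if ($line =~ /\Qliteral.text\E/) { print "fixed\n" }
my $re = qr/\Q$needle/;
# if ($x =~ /\Q$commented\E/) { }
'''

if __name__ == '__main__':
    for lineno, var in find_quoted_interpolations(SAMPLE):
        print(f"line {lineno}: {var} interpolated inside \\Q...\\E")
```

Each hit still needs manual review to decide whether the flagged variable can carry externally supplied Unicode data and whether the interpreter in use is an affected version.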
Affected Products:
- Debian Linux 4.0
- Debian Linux 4.0 alpha
- Debian Linux 4.0 amd64
- Debian Linux 4.0 arm
- Debian Linux 4.0 hppa
- Debian Linux 4.0 ia-32
- Debian Linux 4.0 ia-64
- Debian Linux 4.0 m68k
- Debian Linux 4.0 mips
- Debian Linux 4.0 mipsel
- Debian Linux 4.0 powerpc
- Debian Linux 4.0 s/390
- Debian Linux 4.0 sparc
- Gentoo Linux
- Larry Wall Perl 5.8.8
- MandrakeSoft Corporate Server 3.0.0
- MandrakeSoft Corporate Server 3.0.0 x86_64
- MandrakeSoft Corporate Server 4.0
- MandrakeSoft Corporate Server 4.0.0 x86_64
- MandrakeSoft Linux Mandrake 2007.1
- MandrakeSoft Linux Mandrake 2007.1 x86_64
- MandrakeSoft Linux Mandrake 2008.0
- MandrakeSoft Linux Mandrake 2008.0 x86_64
- MandrakeSoft Multi Network Firewall 2.0.0
- RedHat Fedora 7
- RedHat Fedora 8
References:
- Debian Linux: Debian Bug # 454792 double free and segfault on utf8 containing regexes version
- Perl: Perl Home Page
- David Landgren: This Week on perl5-porters - 6-12 April 2008
