Ubuntu
perl package

[perl] [cve-2007-5116] heap overflow

Bug #160693 reported by disabled.user on 2007-11-07

258

Affects		Status	Importance	Assigned to
	perl (Ubuntu)	Fix Released	Undecided	Stephan Rügamer
Nominated for Dapper by Missi
Nominated for Edgy by Missi
Nominated for Feisty by Missi
Nominated for Gutsy by Missi

Bug Description

Binary package hint: perl

References:
[1] http://www.debian.org/security/2007/dsa-1400
[2] Bug #160454

From [1]:
"Will Drewry and Tavis Ormandy of the Google Security Team have discovered a UTF-8 related heap overflow in Perl's regular expression compiler, probably allowing attackers to execute arbitrary code by compiling specially crafted regular expressions."

CVE References

2007-5116

Revision history for this message

Steve Peters (steve-fisharerojo) wrote on 2007-11-07: Re: [Bug 160693] [perl] [cve-2007-5116] heap overflow

Download full text (4.1 KiB)

The patch applied to the Perl core is the following...

==== //depot/maint-5.8/perl/regcomp.c#109 (text) ====

@@ -117,7 +117,10 @@
     I32 extralen;
     I32 seen_zerolen;
     I32 seen_evals;
- I32 utf8;
+ I32 utf8; /* whether the pattern is utf8 or not */
+ I32 orig_utf8; /* whether the pattern was originally in utf8 */
+ /* XXX use this for future optimisation of case
+ * where pattern must be upgraded to utf8. */
#if ADD_TO_REGEXEC
     char *starttry; /* -Dr: where regtry was called. */
#define RExC_starttry (pRExC_state->starttry)
@@ -143,6 +146,7 @@
#define RExC_seen_zerolen (pRExC_state->seen_zerolen)
#define RExC_seen_evals (pRExC_state->seen_evals)
#define RExC_utf8 (pRExC_state->utf8)
+#define RExC_orig_utf8 (pRExC_state->orig_utf8)

#define ISMULT1(c) ((c) == '*' || (c) == '+' || (c) == '?')
#define ISMULT2(s) ((*s) == '*' || (*s) == '+' || (*s) == '?' || \
@@ -1720,15 +1724,17 @@
if (exp == NULL)
FAIL("NULL regexp argument");

- RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;
+ RExC_utf8 = RExC_orig_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;

- RExC_precomp = exp;
     DEBUG_r({
   if (!PL_colorset) reginitcolors();
   PerlIO_printf(Perl_debug_log, "%sCompiling REx%s `%s%*s%s'\n",
          PL_colors[4],PL_colors[5],PL_colors[0],
          (int)(xend - exp), RExC_precomp, PL_colors[1]);
     });
+
+redo_first_pass:
+ RExC_precomp = exp;
     RExC_flags = pm->op_pmflags;
     RExC_sawback = 0;
@@ -1730,7 +1730,7 @@
   if (!PL_colorset) reginitcolors();
   PerlIO_printf(Perl_debug_log, "%sCompiling REx%s `%s%*s%s'\n",
          PL_colors[4],PL_colors[5],PL_colors[0],
- (int)(xend - exp), RExC_precomp, PL_colors[1]);
+ (int)(xend - exp), exp, PL_colors[1]);
     });

redo_first_pass:
@@ -1754,6 +1760,25 @@
  RExC_precomp = NULL;
  return(NULL);
     }
+ if (RExC_utf8 && !RExC_orig_utf8) {
+ /* It's possible to write a regexp in ascii that represents unicode
+ codepoints outside of the byte range, such as via \x{100}. If we
+ detect such a sequence we have to convert the entire pattern to utf8
+ and then recompile, as our sizing calculation will have been based
+ on 1 byte == 1 character, but we will need to use utf8 to encode
+ at least some part of the pattern, and therefore must convert the whole
+ thing.
+ XXX: somehow figure out how to make this less expensive...
+ -- dmq */
+ STRLEN len = xend-exp;
+ DEBUG_r(PerlIO_printf(Perl_debug_log,
+ "UTF8 mismatch! Converting to utf8 for resizing and compile\n"));
+ exp = (char*)Perl_bytes_to_utf8(aTHX_ (U8*)exp, &len);
+ xend = exp + len;
+ RExC_orig_utf8 = RExC_utf8;
+ SAVEFREEPV(exp);
+ goto redo_first_pass;
+ }
     DEBUG_r(PerlIO_printf(Perl_debug_log, "size %"IVdf" ", (IV)RExC_size));

/* Small enough for pointer-storage convention?

==== //depot/maint-5.8/perl/t/op/pat.t#46 (xtext) ====

@@ -3771,5 +3771,15 @@
iseq($count,1,"should have matched once only [RT#36046]");
}

+{
+ use warnings;
+ local $Message = "ASCII pattern that really is utf8";
+ my @w;
+ local $SIG{__WA...

The patch applied to the Perl core is the following...

==== //depot/maint-5.8/perl/regcomp.c#109 (text) ====

@@ -117,7 +117,10 @@
     I32		extralen;
     I32		seen_zerolen;
     I32		seen_evals;
-    I32		utf8;
+    I32		utf8;		/* whether the pattern is utf8 or not */
+    I32		orig_utf8;	/* whether the pattern was originally in utf8 */
+				/* XXX use this for future optimisation of case
+				 * where pattern must be upgraded to utf8. */
 #if ADD_TO_REGEXEC
     char 	*starttry;		/* -Dr: where regtry was called. */
 #define RExC_starttry	(pRExC_state->starttry)
@@ -143,6 +146,7 @@
 #define RExC_seen_zerolen	(pRExC_state->seen_zerolen)
 #define RExC_seen_evals	(pRExC_state->seen_evals)
 #define RExC_utf8	(pRExC_state->utf8)
+#define RExC_orig_utf8	(pRExC_state->orig_utf8)

#define	ISMULT1(c)	((c) == '*' || (c) == '+' || (c) == '?')
 #define	ISMULT2(s)	((*s) == '*' || (*s) == '+' || (*s) == '?' || \
@@ -1720,15 +1724,17 @@
     if (exp == NULL)
 	FAIL("NULL regexp argument");

-    RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;
+    RExC_utf8 = RExC_orig_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;

-    RExC_precomp = exp;
     DEBUG_r({
 	 if (!PL_colorset) reginitcolors();
 	 PerlIO_printf(Perl_debug_log, "%sCompiling REx%s `%s%*s%s'\n",
 		       PL_colors[4],PL_colors[5],PL_colors[0],
 		       (int)(xend - exp), RExC_precomp, PL_colors[1]);
     });
+
+redo_first_pass:
+    RExC_precomp = exp;
     RExC_flags = pm->op_pmflags;
     RExC_sawback = 0;
@@ -1730,7 +1730,7 @@
 	 if (!PL_colorset) reginitcolors();
 	 PerlIO_printf(Perl_debug_log, "%sCompiling REx%s `%s%*s%s'\n",
 		       PL_colors[4],PL_colors[5],PL_colors[0],
-		       (int)(xend - exp), RExC_precomp, PL_colors[1]);
+		       (int)(xend - exp), exp, PL_colors[1]);
     });

redo_first_pass:
@@ -1754,6 +1760,25 @@
 	RExC_precomp = NULL;
 	return(NULL);
     }
+    if (RExC_utf8 && !RExC_orig_utf8) {
+        /* It's possible to write a regexp in ascii that represents unicode
+        codepoints outside of the byte range, such as via \x{100}. If we
+        detect such a sequence we have to convert the entire pattern to utf8
+        and then recompile, as our sizing calculation will have been based
+        on 1 byte == 1 character, but we will need to use utf8 to encode
+        at least some part of the pattern, and therefore must convert the whole
+        thing.
+        XXX: somehow figure out how to make this less expensive...
+        -- dmq */
+        STRLEN len = xend-exp;
+        DEBUG_r(PerlIO_printf(Perl_debug_log,
+	    "UTF8 mismatch! Converting to utf8 for resizing and compile\n"));
+        exp = (char*)Perl_bytes_to_utf8(aTHX_ (U8*)exp, &len);
+        xend = exp + len;
+        RExC_orig_utf8 = RExC_utf8;
+        SAVEFREEPV(exp);
+        goto redo_first_pass;
+    }
     DEBUG_r(PerlIO_printf(Perl_debug_log, "size %"IVdf" ", (IV)RExC_size));

/* Small enough for pointer-storage convention?

==== //depot/maint-5.8/perl/t/op/pat.t#46 (xtext) ====

@@ -3771,5 +3771,15 @@
     iseq($count,1,"should have matched once only [RT#36046]");
 }

+{
+    use warnings;
+    local $Message = "ASCII pattern that really is utf8";
+    my @w;
+    local $SIG{__WARN__}=sub{push @w,"@_"};
+    my $c=qq(\x{DF});
+    ok($c=~/${c}|\x{100}/);
+    ok(@w==0);
+}
+
 # Don't forget to update this!
-BEGIN{print "1..1251\n"};
+BEGIN{print "1..1253\n"};

On 11/7/07, hk47 <bugtracker@slideomania.com> wrote:
> Public bug reported:
>
> Binary package hint: perl
>
> References:
> [1] http://www.debian.org/security/2007/dsa-1400
> [2] Bug #160454
>
> >From [1]:
> "Will Drewry and Tavis Ormandy of the Google Security Team have discovered a UTF-8 related heap overflow in Perl's regular expression compiler, probably allowing attackers to execute arbitrary code by compiling specially crafted regular expressions."
>
> ** Affects: perl (Ubuntu)
>      Importance: Undecided
>          Status: New
>
> ** Visibility changed to: Public
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2007-5116
>
>
> --
> [perl] [cve-2007-5116] heap overflow
> https://bugs.launchpad.net/bugs/160693
> You received this bug notification because you are a bug contact for
> perl in ubuntu.
>

Revision history for this message

Stephan Rügamer (sruegamer) wrote on 2007-11-12:

Preparing debdiff for gutsy and hopefully all other supported ubuntu release

Revision history for this message

Stephan Rügamer (sruegamer) wrote on 2007-11-12:

Well,

there is a problem with the feisty version of perl.
I can't rebuild even the archive version in a clean feisty chroot with updates and security archives enabled.

If anyone can reproduce this bug, please update this bug, thx.

\sh

Revision history for this message

Stephan Rügamer (sruegamer) wrote on 2007-11-12:

fixed debdiff (-p1 now) for gutsy Edit (3.4 KiB, text/plain)

Revision history for this message

Stephan Rügamer (sruegamer) wrote on 2007-11-12:

#10

fixed debdiff (-p1 now) for edgy Edit (3.4 KiB, text/plain)

Revision history for this message

Stephan Rügamer (sruegamer) wrote on 2007-11-12:

#11

Thx to blueyed,

he can see the same error....

      ../miniperl -I../lib enc2xs.PL
      Extracting enc2xs (with variable substitutions)
      ../miniperl -I../lib xsubpp.PL
      Extracting xsubpp (with variable substitutions)
      make[2]: Leaving directory `/tmp/buildd/perl-5.8.8/utils'
              Making x2p stuff
      make[2]: Entering directory `/tmp/buildd/perl-5.8.8/x2p'
      You haven't done a "make depend" yet!
      make[2]: *** [hash.o] Error 1
      make[2]: Leaving directory `/tmp/buildd/perl-5.8.8/x2p'
      make[1]: *** [translators] Error 2
      make[1]: Leaving directory `/tmp/buildd/perl-5.8.8'
      make: *** [libperl.so.5.8.8] Error 1
      pbuilder: Failed autobuilding of package
       -> Aborting with an error
       -> unmounting dev/pts filesystem
       -> unmounting proc filesystem
       -> cleaning the build env
          -> removing directory /var/cache/pbuilder/build//15826 and its subdirectories

Revision history for this message

Stephan Rügamer (sruegamer) wrote on 2007-11-12:

#12

debdiff of feisty version.
after perl will compile again on feisty it works as expected :)

Revision history for this message

Stephan Rügamer (sruegamer) wrote on 2007-11-12:

#13

dapper debdiff to fix this security issue Edit (3.4 KiB, text/plain)

Revision history for this message

Stephan Rügamer (sruegamer) wrote on 2007-11-13:

#14

fixed debdiff for feisty Edit (4.1 KiB, text/plain)

Stephan Rügamer (sruegamer) on 2007-11-19

Changed in perl:
assignee:	nobody → shermann
status:	New → In Progress

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2007-12-11:

#15

http://www.ubuntu.com/usn/usn-552-1

Changed in perl:
status:	In Progress → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuperl package

[perl] [cve-2007-5116] heap overflow

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
perl package