Bug 728662 - VUL-0: CVE-2011-2939: perl: decode_xs heap-based buffer overflow
VUL-0: CVE-2011-2939: perl: decode_xs heap-based buffer overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
maint:released:11.3:44303 maint:relea...
Reported: 2011-11-07 14:03 UTC by Matthias Weckbecker
Modified: 2011-11-25 10:40 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Matthias Weckbecker 2011-11-07 14:03:23 UTC
-----------------------------------------------------------------------
Perl bundles the `Encode' module (http://search.cpan.org/~dankogai/Encode/) that
contains the `Unicode.xs' file, where a heap overflow bug was fixed recently
(http://cpansearch.perl.org/src/DANKOGAI/Encode-2.44/Changes):

$Revision: 2.44 $ $Date: 2011/08/09 07:49:44 $
! Unicode/Unicode.xs
  Addressed the following:
    Date: Fri, 22 Jul 2011 13:58:43 +0200
    From: Robert Zacek <zacek@avast.com>
    To: perl5-security-report@perl.org
    Subject: Unicode.xs!decode_xs n-byte heap-overflow

The patch has been merged into the perl development tree
(http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5):

diff --git a/cpan/Encode/Unicode/Unicode.xs b/cpan/Encode/Unicode/Unicode.xs
index 16f4cd1..039f155 100644
--- a/cpan/Encode/Unicode/Unicode.xs
+++ b/cpan/Encode/Unicode/Unicode.xs
@@ -1,5 +1,5 @@
 /*
- $Id: Unicode.xs,v 2.7 2010/12/31 22:48:48 dankogai Exp $
+ $Id: Unicode.xs,v 2.8 2011/08/09 07:49:44 dankogai Exp dankogai $
  */

 #define PERL_NO_GET_CONTEXT
@@ -256,7 +256,10 @@ CODE:
               This prevents allocating too much in the rogue case of a large
               input consisting initially of long sequence uft8-byte unicode
               chars followed by single utf8-byte chars. */
-           STRLEN remaining = (e - s)/usize;
+            /* +1 
+               fixes  Unicode.xs!decode_xs n-byte heap-overflow
+              */
+           STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
            STRLEN max_alloc = remaining + (8*1024*1024);
            STRLEN est_alloc = remaining * UTF8_MAXLEN;
            STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
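Review bot: the new trailing comment `/* +1 to avoid the leak */` misdescribes the fix; the quoted report subject says this is an n-byte heap overflow, not a leak, and the pre-patch `STRLEN remaining = (e - s)/usize;` truncates any trailing partial unit, so `est_alloc = remaining * UTF8_MAXLEN` can be short by one unit's worth of output. Suggest a single comment that states the actual reason, e.g. `/* +1: (e - s)/usize truncates a trailing partial unit; keep headroom for it */`, and drop the three-line comment block above it, which also carries trailing whitespace on `+            /* +1 ` and is indented one column differently from the `STRLEN` line it describes.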

Debian has applied the fix for the Perl 5.12 and 5.14 versions
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637376) so far, but recognized
the bug in all Perl releases since 5.10.0.

No reproducer or other details are known now. This flaw is public.
An unanswered question has been posted to the perl5-porters mailing list
(http://permalink.gmane.org/gmane.comp.lang.perl.perl5.porters/98004).
-----------------------------------------------------------------------
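The following C program is an added illustration of the sizing step shown in the quoted hunk; it is a constructed model, not Encode's decode_xs or any code from the report. It assumes a worst-case expansion of UTF8_MAXLEN bytes per consumed code unit (the macro name is taken from the hunk, the value 13 is an assumption) and that a trailing partial unit is still consumed and rendered, which is what the `+1` guards against. `estimate_before` mirrors the pre-patch `(e - s)/usize`, `estimate_after` the patched `(e - s)/usize + 1`, and `model_decode` performs the decode with an explicit bounds check so an undersized buffer is reported rather than overrun.

```c
/* Constructed model of the output-buffer estimate in the patched hunk.
   Not Encode's code; UTF8_MAXLEN's value here is an assumption. */
#include <stddef.h>
#include <stdio.h>

#define UTF8_MAXLEN 13 /* assumption: worst-case bytes per decoded character */

/* Code units the model decoder consumes from nbytes of fixed-width input:
   every full unit plus one more for a trailing partial unit (model
   assumption: the partial unit is still rendered, e.g. as a replacement). */
size_t units_consumed(size_t nbytes, size_t usize) {
    return nbytes / usize + (nbytes % usize != 0);
}

/* Pre-patch estimate: (e - s)/usize; integer division truncates. */
size_t estimate_before(size_t nbytes, size_t usize) {
    return nbytes / usize;
}

/* Patched estimate: (e - s)/usize + 1; always one unit of headroom. */
size_t estimate_after(size_t nbytes, size_t usize) {
    return nbytes / usize + 1;
}

/* Model decode into a buffer of outcap bytes with an explicit bounds check.
   Every consumed unit expands to the worst case of UTF8_MAXLEN bytes.
   Returns bytes written, or (size_t)-1 if the capacity would be exceeded,
   which is the heap overflow when no such check exists. */
size_t model_decode(size_t nbytes, size_t usize, size_t outcap) {
    size_t units = units_consumed(nbytes, usize);
    size_t written = 0;
    for (size_t u = 0; u < units; u++) {
        if (outcap - written < UTF8_MAXLEN)
            return (size_t)-1;
        written += UTF8_MAXLEN;
    }
    return written;
}

/* 1 if a buffer sized from the given estimator holds the model's output. */
int estimate_is_safe(size_t nbytes, size_t usize,
                     size_t (*estimate)(size_t, size_t)) {
    size_t outcap = estimate(nbytes, usize) * UTF8_MAXLEN;
    return model_decode(nbytes, usize, outcap) != (size_t)-1;
}

int main(void) {
    /* constructed inputs: byte counts that are and are not unit multiples */
    size_t cases[][2] = { {4, 2}, {5, 2}, {8, 4}, {7, 4} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = cases[i][0], u = cases[i][1];
        printf("%zu bytes, usize %zu: before=%s after=%s\n", n, u,
               estimate_is_safe(n, u, estimate_before) ? "ok" : "OVERFLOW",
               estimate_is_safe(n, u, estimate_after) ? "ok" : "OVERFLOW");
    }
    return 0;
}
```

The inputs whose length is not a multiple of the unit size are the ones where the truncating estimate comes up one unit short; with the `+1` the capacity covers the partial unit as well. The bounds check in `model_decode` is what a defensive decoder keeps regardless of how the estimate is computed.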
Comment 1 Swamp Workflow Management 2011-11-08 13:07:27 UTC
The SWAMPID for this issue is 44048.
This issue was rated as moderate.
Please submit fixed packages until 2011-11-22.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Michael Schröder 2011-11-21 17:21:14 UTC
Seems like only 11.3 and 11.4 are affected.
Comment 3 Michael Schröder 2011-11-21 17:30:03 UTC
Fixed packages submitted.
Comment 4 Swamp Workflow Management 2011-11-23 14:29:28 UTC
Update released for: perl, perl-base, perl-base-debuginfo, perl-debuginfo, perl-debuginfo-32bit, perl-debuginfo-x86, perl-debugsource, perl-doc
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 5 Matthias Weckbecker 2011-11-23 15:00:18 UTC
released