Bug 976584 - (CVE-2015-8853) VUL-0: CVE-2015-8853: perl: regexp matching hangs indefinitely on illegal UTF-8 input
Status: REOPENED
Duplicates: 997948 997950
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Michael Schröder
Security Team bot
https://smash.suse.de/issue/168093/
CVSSv2:SUSE:CVE-2015-8853:7.8:(AV:N/A...
Reported: 2016-04-21 10:20 UTC by Johannes Segitz
Modified: 2020-06-29 06:24 UTC

Found By: Security Response Team
Description Johannes Segitz 2016-04-21 10:20:11 UTC
A bug in perl can cause regular expressions on malformed UTF8 inputs
to go into a forever loop and consume 100% CPU. The issue was found to
drive a real-world web application into an infinite loop.

Upstream bug: https://rt.perl.org/Public/Bug/Display.html?id=123562
Fix: http://perl5.git.perl.org/perl.git/commit/22b433eff9a1ffa2454e18405a56650f07b385b5
    
CVE-2015-8853

References:
https://bugs.debian.org/821848
https://bugzilla.redhat.com/show_bug.cgi?id=1329106
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8853
http://seclists.org/oss-sec/2016/q2/118
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8853.html
Comment 1 Swamp Workflow Management 2016-04-21 22:00:49 UTC
bugbot adjusting priority
Comment 7 Leonardo Chiquitto 2016-09-23 13:33:03 UTC
*** Bug 997948 has been marked as a duplicate of this bug. ***
Comment 8 Leonardo Chiquitto 2016-09-23 13:35:02 UTC
*** Bug 997950 has been marked as a duplicate of this bug. ***
Comment 9 Michael Schröder 2017-04-26 14:57:21 UTC
This is fixed, right?
Comment 12 Swamp Workflow Management 2018-06-26 08:28:12 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-07-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64075