author: Sawyer X <xsawyerx@cpan.org> 2020-06-07 09:11:24 +0300
committer: Sawyer X <xsawyerx@cpan.org> 2020-06-07 13:10:38 +0300
commit: 930ee041f02371f38c7c11533f2eb8c15787be73
tree: 06d30185f31c07ab4477d1ef00b021f7b40acacb /pod
parent: a192978fac97e3535f3d8ae6857c8156871bb916
Update perldelta on security fixes:

* CVE-2020-10543
* CVE-2020-10878
* CVE-2020-12723

They were fixed on v5.28.3 and 5.30.3 and the fixes were backported.
Diffstat (limited to 'pod')

-rw-r--r-- pod/perldelta.pod | 39
1 files changed, 38 insertions, 1 deletions
diff --git a/pod/perldelta.pod b/pod/perldelta.pod
index ce00bf6560..1ad9c0077c 100644
--- a/pod/perldelta.pod
+++ b/pod/perldelta.pod
@@ -126,7 +126,44 @@ other information as well.)
=head1 Security
-There are no security-related changes.
+=head2 [CVE-2020-10543] Buffer overflow caused by a crafted regular expression
+
+A signed C<size_t> integer overflow in the storage space calculations for
+nested regular expression quantifiers could cause a heap buffer overflow in
+Perl's regular expression compiler that overwrites memory allocated after the
+regular expression storage space with attacker supplied data.
+
+The target system needs a sufficient amount of memory to allocate partial
+expansions of the nested quantifiers prior to the overflow occurring. This
+requirement is unlikely to be met on 64-bit systems.
+
+Discovered by: ManhND of The Tarantula Team, VinCSS (a member of Vingroup).
+
+=head2 [CVE-2020-10878] Integer overflow via malformed bytecode produced by a crafted regular expression
+
+Integer overflows in the calculation of offsets between instructions for the
+regular expression engine could cause corruption of the intermediate language
+state of a compiled regular expression. An attacker could abuse this behaviour
+to insert instructions into the compiled form of a Perl regular expression.
+
+Discovered by: Hugo van der Sanden and Slaven Rezic.
+
+=head2 [CVE-2020-12723] Buffer overflow caused by a crafted regular expression
+
+Recursive calls to C<S_study_chunk()> by Perl's regular expression compiler to
+optimize the intermediate language representation of a regular expression could
+cause corruption of the intermediate language state of a compiled regular
+expression.
+
+Discovered by: Sergey Aleynikov.
+
+=head2 Additional Note
+
+An application written in Perl would only be vulnerable to any of the above
+flaws if it evaluates regular expressions supplied by the attacker. Evaluating
+regular expressions in this fashion is known to be dangerous since the regular
+expression engine does not protect against denial of service attacks in this
+usage scenario.
=head1 Incompatible Changes
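Review bot: the CVE-2020-10543 entry opens with "A signed C<size_t> integer overflow", but C<size_t> is an unsigned type, so the sentence contradicts itself as written; either name the signed quantity that overflowed before being used as a size, or drop "signed" and describe it as an integer overflow in the size calculation. Two smaller points on the same hunk: the commit message says the fixes shipped in 5.28.3 and 5.30.3 and were backported, yet none of the three entries records a fixed version or links to the corresponding maintenance-release perldelta, which is what a reader triaging an installed Perl will look for; and the "Additional Note" would be more useful to administrators if it stated the mitigation it implies, namely that regular expressions are not evaluated from untrusted input, rather than only that doing so "is known to be dangerous".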