CVE-2018-18311: Perl Buffer Overflow

Bug #1820757 reported by Ken Young
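+-----------+--------------+------------+------------------------------+-----------+
| Affects   | Status       | Importance | Assigned to                  | Milestone |
+-----------+--------------+------------+------------------------------+-----------+
| StarlingX | Fix Released | High       | Mawrer Amed Ramirez Martinez |           |
+-----------+--------------+------------+------------------------------+-----------+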

Bug Description

Title
-----
CVE-2018-18311: Perl Buffer Overflow

Brief Description
-----------------
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

+----------------+----------------------------------------------------------------------------------+
| CVE-2018-18311 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 9.8 CRITICAL (nvd)                                                               |
| nvd            | 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL                        |
| redhat         | 8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H IMPORTANT                       |
| nvd            | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH                                              |
| Summary        | Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted  |
|                | regular expression that triggers invalid write operations.                       |
| CWE            | CWE-190: Integer Overflow or Wraparound (redhat)                                 |
| CWE            | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')  |
|                | (redhat)                                                                         |
| CWE            | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
|                | (nvd)                                                                            |
| Affected Pkg   | perl-4:5.16.3-293.el7 -> 4:5.16.3-294.el7_6 (updates)                            |
| Affected Pkg   | perl-Pod-Escapes-1:1.04-293.el7 -> 1:1.04-294.el7_6 (updates)                    |
| Affected Pkg   | perl-libs-4:5.16.3-293.el7 -> 4:5.16.3-294.el7_6 (updates)                       |
| Affected Pkg   | perl-macros-4:5.16.3-293.el7 -> 4:5.16.3-294.el7_6 (updates)                     |
| Confidence     | 100 / OvalMatch                                                                  |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2018-18311                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2018-18311         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2018-18311         |
| RHEL-CVE       | https://access.redhat.com/security/cve/CVE-2018-18311                            |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-190.html                              |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-120.html                              |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-119.html                              |
+----------------+----------------------------------------------------------------------------------+

Severity
--------
<Major: System/Feature is usable but degraded>

Steps to Reproduce
------------------
N/A

Expected Behavior
------------------
N/A

Actual Behavior
----------------
N/A

Reproducibility
---------------
N/A

System Configuration
--------------------
N/A

Branch/Pull Time/Commit
-----------------------
N/A

Timestamp/Logs
--------------
N/A


Ken Young (kenyis)
information type: Public → Private Security
Changed in starlingx:
importance: Undecided → High
Ghada Khalil (gkhalil)
tags: added: stx.2019.05 stx.security
Bruce Jones (brucej)
Changed in starlingx:
assignee: nobody → Cesar Lara (clara1)
Victor Manuel Rodriguez Bahena (vm-rod25) wrote : Re: [Bug 1820757] Re: CVE-2018-18311: Perl Buffer Overflow

This is the patch that fixes it. We might need to rebase. Whoever is going to
be in charge of fixing it, this is a good hint.

https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be

:)

On Mon, Mar 18, 2019, 17:50 Bruce Jones <email address hidden> wrote:

> ** Changed in: starlingx
> Assignee: (unassigned) => Cesar Lara (clara1)

Ken Young (kenyis) wrote :

This CVE has been fixed upstream on January 21st. To fix this, please update the following packages:

perl-4:5.16.3-293.el7 -> 4:5.16.3-294.el7_6 (updates)
perl-Pod-Escapes-1:1.04-293.el7 -> 1:1.04-294.el7_6 (updates)
perl-libs-4:5.16.3-293.el7 -> 4:5.16.3-294.el7_6 (updates)
perl-macros-4:5.16.3-293.el7 -> 4:5.16.3-294.el7_6 (updates)

Ghada Khalil (gkhalil)
Changed in starlingx:
status: New → Triaged
Ken Young (kenyis)
tags: added: stx.build
Michel Thebeau [WIND] (mthebeau) wrote :

The CentOS security announcement lists all of the affected packages; this URL should have been listed in the bug description:
https://lists.centos.org/pipermail/centos-announce/2019-January/023148.html

Sometimes there may be more than one CentOS security announcement for a CVE; all of these should be listed in the bug description.

A method can be used to verify the RPM files listed in the CentOS announcement(s) are updated:

list="perl perl-core perl-CPAN perl-devel perl-devel perl-ExtUtils-CBuilder perl-ExtUtils-Embed perl-ExtUtils-Install perl-IO-Zlib perl-libs perl-libs perl-Locale-Maketext-Simple perl-macros perl-Module-CoreList perl-Module-Loaded perl-Object-Accessor perl-Package-Constants perl-Pod-Escapes perl-tests perl-Time-Piece"
find . | xargs rpm -qp --queryformat="%{NAME},%{SOURCERPM}\n" 2>/dev/null | grep "^\($( echo $list | sed "s; ;\\\|;g" )\),"
perl-macros,perl-5.16.3-293.el7.src.rpm
perl-libs,perl-5.16.3-293.el7.src.rpm
perl,perl-5.16.3-293.el7.src.rpm
perl-devel,perl-5.16.3-293.el7.src.rpm
perl-Pod-Escapes,perl-5.16.3-293.el7.src.rpm
perl-ExtUtils-Install,perl-5.16.3-293.el7.src.rpm
perl-ExtUtils-Embed,perl-5.16.3-293.el7.src.rpm
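
A follow-on check for output in the `NAME,SOURCERPM` format shown above, as an added example (not part of the original comment or of StarlingX tooling): it flags any package built from a perl source RPM older than the fixed 5.16.3-294.el7_6 named in this report. The function names and the sample input are constructed, and `sort -V` stands in for RPM's own version comparison.

```shell
# Added example. FIXED_VR is the fixed version-release named in this report
# (4:5.16.3-294.el7_6); the epoch is dropped because %{SOURCERPM} omits it.
FIXED_VR="5.16.3-294.el7_6"

# vr_lt A B: true when A sorts strictly before B. `sort -V` (GNU coreutils)
# is used as an approximation of RPM's own version comparison.
vr_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_perl_srpms: read NAME,SOURCERPM lines on stdin, print a verdict for
# each package built from the core perl source RPM, and return 1 if any of
# them predates FIXED_VR.
audit_perl_srpms() {
    rc=0
    while IFS=, read -r name srpm; do
        case "$srpm" in
            perl-[0-9]*.src.rpm) ;;   # built from the core perl SRPM
            *) continue ;;            # other source package: not in scope
        esac
        vr=${srpm#perl-}
        vr=${vr%.src.rpm}
        if vr_lt "$vr" "$FIXED_VR"; then
            echo "STALE $name $vr"
            rc=1
        else
            echo "OK $name $vr"
        fi
    done
    return "$rc"
}

# Constructed sample input: two lines as in the output above, one line at the
# fixed release, and one package from an unrelated source RPM.
sample_input() {
    cat <<'EOF'
perl-libs,perl-5.16.3-293.el7.src.rpm
perl,perl-5.16.3-293.el7.src.rpm
perl-macros,perl-5.16.3-294.el7_6.src.rpm
bash,bash-4.2.46-31.el7.src.rpm
EOF
}

sample_input | audit_perl_srpms || echo "stale perl packages found"
```

On a build tree, pipe the `rpm -qp --queryformat` output from the command above into `audit_perl_srpms` instead of `sample_input`.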

Mawrer Amed Ramirez Martinez (marami3) wrote :

The new review is here:

https://review.openstack.org/#/c/649151/

Now it includes the following list of perl packages:

perl-macros,perl-5.16.3-293.el7.src.rpm
perl-libs,perl-5.16.3-293.el7.src.rpm
perl,perl-5.16.3-293.el7.src.rpm
perl-devel,perl-5.16.3-293.el7.src.rpm
perl-Pod-Escapes,perl-5.16.3-293.el7.src.rpm
perl-ExtUtils-Install,perl-5.16.3-293.el7.src.rpm
perl-ExtUtils-Embed,perl-5.16.3-293.el7.src.rpm

Michel Thebeau [WIND] (mthebeau) wrote :

Thanks; please comment about the testing which is performed for this change.

Michel Thebeau [WIND] (mthebeau) wrote :

I audited the version of perl in containers. These are up-to-date with the version we want. The containers showing perl installed are:

starlingx/stx-magnum
starlingx/stx-neutron
starlingx/stx-ceilometer
starlingx/stx-nova
starlingx/stx-glance

This report is still required for the installed hosts (ISO image).

Ken Young (kenyis)
tags: added: stx.2.0
removed: stx.2019.05
Ken Young (kenyis)
Changed in starlingx:
assignee: Cesar Lara (clara1) → Mawrer Amed Ramirez Martinez (marami3)
Ken Young (kenyis)
Changed in starlingx:
status: Triaged → Fix Released
Ken Young (kenyis)
information type: Private Security → Public