[CVE-2012-5195] heap buffer overrun with the 'x' string repeat operator

Bug #1069034 reported by Dominic Hargreaves
Affects          Status   Importance   Assigned to   Milestone
perl (Ubuntu)             Medium       Unassigned
Hardy                     Medium       Unassigned
Lucid                     Medium       Unassigned
Natty                     Medium       Unassigned
Oneiric                   Medium       Unassigned
Precise                   Medium       Unassigned
Quantal                   Medium       Unassigned
Raring                    Medium       Unassigned

Bug Description

The following commit appeared in 5.14.3 and Debian 5.14.3-14:

  commit 5ee2604e72cdd836101f279f8f9e89243c7f0097
  Author: Andy Dougherty <email address hidden>
  Date: Thu Sep 27 09:52:18 2012 -0400

      avoid calling memset with a negative count

      Poorly written perl code that allows an attacker to specify the count to
      perl's 'x' string repeat operator can already cause a memory exhaustion
      denial-of-service attack. A flaw in versions of perl before 5.15.5 can
      escalate that into a heap buffer overrun; coupled with versions of glibc
      before 2.16, it possibly allows the execution of arbitrary code.

      The flaw addressed by this commit has been assigned identifier
      CVE-2012-5195.

http://www.nntp.perl.org/group/perl.perl5.porters/2012/10/msg193886.html
http://www.nntp.perl.org/group/perl.perl5.porters/2012/10/msg194057.html
http://patch-tracker.debian.org/patch/series/view/perl/5.14.2-14/fixes/string_repeat_overrun.diff
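
The arithmetic behind "avoid calling memset with a negative count", as an added C example (not perl's own code and not the patch linked above): unchecked_size shows how a negative count becomes a huge size_t, and the hypothetical repeat_checked clamps the count, refuses a wrapping length, and applies an assumed 1 MiB cap (REPEAT_LIMIT).

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define REPEAT_LIMIT ((size_t)1 << 20)   /* assumed application cap: 1 MiB */
enum repeat_status { REPEAT_OK, REPEAT_TOO_BIG, REPEAT_NOMEM };

/* The flawed arithmetic: a signed count converted to size_t. A count of -1
 * becomes SIZE_MAX, so a memset sized from it runs far past the buffer. */
size_t unchecked_size(long count, size_t len)
{
    return (size_t)count * len;
}

/* Hypothetical hardened repeat: writes a NUL-terminated copy of `s`
 * (len bytes) repeated `count` times into *out; the caller frees it. */
enum repeat_status repeat_checked(const char *s, size_t len, long count,
                                  char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    /* Perl's 'x' yields an empty string for a negative count. */
    size_t n = count < 0 ? 0 : (size_t)count;
    /* Refuse if n * len + 1 would wrap around size_t. */
    if (len != 0 && n > (SIZE_MAX - 1) / len)
        return REPEAT_TOO_BIG;
    size_t total = n * len;
    /* Cap the size so an untrusted count cannot exhaust memory. */
    if (total > REPEAT_LIMIT)
        return REPEAT_TOO_BIG;
    char *buf = malloc(total + 1);
    if (buf == NULL)
        return REPEAT_NOMEM;
    if (len == 1)
        memset(buf, (unsigned char)s[0], total);
    else if (len > 1)
        for (size_t i = 0; i < n; i++)
            memcpy(buf + i * len, s, len);
    buf[total] = '\0';
    *out = buf;
    *out_len = total;
    return REPEAT_OK;
}

int main(void)
{
    char *r; size_t n;   /* constructed input: "ab" repeated LONG_MAX times */
    return repeat_checked("ab", 2, LONG_MAX, &r, &n) == REPEAT_TOO_BIG ? 0 : 1;
}
```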

Dominic Hargreaves (dom)
information type: Private Security → Public Security
Changed in perl (Ubuntu Hardy):
status: New → Confirmed
Changed in perl (Ubuntu Lucid):
status: New → Confirmed
Changed in perl (Ubuntu Natty):
status: New → Confirmed
Changed in perl (Ubuntu Oneiric):
status: New → Confirmed
Changed in perl (Ubuntu Precise):
status: New → Confirmed
Changed in perl (Ubuntu Quantal):
status: New → Confirmed
Changed in perl (Ubuntu Raring):
status: New → Confirmed
Changed in perl (Ubuntu Hardy):
importance: Undecided → Medium
Changed in perl (Ubuntu Natty):
importance: Undecided → Medium
Changed in perl (Ubuntu Precise):
importance: Undecided → Medium
Changed in perl (Ubuntu Raring):
importance: Undecided → Medium
Changed in perl (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in perl (Ubuntu Lucid):
importance: Undecided → Medium
Changed in perl (Ubuntu Quantal):
importance: Undecided → Medium
Dominic Hargreaves (dom) wrote :

Clarification: when I said 5.14.3-14 above, I meant 5.14.2-14.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package perl - 5.14.2-6ubuntu2.2

---------------
perl (5.14.2-6ubuntu2.2) precise-security; urgency=low

  * SECURITY UPDATE: Heap overflow in "x" operator (LP: #1069034)
    - CVE-2012-5195
  * SECURITY UPDATE: CGI.pm improper cookie and p3p CRLF escaping
    - CVE-2012-5526
 -- Seth Arnold <email address hidden> Mon, 26 Nov 2012 11:27:58 -0800

Changed in perl (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package perl - 5.8.8-12ubuntu0.7

---------------
perl (5.8.8-12ubuntu0.7) hardy-security; urgency=low

  * SECURITY UPDATE: Injection problem in Digest::new
    - CVE-2011-3597
    - http://rt.cpan.org/Public/Bug/Display.html?id=71390
  * SECURITY UPDATE: Heap overflow in "x" operator (LP: #1069034)
    - CVE-2012-5195
    - http://www.nntp.perl.org/group/perl.perl5.porters/2012/10/msg193886.html
  * SECURITY UPDATE: CGI.pm improper cookie and p3p CRLF escaping
    - CVE-2012-5526
    - http://github.com/markstos/CGI.pm/pull/23.patch
 -- Seth Arnold <email address hidden> Tue, 27 Nov 2012 23:15:32 -0800

Changed in perl (Ubuntu Hardy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package perl - 5.10.1-8ubuntu2.2

---------------
perl (5.10.1-8ubuntu2.2) lucid-security; urgency=low

  * SECURITY UPDATE: Injection problem in Digest::new
    - CVE-2011-3597
  * SECURITY UPDATE: Off-by-one via crafted Unicode string in Unicode.xs
    - CVE-2011-2939
  * SECURITY UPDATE: Heap overflow in "x" operator (LP: #1069034)
    - CVE-2012-5195
  * SECURITY UPDATE: CGI.pm improper cookie and p3p CRLF escaping
    - CVE-2012-5526
 -- Seth Arnold <email address hidden> Mon, 26 Nov 2012 11:27:38 -0800

Changed in perl (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package perl - 5.14.2-13ubuntu0.1

---------------
perl (5.14.2-13ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Heap overflow in "x" operator (LP: #1069034)
    - CVE-2012-5195
  * SECURITY UPDATE: CGI.pm improper cookie and p3p CRLF escaping
    - CVE-2012-5526
 -- Seth Arnold <email address hidden> Mon, 26 Nov 2012 11:28:12 -0800

Changed in perl (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package perl - 5.12.4-4ubuntu0.1

---------------
perl (5.12.4-4ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Injection problem in Digest::new
    - CVE-2011-3597
  * SECURITY UPDATE: Heap overflow in "x" operator (LP: #1069034)
    - CVE-2012-5195
  * SECURITY UPDATE: CGI.pm improper cookie and p3p CRLF escaping
    - CVE-2012-5526
 -- Seth Arnold <email address hidden> Mon, 26 Nov 2012 11:27:49 -0800

Changed in perl (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in perl (Ubuntu Natty):
status: Confirmed → Won't Fix
Colin Watson (cjwatson) wrote :

Fixed some time ago in raring:

perl (5.14.2-14) unstable; urgency=high

  * [SECURITY] CVE-2012-5195: fix a heap buffer overrun with
    the 'x' string repeat operator. (Closes: #689314)

 -- Niko Tyni <email address hidden> Wed, 10 Oct 2012 21:17:36 +0300

Changed in perl (Ubuntu Raring):
status: Confirmed → Fix Released