[CVE-2015-8853] Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU #14406

Closed
p5pRT opened this issue Jan 7, 2015 · 17 comments


@p5pRT p5pRT commented Jan 7, 2015

Migrated from rt.perl.org#123562 (status was 'resolved')

Searchable as RT123562$


@p5pRT p5pRT commented Jan 7, 2015

From torge.husfeldt@1und1.de

Created by torge.husfeldt@1und1.de

This only gets triggered for specific regexes. I stumbled upon this
while feeding utf-8-filehandles to MIME::Parser which in hindsight seems
to be a bad idea.

To reproduce:
echo -e "a\x80" | perl -e 'binmode STDIN, ":utf8"; while (<>){/(\n\r|\r)$/ ; print "DONE\n"}'

Result: 100% CPU + no progress

Expected Result: some kind of error message

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.18.2:

Configured by Debian Project at Thu Mar 27 18:28:21 UTC 2014.

Summary of my perl5 (revision 5 version 18 subversion 2) configuration:


-- 
Torge Husfeldt

Senior Anti-Abuse Engineer
Abuse-Department 1&1 International

1&1 Internet Service GmbH | Brauerstraße 50 | 76135 Karlsruhe | Germany
Phone: +49 721 91374-4795
E-Mail: torge.husfeldt@1und1.de | Web: www.1und1.de

Head office Montabaur, Local Court Montabaur, HRB 20141

Managing directors: Frank Einhellinger, Uwe Lamnek, Jan Oetjen


Member of United Internet


This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient of this e-mail, you are hereby
notified that saving, distribution or use of the content of this e-mail
in any way is prohibited. If you have received this e-mail in error,
please notify the sender and delete the e-mail.


@p5pRT p5pRT commented Jan 8, 2015

From @jkeenan

On Wed Jan 07 07:15:24 2015, torge.husfeldt@1und1.de wrote:

> This is a bug report for perl from torge.husfeldt@1und1.de,
> generated with the help of perlbug 1.39 running under perl 5.18.2.

Confirmed with blead (3147e83) on Ubuntu Linux 14.04 LTS.



--
James E Keenan (jkeenan@​cpan.org)


@p5pRT p5pRT commented Jan 8, 2015

The RT System itself - Status changed from 'new' to 'open'


@p5pRT p5pRT commented Jan 8, 2015

From @jkeenan

On Wed Jan 07 16:54:45 2015, jkeenan wrote:

> On Wed Jan 07 07:15:24 2015, torge.husfeldt@1und1.de wrote:
>
> > This is a bug report for perl from torge.husfeldt@1und1.de,
> > generated with the help of perlbug 1.39 running under perl 5.18.2.
>
> Confirmed with blead (3147e83) on
> Ubuntu Linux 14.04 LTS.

And found as far back as 5.8.9. (I tried 5.6.2, but that version did not have the ':utf8' discipline.)

--
James E Keenan (jkeenan@​cpan.org)


@p5pRT p5pRT commented Jan 8, 2015

From torge.husfeldt@1und1.de

Hi,

the following does exactly what I expected and may be what I should have
used in the first place:

echo -e "a\x80" | perl -e 'binmode STDIN, ":encoding(utf8)"; while (<>){/(\n\r|\r)$/ ; print "DONE\n"}'
utf8 "\x80" does not map to Unicode at -e line 1.
DONE

--
Torge Husfeldt



@p5pRT p5pRT commented Sep 16, 2015

From @khwilliamson

The reason you didn't see warnings is because you didn't enable warnings. Several are raised. But the underlying issue remains: It should not loop when confronted with malformed input. That is now fixed by commit 22b433e in blead

Thanks for reporting this

--
Karl Williamson
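
As an added example (not code from this ticket or from perl5): one way to keep malformed bytes away from the regex engine is to read raw bytes and decode them strictly with Encode, rejecting lines that fail, rather than relying on the `:utf8` layer used in the reproduction, which accepts the bytes without checking that they are well-formed. The sample bytes and the helper names `printable`, `decode_strict` and `scan` are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the ticket or from perl5.
use strict;
use warnings;
use Encode qw(decode FB_CROAK LEAVE_SRC);

# Constructed sample input: four lines of raw bytes, as a mail parser
# might receive them. Line 3 is the ticket's input (a lone \x80).
my $sample = join '',
    "plain ascii\r\n",
    "caf\xC3\xA9\n",
    "a\x80\n",
    "trunc\xE2\x82\n";

# The pattern from the report, unchanged.
my $eol_re = qr/(\n\r|\r)$/;

# Render bytes safely for a log line.
sub printable {
    my ($bytes) = @_;
    (my $out = $bytes) =~ s/([^\x20-\x7E])/sprintf '\\x%02X', ord $1/ge;
    return $out;
}

# Strictly decode one line of bytes.
# Returns the decoded string, or undef if the bytes are not well-formed UTF-8.
sub decode_strict {
    my ($bytes) = @_;
    # FB_CROAK makes decode() die on malformed input; LEAVE_SRC keeps
    # $bytes intact so the caller can still log it.
    return eval { decode('UTF-8', $bytes, FB_CROAK | LEAVE_SRC) };
}

# Classify every line: returns a list of [line_no, status, printable_bytes].
sub scan {
    my ($data) = @_;
    # Read raw bytes; there is no :utf8 layer, so nothing is marked as
    # UTF-8 before it has been validated.
    open my $fh, '<:raw', \$data or die "in-memory open failed: $!";
    my @report;
    while (my $bytes = <$fh>) {
        my $text = decode_strict($bytes);
        my $status = !defined $text   ? 'REJECTED (malformed UTF-8)'
                   : $text =~ $eol_re ? 'ok, CR line ending'
                   :                    'ok';
        push @report, [ $., $status, printable($bytes) ];
    }
    close $fh;
    return @report;
}

printf "%d  %-28s %s\n", @$_ for scan($sample);
```

Only strings that passed the strict decode are matched against the pattern; the rejected lines are logged in escaped form and never reach it.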


@p5pRT p5pRT commented Sep 16, 2015

@khwilliamson - Status changed from 'open' to 'pending release'


@p5pRT p5pRT commented Apr 20, 2016

From @jmdh

This issue is being treated as a security issue by Debian; see

http://www.openwall.com/lists/oss-security/2016/04/20/5

If p5p agrees that this is a correct assessment (it seems so to me) then it should be queued for 5.20.4, I presume?

The Debian bug reporter has rebased the patch for 5.20, but I haven't reviewed that:

https://bugs.debian.org/821848


@p5pRT p5pRT commented Apr 22, 2016

From @jmdh

On Wed Apr 20 05:04:56 2016, dom wrote:

> This issue is being treated as a security issue by Debian; see
>
> http://www.openwall.com/lists/oss-security/2016/04/20/5
>
> If p5p agrees that this is a correct assessment (it seems so to me)
> then it should be queued for 5.20.4, I presume?
>
> The Debian bug reporter has rebased the patch for 5.20, but I haven't
> reviewed that:
>
> https://bugs.debian.org/821848

This issue has been assigned CVE-2015-8853.


@p5pRT p5pRT commented Apr 23, 2016

From @demerphq

On 22 April 2016 at 12:19, Dominic Hargreaves via RT
<perlbug-followup@perl.org> wrote:

> On Wed Apr 20 05:04:56 2016, dom wrote:
>
> > This issue is being treated as a security issue by Debian; see
> >
> > http://www.openwall.com/lists/oss-security/2016/04/20/5
> >
> > If p5p agrees that this is a correct assessment (it seems so to me)
> > then it should be queued for 5.20.4, I presume?
> >
> > The Debian bug reporter has rebased the patch for 5.20, but I haven't
> > reviewed that:
> >
> > https://bugs.debian.org/821848
>
> This issue has been assigned CVE-2015-8853.

FYI: I pushed backport patches for Karl's fix for 5.18.2 and 5.18.4

I can do other backports if needed.

Yves

--
perl -Mre=debug -e "/just|another|perl|hacker/"


@p5pRT p5pRT commented Apr 23, 2016

From @jmdh

On Fri, Apr 22, 2016 at 11:25:36PM -0700, yves orton via RT wrote:

> On 22 April 2016 at 12:19, Dominic Hargreaves via RT
> <perlbug-followup@perl.org> wrote:
>
> > On Wed Apr 20 05:04:56 2016, dom wrote:
> >
> > > This issue is being treated as a security issue by Debian; see
> > >
> > > http://www.openwall.com/lists/oss-security/2016/04/20/5
> > >
> > > If p5p agrees that this is a correct assessment (it seems so to me)
> > > then it should be queued for 5.20.4, I presume?
> > >
> > > The Debian bug reporter has rebased the patch for 5.20, but I haven't
> > > reviewed that:
> > >
> > > https://bugs.debian.org/821848
> >
> > This issue has been assigned CVE-2015-8853.
>
> FYI: I pushed backport patches for Karl's fix for 5.18.2 and 5.18.4
>
> I can do other backports if needed.

Hi yves,

Do you mean 5.20.x for one of these? I couldn't see any pushes to either
maint-5.18 or maint-5.20, so wondering where these went.

Thanks for your work!

Dominic.


@p5pRT p5pRT commented Apr 23, 2016

From @khwilliamson

On 04/23/2016 03:50 AM, Dominic Hargreaves wrote:

> On Fri, Apr 22, 2016 at 11:25:36PM -0700, yves orton via RT wrote:
>
> > On 22 April 2016 at 12:19, Dominic Hargreaves via RT
> > <perlbug-followup@perl.org> wrote:
> >
> > > On Wed Apr 20 05:04:56 2016, dom wrote:
> > >
> > > > This issue is being treated as a security issue by Debian; see
> > > >
> > > > http://www.openwall.com/lists/oss-security/2016/04/20/5
> > > >
> > > > If p5p agrees that this is a correct assessment (it seems so to me)
> > > > then it should be queued for 5.20.4, I presume?
> > > >
> > > > The Debian bug reporter has rebased the patch for 5.20, but I haven't
> > > > reviewed that:
> > > >
> > > > https://bugs.debian.org/821848
> > >
> > > This issue has been assigned CVE-2015-8853.
> >
> > FYI: I pushed backport patches for Karl's fix for 5.18.2 and 5.18.4
> >
> > I can do other backports if needed.
>
> Hi yves,
>
> Do you mean 5.20.x for one of these? I couldn't see any pushes to either
> maint-5.18 or maint-5.20, so wondering where these went.
>
> Thanks for your work!
>
> Dominic.

Dominic,

He prudently is smoking them first

http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5184

http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5182


@p5pRT p5pRT commented Apr 23, 2016

From @jmdh

On Sat Apr 23 11:40:13 2016, public@khwilliamson.com wrote:

> On 04/23/2016 03:50 AM, Dominic Hargreaves wrote:
>
> > On Fri, Apr 22, 2016 at 11:25:36PM -0700, yves orton via RT wrote:
> >
> > > FYI: I pushed backport patches for Karl's fix for 5.18.2 and 5.18.4
> > >
> > > I can do other backports if needed.
> >
> > Hi yves,
> >
> > Do you mean 5.20.x for one of these? I couldn't see any pushes to
> > either
> > maint-5.18 or maint-5.20, so wondering where these went.
>
> He prudently is smoking them first
>
> http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5184
>
> http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5182

Ah, great. Thanks for pointing that out!

I had a closer look, and I noticed that in blead, 22b433e was followed by d820a0f which amends the change to use Perl_croak_nocontext(). That change did not make it into maint-5.22, nor is it in either of the above smoke branches. Is this important?

Anyway, I've pushed the same change to smoke-me/rt_123562_520 too.

Thanks,
Dominic.


@p5pRT p5pRT commented Apr 23, 2016

From @khwilliamson

On 04/23/2016 03:51 PM, Dominic Hargreaves via RT wrote:

> On Sat Apr 23 11:40:13 2016, public@khwilliamson.com wrote:
>
> > On 04/23/2016 03:50 AM, Dominic Hargreaves wrote:
> >
> > > On Fri, Apr 22, 2016 at 11:25:36PM -0700, yves orton via RT wrote:
> > >
> > > > FYI: I pushed backport patches for Karl's fix for 5.18.2 and 5.18.4
> > > >
> > > > I can do other backports if needed.
> > >
> > > Hi yves,
> > >
> > > Do you mean 5.20.x for one of these? I couldn't see any pushes to
> > > either
> > > maint-5.18 or maint-5.20, so wondering where these went.
> >
> > He prudently is smoking them first
> >
> > http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5184
> >
> > http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5182
>
> Ah, great. Thanks for pointing that out!
>
> I had a closer look, and I noticed that in blead, 22b433e was followed by d820a0f which amends the change to use Perl_croak_nocontext(). That change did not make it into maint-5.22, nor is it in either of the above smoke branches. Is this important?

It would be slightly better to use change as amended, but I don't think
it is 'important'

> Anyway, I've pushed the same change to smoke-me/rt_123562_520 too.
>
> Thanks,
> Dominic.
>
> ---
> via perlbug: queue: perl5 status: pending release
> https://rt-archive.perl.org/perl5/Ticket/Display.html?id=123562


@p5pRT p5pRT commented Apr 24, 2016

From @demerphq

On 24 April 2016 at 00:28, Karl Williamson <public@khwilliamson.com> wrote:

> On 04/23/2016 03:51 PM, Dominic Hargreaves via RT wrote:
>
> > On Sat Apr 23 11:40:13 2016, public@khwilliamson.com wrote:
> >
> > > On 04/23/2016 03:50 AM, Dominic Hargreaves wrote:
> > >
> > > > On Fri, Apr 22, 2016 at 11:25:36PM -0700, yves orton via RT wrote:
> > > >
> > > > > FYI: I pushed backport patches for Karl's fix for 5.18.2 and 5.18.4
> > > > >
> > > > > I can do other backports if needed.
> > > >
> > > > Hi yves,
> > > >
> > > > Do you mean 5.20.x for one of these? I couldn't see any pushes to
> > > > either
> > > > maint-5.18 or maint-5.20, so wondering where these went.
> > >
> > > He prudently is smoking them first
> > >
> > > http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5184
> > >
> > > http://perl5.git.perl.org/perl.git/shortlog/refs/heads/smoke-me/rt_123562_5182
> >
> > Ah, great. Thanks for pointing that out!
> >
> > I had a closer look, and I noticed that in blead,
> > 22b433e was followed by
> > d820a0f which amends the change to use
> > Perl_croak_nocontext(). That change did not make it into maint-5.22, nor is
> > it in either of the above smoke branches. Is this important?
>
> It would be slightly better to use change as amended, but I don't think it
> is 'important'

If it's just a performance thing then I agree.

Yves

--
perl -Mre=debug -e "/just|another|perl|hacker/"


@p5pRT p5pRT commented May 13, 2016

From @khwilliamson

Thank you for submitting this report. You have helped make Perl better.
 
With the release of Perl 5.24.0 on May 9, 2016, this and 149 other issues have been resolved.

Perl 5.24.0 may be downloaded via https://metacpan.org/release/RJBS/perl-5.24.0

@p5pRT p5pRT closed this May 13, 2016

@p5pRT p5pRT commented May 13, 2016

@khwilliamson - Status changed from 'pending release' to 'resolved'
