Opened 10 years ago
Closed 10 years ago
#3681 closed defect (fixed)
Perl 5.20.1 Deep Recursion Stack Overflow Vulnerability
| Reported by: | aeon | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | 7.7 |
| Component: | Book | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
CVE-2014-4330
A stack overflow was discovered when serializing data via the Data::Dumper extension which is part of Perl-Core. By using the "Dumper" method on a large Array-Reference which recursively contains other Array-References, it is possible to cause many recursive calls to the DD_dump native function and ultimately exhaust all available stack memory.
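The fix that shipped in Data::Dumper 2.154 bounds the recursion with a new Maxrecurse setting (default 1000). The following script is an added example, not part of the ticket or of Perl: it checks whether the installed Data::Dumper carries that setting, then dumps a constructed nested array reference under an explicit recursion ceiling so an over-deep structure is refused with an error instead of consuming the stack. The helper names (has_maxrecurse, nested_arrayref, bounded_dump) are this example's own.

```perl
#!/usr/bin/perl
# Added example (not from the ticket): verify the Data::Dumper 2.154 recursion
# limit is present and dump untrusted-depth data under a bounded ceiling.
use strict;
use warnings;
use Data::Dumper;

# Data::Dumper 2.154 and later set $Data::Dumper::Maxrecurse (default 1000)
# when the module loads; releases without the fix leave it undefined.
sub has_maxrecurse { return defined $Data::Dumper::Maxrecurse }

# Build $depth nested array references: [[[ ... ]]]. Constructed test input
# standing in for data of a depth the program does not control.
sub nested_arrayref {
    my ($depth) = @_;
    my $ref = [];
    $ref = [$ref] for 1 .. $depth;
    return $ref;
}

# Dump $data with a recursion ceiling. Returns ($string, undef) on success
# or (undef, $error) when the ceiling is exceeded. On a Data::Dumper without
# the fix the ceiling is silently ignored, so check has_maxrecurse() first.
sub bounded_dump {
    my ($data, $limit) = @_;
    local $Data::Dumper::Maxrecurse = $limit;
    my $out = eval { Dumper($data) };
    return $@ ? (undef, $@) : ($out, undef);
}

printf "Data::Dumper %s: Maxrecurse %s\n", $Data::Dumper::VERSION,
    has_maxrecurse()
        ? "available (default $Data::Dumper::Maxrecurse)"
        : "missing, upgrade to 2.154 or later";

my $limit = 50;    # well below the 1000 default; chosen for the demonstration
for my $depth (10, 200) {
    my ($out, $err) = bounded_dump(nested_arrayref($depth), $limit);
    if (defined $out) {
        printf "depth %d: dumped %d bytes\n", $depth, length $out;
    }
    else {
        chomp $err;
        printf "depth %d: refused: %s\n", $depth, $err;
    }
}
```

With the fixed module the depth-200 structure is rejected by the limit while depth 10 dumps normally; with an older module both dump, which is the condition the version check is meant to flag.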
Attachments (1)
Change History (14)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
I don't think there is something we can do for now http://packetstormsecurity.com/files/128422/LSE-2014-06-10.txt
comment:3 by , 10 years ago
I did get it figured out. I was updating on an older system and needed to do:
cpan install CPAN
Then running 'cpan -i Data::Dumper' updated to version 2.154.
On a current system, it just updated OK. The file is http://cpan.metacpan.org/authors/id/S/SM/SMUELLER/Data-Dumper-2.154.tar.gz.
Install would be:
perl Makefile.PL && make && make test
as_root make install
I'm still not sure how to integrate this into the book.
comment:4 by , 10 years ago
According to RedHat, this vulnerability has a rating of low.
"This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences."
https://access.redhat.com/security/cve/CVE-2014-4330
Even though there is a fix, we could just wait for the next version of Perl.
I'm thinking about marking this wontfix. Comments?
comment:5 by , 10 years ago
The commit which fixed it, from a link at http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg220118.html which is the beginning of the thread you linked to, is at http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304
I'm still on 5.20.0, the patch does not all apply. Mitre is no help (that CVE does not have any details at the moment, so no idea what is affected). /me looks at a debian link: https://security-tracker.debian.org/tracker/CVE-2014-4330 suggests that all semi-recent versions are affected (i.e. it applies back to 5.10.1 which we abandoned years ago).
Their fix for 5.20.1 is within perl_5.20.1-1.debian.tar.xz. Within their patches, they have fixes/data_dump_infinite_recurse.diff which on first glance looks like the upstream commit, but does appear to apply, with messages about R/O files, to 5.20.0.
I'll attach it (I spelled out how I got it so that people can verify, since this is security).
After looking, I guess that the main distros will fix it, but it might take them a few days (clearly, less urgent than e.g. bash). So, if it passes testing, I suggest patching perl.
Some interesting comments in that thread.
comment:6 by , 10 years ago
OK, if you come up with a patch, I have no problem adding it to the book.
by , 10 years ago
| Attachment: | data_dump_infinite_recurse.diff added |
|---|---|
Debian backport of the upstream fix.
comment:7 by , 10 years ago
Untested, taken straight from debian, so not adhering to our naming standards. I see that it is a backport to 5.20, which is why it applies cleanly.
comment:8 by , 10 years ago (follow-up: comment:9)
The patch applies without warnings, but some files are read only for the owner. Before applying the patch, we need to do 'chmod u+w -R *' in the source directory.
comment:9 by , 10 years ago (follow-up: comment:11)
Replying to bdubbs@…:
The patch applies without warnings, but some files are read only for the owner. Before applying the patch, we need to do 'chmod u+w -R *' in the source directory.
Bruce, I do not see that: before applying the patch, all files in the dist/Data-Dumper tree are 444, the directories are both 755. After applying it, the modified files become 644 - I do not think we need to chmod anything.
I was thinking about upgrading my 5.20.0 systems to 5.20.1, partly because they had all had 3 test failures in other parts of perl. But when I test with (patched) 5.20.0 I no longer get any failures. I have to assume that something in glibc-2.20 made those tests work for me. Guess I _will_ just upgrade to patched 5.20.1 because of the other fixes in that release.
Meanwhile, for older systems I guess it is just simpler to install current Data-Dumper.
comment:10 by , 10 years ago
What I get is:
File MANIFEST is read-only; trying to patch anyway
patching file MANIFEST
File dist/Data-Dumper/Dumper.pm is read-only; trying to patch anyway
patching file dist/Data-Dumper/Dumper.pm
File dist/Data-Dumper/Dumper.xs is read-only; trying to patch anyway
patching file dist/Data-Dumper/Dumper.xs
patching file dist/Data-Dumper/t/recurse.t
Admittedly the permissions are changed by patch, but we still get the warning.
comment:11 by , 10 years ago
Replying to ken@…:
I was thinking about upgrading my 5.20.0 systems to 5.20.1, partly because they had all had 3 test failures in other parts of perl. But when I test with (patched) 5.20.0 I no longer get any failures. I have to assume that something in glibc-2.20 made those tests work for me. Guess I _will_ just upgrade to patched 5.20.1 because of the other fixes in that release.
Don't try that at home. I was thinking that perl installed as 5.20 instead of 5.20.{0,1}.
comment:13 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
I googled this and found a thread: http://code.activestate.com/lists/perl5-porters/212167/
I then did 'cpan -i Data::Dumper' and it says: Data::Dumper is up to date (2.145).
The above link says https://metacpan.org/release/Data-Dumper is now 2.154, including this fix. The message is dated September 18.
I don't know how to address this. I can't find a patch.