Opened 7 years ago

Closed 7 years ago

#3681 closed defect (fixed)

Perl 5.20.1 Deep Recursion Stack Overflow Vulnerability

Reported by: aeon
Owned by: bdubbs@…
Priority: high
Milestone: 7.7
Component: Book
Version: SVN
Severity: normal
Keywords:
Cc:

Description

CVE-2014-4330

A stack overflow was discovered when serializing data via the Data::Dumper extension which is part of Perl-Core. By using the "Dumper" method on a large Array-Reference which recursively contains other Array-References, it is possible to cause many recursive calls to the DD_dump native function and ultimately exhaust all available stack memory.

Attachments (1)

data_dump_infinite_recurse.diff (11.0 KB ) - added by ken@… 7 years ago.
debian backport of the upstream fix.


Change History (14)

comment:1 by bdubbs@…, 7 years ago

I googled this and found a thread: http://code.activestate.com/lists/perl5-porters/212167/

I then did 'cpan -i Data::Dumper' and it says: Data::Dumper is up to date (2.145).

The above link says https://metacpan.org/release/Data-Dumper is now 2.154, including this fix. The message is dated September 18.

I don't know how to address this. I can't find a patch.

comment:2 by aeon, 7 years ago

I don't think there is anything we can do for now: http://packetstormsecurity.com/files/128422/LSE-2014-06-10.txt

comment:3 by bdubbs@…, 7 years ago

I did get it figured out. I was updating on an older system and needed to do:

cpan install CPAN

Then running 'cpan -i Data::Dumper' updated to version 2.154.

On a current system, it just updated OK. The file is http://cpan.metacpan.org/authors/id/S/SM/SMUELLER/Data-Dumper-2.154.tar.gz.

Install would be:

perl Makefile.PL &&
make &&
make test

as_root make install

I'm still not sure how to integrate this into the book.
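
As an added illustration of the description and of the version check in comment:3 (this script is not part of the ticket, the LFS book or the perl tree), the following Perl reports whether the installed Data::Dumper carries the fix and, only when it does, shows the hardened behaviour on the kind of deeply nested array reference the description talks about. The details it assumes come from Data::Dumper's own documentation rather than from this page: 2.154 is the first release with the fix, and that release introduced $Data::Dumper::Maxrecurse (default 1000), above which Dumper croaks with "Recursion limit of N exceeded" instead of recursing in DD_dump until the C stack is exhausted. On an unpatched Data::Dumper the script deliberately does not attempt the deep dump, because there the result would be the crash the ticket describes.

```perl
#!/usr/bin/perl
# Hypothetical check script for CVE-2014-4330 (not from the LFS ticket or
# the perl sources): report whether the installed Data::Dumper has the
# recursion cap, and only then exercise it on a deeply nested structure.
use strict;
use warnings;
use version;
use Data::Dumper;

# Assumption (from Data::Dumper's Changes/POD, not from this ticket):
# 2.154 is the first release that caps DD_dump's recursion, via
# $Data::Dumper::Maxrecurse, which defaults to 1000.
use constant FIXED_VERSION => '2.154';

# Build an array reference nested $depth levels deep: [[[[ ... ]]]].
# This is the shape of input the ticket's description refers to.
sub nested_arrayref {
    my ($depth) = @_;
    my $ref = [];
    $ref = [$ref] for 1 .. $depth;
    return $ref;
}

# True when the installed Data::Dumper is at or beyond the fixed release.
sub dumper_is_fixed {
    return version->parse($Data::Dumper::VERSION)
        >= version->parse(FIXED_VERSION) ? 1 : 0;
}

# Dump a structure of the given depth inside eval and classify the outcome:
# 'ok' (dumped), 'limited' (refused by the recursion cap), or the raw error.
sub try_dump {
    my ($depth) = @_;
    local $Data::Dumper::Indent = 0;    # keep the output on one line
    my $out = eval { Dumper( nested_arrayref($depth) ) };
    return 'ok' if defined $out;
    return 'limited' if $@ =~ /^Recursion limit of \d+ exceeded/;
    return $@;
}

printf "Data::Dumper %s installed (fix first shipped in %s)\n",
    $Data::Dumper::VERSION, FIXED_VERSION;

if ( dumper_is_fixed() ) {
    # Well below the default cap of 1000: dumps normally.
    printf "depth   500: %s\n", try_dump(500);

    # Above the default cap: croaks cleanly instead of overflowing the stack.
    printf "depth  5000: %s\n", try_dump(5000);

    # The cap is tunable; raising it (or setting 0 to disable it) reopens
    # the exposure on untrusted input, so only do this for data you control.
    {
        local $Data::Dumper::Maxrecurse = 10_000;
        printf "depth  5000 with Maxrecurse=10000: %s\n", try_dump(5000);
    }
}
else {
    print "Data::Dumper is older than ", FIXED_VERSION,
        ": unpatched for CVE-2014-4330.\n";
    print "Not attempting the deep dump; on this version it can crash perl.\n";
    print "Update with 'cpan -i Data::Dumper' or patch the perl tree",
        " as discussed in this ticket.\n";
}
```

Run it with the perl under test (for example `/usr/bin/perl check-dumper.pl` or the freshly built `./perl -Ilib` inside the source tree) so that it reports the Data::Dumper that perl actually loads, not one picked up from a different PERL5LIB.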

comment:4 by bdubbs@…, 7 years ago

According to RedHat, this vulnerability has a rating of low.

"This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences."

https://access.redhat.com/security/cve/CVE-2014-4330

Even though there is a fix, we could just wait for the next version of Perl.

I'm thinking about marking this wontfix. Comments?

comment:5 by ken@…, 7 years ago

The commit which fixed it, from a link at http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg220118.html which is the beginning of the thread you linked to, is at http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304

I'm still on 5.20.0, the patch does not all apply. Mitre is no help (that CVE does not have any details at the moment, so no idea what is affected). /me looks at a debian link: https://security-tracker.debian.org/tracker/CVE-2014-4330 suggests that all semi-recent versions are affected (i.e. it applies back to 5.10.1 which we abandoned years ago).

Their fix for 5.20.1 is within perl_5.20.1-1.debian.tar.xz. Within their patches, they have fixes/data_dump_infinite_recurse.diff which on first glance looks like the upstream commit, but does appear to apply, with messages about R/O files, to 5.20.0.

I'll attach it (I spelled out how I got it so that people can verify, since this is security).

After looking, I guess that the main distros will fix it, but it might take them a few days (clearly, less urgent than e.g. bash). So, if it passes testing, I suggest patching perl.

Some interesting comments in that thread.

comment:6 by bdubbs@…, 7 years ago

OK, if you come up with a patch, I have no problem adding it to the book.

by ken@…, 7 years ago

debian backport of the upstream fix.

comment:7 by ken@…, 7 years ago

Untested, taken straight from debian, so not adhering to our naming standards. I see that it is a backport to 5.20, which is why it applies cleanly.

comment:8 by bdubbs@…, 7 years ago

The patch applies without warnings, but some files are read only for the owner. Before applying the patch, we need to do 'chmod u+w -R *' in the source directory.

in reply to: 8; comment:9 by ken@…, 7 years ago

Replying to bdubbs@…:

The patch applies without warnings, but some files are read only for the owner. Before applying the patch, we need to do 'chmod u+w -R *' in the source directory.

Bruce, I do not see that: before applying the patch, all files in the dist/Data-Dumper tree are 444, the directories are both 755. After applying it, the modified files become 644 - I do not think we need to chmod anything.

I was thinking about upgrading my 5.20.0 systems to 5.20.1, partly because they had all had 3 test failures in other parts of perl. But when I test with (patched) 5.20.0 I no longer get any failures. I have to assume that something in glibc-2.20 made those tests work for me. Guess I _will_ just upgrade to patched 5.20.1 because of the other fixes in that release.

Meanwhile, for older systems I guess it is just simpler to install current Data-Dumper.

comment:10 by bdubbs@…, 7 years ago

What I get is:

File MANIFEST is read-only; trying to patch anyway
patching file MANIFEST
File dist/Data-Dumper/Dumper.pm is read-only; trying to patch anyway
patching file dist/Data-Dumper/Dumper.pm
File dist/Data-Dumper/Dumper.xs is read-only; trying to patch anyway
patching file dist/Data-Dumper/Dumper.xs
patching file dist/Data-Dumper/t/recurse.t

Admittedly the permissions are changed by patch, but we still get the warning.

in reply to: 9; comment:11 by ken@…, 7 years ago

Replying to ken@…:

I was thinking about upgrading my 5.20.0 systems to 5.20.1, partly because they had all had 3 test failures in other parts of perl. But when I test with (patched) 5.20.0 I no longer get any failures. I have to assume that something in glibc-2.20 made those tests work for me. Guess I _will_ just upgrade to patched 5.20.1 because of the other fixes in that release.

Don't try that at home. I was thinking that perl installed as 5.20 instead of 5.20.{0,1}.

comment:12 by bdubbs@…, 7 years ago

Owner: changed from lfs-book@… to bdubbs@…
Status: new → assigned

Fixed at revision 10769.

comment:13 by bdubbs@…, 7 years ago

Resolution: fixed
Status: assigned → closed