Opened 4 years ago

Closed 4 years ago

#4384 closed task (fixed)


Reported by: Bruce Dubbs
Owned by: lfs-book
Priority: high
Milestone: 8.4
Component: Book
Version: SVN
Severity: normal
Keywords:


New point version.

Change History (2)

comment:1 by ken@…, 4 years ago

Priority: normal → high

Two security fixes, and a regression fix.

[CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault

[CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c)

A remote user can create a specially crafted regular expression to cause a heap overflow in S_regatom in 'regcomp.c' during compilation and potentially execute arbitrary code.

RT #133368

when(X) is normally compiled as when($_ ~~ X) *except* when X appears to be a boolean expression, in which case it's used directly.

5.28.0 introduced an optimisation whereby comparisons involving index like

index(...) != -1

eliminated the comparison, and pp_index() returned a boolean value directly. This defeated the 'look for a boolean op' mechanism, and so

when(index(...) != -1)

and similar were being incorrectly compiled as

when($_ ~~ (index(...) != -1))

NB - for anybody maintaining an older system, 5.26.3 was also released with its own set of CVEs. Versions before that are out of upstream support. Do not forget that upgrading the installed *version* will require you to reinstall ALL extra modules which you have installed.

I'm currently testing a patch to apply the relevant changes from 5.28.1 to 5.28.0 so that I can avoid reinstalling hundreds of modules across my current systems.
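Added example, not from the ticket and not from perl's own test suite, showing the when(index(...) != -1) regression that comment:1 describes. classify_affected() uses the exact form that 5.28.0 mis-compiles into a smartmatch; classify_safe() wraps the same test in "!!" so that the top of the condition is a negation, which perlsyn lists among the forms when() always treats as a plain boolean, so no smartmatch is generated on any version. The "needle" strings are constructed inputs; run it under 5.28.0 and 5.28.1 (or 5.26.3) to compare the two columns.

```perl
#!/usr/bin/perl
# Added example for RT #133368 (not the ticket's or perl's own code).
use strict;
use warnings;
use feature 'switch';
# given/when and ~~ are experimental (and deprecated on newer perls);
# silence those warnings so the output only shows the behaviour difference.
no warnings qw(experimental::smartmatch deprecated);

# Affected form. On an unpatched 5.28.0 the "!= -1" comparison is folded
# into pp_index(), when() no longer sees a boolean op on top, and this is
# compiled as   when($_ ~~ (index($_, "needle") != -1))
# i.e. the string is smartmatched against 1 or "", which never matches.
sub classify_affected {
    my ($s) = @_;
    my $result = "no-needle";
    given ($s) {
        when (index($_, "needle") != -1) { $result = "has-needle" }
    }
    return $result;
}

# Version-independent form. The outer "!!" puts a negation op at the top of
# the condition; when() treats negated expressions as booleans and uses
# them directly, so the index() optimisation underneath is harmless.
sub classify_safe {
    my ($s) = @_;
    my $result = "no-needle";
    given ($s) {
        when (!!(index($_, "needle") != -1)) { $result = "has-needle" }
    }
    return $result;
}

# Constructed inputs: one string containing the needle, one without.
my @inputs = ("haystack with a needle in it", "plain hay");

printf "perl %vd\n", $^V;
for my $s (@inputs) {
    printf "%-34s affected=%-10s safe=%s\n", "'$s'",
        classify_affected($s), classify_safe($s);
}
```

On 5.28.1 and on the 5.26.3 line both columns agree ("has-needle" for the first input, "no-needle" for the second); on an unpatched 5.28.0 the affected column reports "no-needle" for both, which is the regression the release fixes. The "!!" rewrite is a way to make such code behave the same on every version rather than a substitute for applying the update.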

comment:2 by Bruce Dubbs, 4 years ago

Resolution: fixed
Status: new → closed

Fixed at revision 11491.
