Bug 18423

Summary: perl new security issue CVE-2015-8853
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, lewyssmith, makowski.mageia, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/686754/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: perl-5.20.1-8.2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-05-10 00:39:13 CEST 
Fedora has issued an advisory on May 6:
https://lists.fedoraproject.org/pipermail/package-announce/2016-May/183592.html

The patch to fix it is already checked into Mageia 5 SVN.
Comment 1 Marja Van Waes 2016-05-10 12:38:08 CEST 
(In reply to David Walser from comment #0)

> 
> The patch to fix it is already checked into Mageia 5 SVN.

Assigning to you, since you already committed the fix, which makes me assume you'll do the rest, too.

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => luigiwalser

Comment 2 David Walser 2016-05-19 00:50:58 CEST 
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated perl packages fix security vulnerability:

The regex engine got into an infinite loop because of the malformation. It is
trying to back-up over a sequence of UTF-8 continuation bytes. The character
just before the sequence should be a start byte. If it's not, there is a
malformation which results in "hang" of regexp matching and CPU exhaustion
(CVE-2015-8853).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8853
https://lists.fedoraproject.org/pipermail/package-announce/2016-May/183592.html
========================

Updated packages in core/updates_testing:
========================
perl-5.20.1-8.3.mga5
perl-base-5.20.1-8.3.mga5
perl-devel-5.20.1-8.3.mga5
perl-doc-5.20.1-8.3.mga5

from perl-5.20.1-8.3.mga5.src.rpm

Assignee: luigiwalser => qa-bugs

Comment 3 David Walser 2016-05-19 05:21:45 CEST 
Reproducer on the upstream bug:
https://rt.perl.org/Public/Bug/Display.html?id=123562

echo -e "a\x80" | perl -e 'binmode STDIN, ":utf8"; while (<>){/(\n\r|\r)$/ ; print "DONE\n"}'

seems to go into an infinite loop or something with high CPU usage before the update, but after the update exits immediately with:
Malformed UTF-8 character (fatal) at -e line 1, <> line 1.

Tested Mageia 5 i586.

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 4 Lewis Smith 2016-05-19 11:32:00 CEST 
Testing M5 x64

BEFORE the update, from:
 https://rt.perl.org/Public/Bug/Display.html?id=123562
$ echo -e "a\x80" | perl -e 'binmode STDIN, ":utf8"; while
(<>){/(\n\r|\r)$/ ; print "DONE\n"}'
did not exit, showed high CPU usage - about 50% for the process in question.

AFTER the update:
 perl-5.20.1-8.3.mga5
 perl-base-5.20.1-8.3.mga5
 perl-doc-5.20.1-8.3.mga5
the test exited, as prescribed, with an error message "Malformed UTF-8 character (fatal) at -e line 2, <> line 1."

Update OK, validating.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Dave Hodgins 2016-05-20 11:15:47 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 5 Mageia Robot 2016-05-20 13:39:30 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0191.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED