Bug 22913 - perl new security issues CVE-2018-6797, CVE-2018-6798, CVE-2018-6913
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 22992
Reported: 2018-04-15 22:01 CEST by David Walser
Modified: 2018-05-16 10:26 CEST

See Also:
Source RPM: perl-5.22.3-3.1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-04-15 22:01:12 CEST
Debian has issued an advisory on April 14:
https://www.debian.org/security/2018/dsa-4172

I'd guess these were fixed in perl 5.26.2 recently uploaded to Cauldron, but that should be verified.  Debian has commit links for the fixes:
https://security-tracker.debian.org/tracker/CVE-2018-6797
https://security-tracker.debian.org/tracker/CVE-2018-6798
https://security-tracker.debian.org/tracker/CVE-2018-6913

As Debian notes, Mageia 5 is not vulnerable to CVE-2018-6798, it was deemed too difficult to fix CVE-2018-6797 there, but we can borrow their patch for CVE-2018-6913.
Comment 1 David Walser 2018-04-21 23:07:22 CEST
Ubuntu has issued an advisory for this on April 16:
https://usn.ubuntu.com/3625-1/
Comment 3 David Walser 2018-04-27 17:25:19 CEST
openSUSE has issued an advisory for this on April 26:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00075.html
Comment 4 Shlomi Fish 2018-04-27 19:03:47 CEST
http://pkgsubmit.mageia.org/ - perl-5.22.3-3.2 submitted there.
Comment 5 David Walser 2018-04-27 19:10:44 CEST
(In reply to David Walser from comment #2)
> Fedora has issued advisories for this on April 21:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2YHV7AMX7Y5TBFZ2AJSYOXKOY24LXMHI/
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OCXHRWSBTCW72IS7QJZ6DVME7KY3SM6O/
> 
> So, perl-Module-CoreList may also be affected.

perl-Module-CoreList update is only needed to support perl 5.24.4 or 5.26.2.
Comment 6 David Walser 2018-04-27 21:13:07 CEST
Build system is stuck.

perl-5.22.3-3.2.mga6
perl-base-5.22.3-3.2.mga6
perl-devel-5.22.3-3.2.mga6
perl-doc-5.22.3-3.2.mga6

from perl-5.22.3-3.2.mga6.src.rpm
Comment 7 David Walser 2018-05-04 07:21:27 CEST
Advisory:
========================

Updated perl packages fix security vulnerabilities:

Brian Carpenter reported that a crafted regular expression could cause a heap
buffer write overflow, with control over the bytes written (CVE-2018-6797).

Nguyen Duc Manh reported that matching a crafted locale dependent regular
expression can cause a heap-based buffer over-read and potentially information
disclosure (CVE-2018-6798).

GwanYeong Kim reported that 'pack()' could cause a heap buffer write overflow
with a large item count (CVE-2018-6913).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6913
https://www.debian.org/security/2018/dsa-4172
========================

Updated packages in core/updates_testing:
========================
perl-5.22.3-3.2.mga6
perl-base-5.22.3-3.2.mga6
perl-devel-5.22.3-3.2.mga6
perl-doc-5.22.3-3.2.mga6

from perl-5.22.3-3.2.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

David Walser 2018-05-04 07:33:37 CEST

Blocks: (none) => 22992

Comment 8 Len Lawrence 2018-05-10 01:13:27 CEST
Mageia 6, x86_64

Started PoC hunting.  Too late to carry on tonight.

CC: (none) => tarazed25

Comment 9 Len Lawrence 2018-05-14 16:13:45 CEST
Belatedly.  :-((

Mageia 6, x86_64

Downloaded PoCs.

Before the update:
==================

CVE-2018-6797
https://rt.perl.org/Public/Bug/Display.html?id=132227
$ perl 132227b.pl 
panic: reg_node overrun trying to emit 0, 10c642c>=10c642c at 132227b.pl line 1.

CVE-2018-6798
https://rt.perl.org/Public/Bug/Display.html?id=132063
$ perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
Operation "pattern match (m//)" returns its argument for non-Unicode code point 0xD040000000000000 at -e line 1.
Does not look like the output upstream but in that case perl had been compiled with asan support.  Their test aborted after delivering this message:
==11464==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001b3a at pc 0x000000c66a61 bp 0x7ffd2e7fafb0 sp 0x7ffd2e7fafa8
READ of size 1 at 0x602000001b3a thread T0

However...

the modified test at https://bugzilla.redhat.com/show_bug.cgi?id=1547779
reproduces the valgrind output.
$ valgrind -- perl -e '"\xff" =~ /(?il)\x{100}|\x{100}/;'

CVE-2018-6913
https://rt.perl.org/Public/Bug/Display.html?id=131844
$ perl S_pack_rec_heap_PoC
Invalid type 'K' in pack at S_pack_rec_heap_PoC line 1.
The upstream test uses asan and produces an abort.
There is also a note that this reproduces only on 32-bit systems so it is probably not relevant.  Not too keen on switching to virtualbox on this one.

Updated the packages.

After the update:
=================

$ perl 132227b.pl
panic: reg_node overrun trying to emit 0, 16c842c>=16c842c at 132227b.pl line 1.

$ perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
$

$ perl S_pack_rec_heap_PoC
Invalid type 'K' in pack at S_pack_rec_heap_PoC line 1.

We have not learnt very much from that exercise.

Tried out some perl scripts lying around.  nemux.pl generated newmux.aiff.
Lewis's onecheck.pl retrieved information on current isos from bcd.mageia.org.
Followed Herman's lead and put MCC through its paces.  No problems.
Len Lawrence 2018-05-14 16:14:12 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 10 Lewis Smith 2018-05-14 17:17:08 CEST
@ David
Asking for feedback because Len's specific PoC tests for CVE-2018-6797 and CVE-2018-6913 showed no change (that for CVE-2018-6798 *did*). We had a case recently where one patch of several got left out. Can we confirm that the relevant patches *are* in the code? And if so, please validate. Advisory done.

Keywords: (none) => advisory, feedback
CC: (none) => lewyssmith
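
When PoC output is the same before and after an update, as in comment 9, the question in comment 10 (are all the patches actually in the build?) can be answered from the source package's spec file. The following is an added example, not part of the original bug report or Mageia's tooling; the spec fragment and patch file names are constructed, and it assumes each patch file name contains its CVE id.

```shell
#!/bin/sh
# Constructed spec fragment (NOT the real Mageia perl.spec; patch file names
# are assumptions). Three CVE patches are declared, one is never applied.
SAMPLE_SPEC='Name: perl
Version: 5.22.3
Patch100: perl-CVE-2018-6797.patch
Patch101: perl-CVE-2018-6798.patch
Patch102: perl-CVE-2018-6913.patch
%prep
%setup -q
%patch100 -p1
%patch -P 102 -p1
%build'

# check_cve_patches SPEC_TEXT CVE-ID...
# Prints "<cve> applied", "<cve> declared-not-applied" or "<cve> missing".
check_cve_patches() {
    spec=$1; shift
    # Macros that apply every declared PatchN in one go.
    auto=no
    if printf '%s\n' "$spec" | grep -Eq '^%(autosetup|autopatch|apply_patches)'; then
        auto=yes
    fi
    for cve in "$@"; do
        # Numbers of the PatchN: lines whose file name mentions this CVE.
        nums=$(printf '%s\n' "$spec" | sed -n "s/^Patch\([0-9]*\):.*$cve.*/\1/p")
        if [ -z "$nums" ]; then
            echo "$cve missing"
            continue
        fi
        status=applied
        for n in $nums; do
            # Accept both "%patch100" and "%patch -P 100".
            re="^%patch($n|[[:space:]].*-P[[:space:]]*$n)([[:space:]]|\$)"
            if [ "$auto" = no ] && ! printf '%s\n' "$spec" | grep -Eq "$re"; then
                status=declared-not-applied
            fi
        done
        echo "$cve $status"
    done
}

check_cve_patches "$SAMPLE_SPEC" CVE-2018-6797 CVE-2018-6798 CVE-2018-6913
```

Against a real package, extract the spec from the SRPM (for example with `rpm2cpio perl-5.22.3-3.2.mga6.src.rpm | cpio -idm`) and pass its contents as the first argument.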

Comment 11 David Walser 2018-05-15 14:13:22 CEST
Yep, it's good.  Thanks.

Keywords: feedback => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2018-05-16 10:26:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0241.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

