Bugzilla – Bug 1114674
VUL-0: CVE-2018-18311: perl: environment overflow
Last modified: 2024-07-25 15:16:45 UTC
Created attachment 788434 0001-Perl_my_setenv-handle-integer-wrap.patch
QA REPRODUCER: perl -e '$inp = "A" x 0x7fffffff; $ENV{$inp} = $inp;'
CRD: 2018-11-29
perl-5.18 seems to be affected. This is VUL-1, so we wait for the next security fix for SLE-12 and older?
is public

https://rt.perl.org/Public/Bug/Display.html?id=133204

Bug #133204 for perl5: [CVE-2018-18311] Integer overflow leading to buffer overflow

Hi,

As a part of an academic project, we have discovered an integer overflow in Perl which subsequently leads to a heap overflow.

The vulnerability is present in Perl_my_setenv @ util.c : 2070

    2070: void Perl_my_setenv(pTHX_ const char *nam, const char *val) {
    ...
    2166: const int nlen = strlen(nam);
    ...
    2171: vlen = strlen(val);
    2172: new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));

Here, since the arguments nam and val are user controlled, the 32 bit integers nlen and vlen are also under the control of the attacker. Therefore, if nam and val are two very long strings, the addition at 2172 would result in an integer overflow. The new_env would therefore be a chunk of a size which is smaller than the sum of the lengths of the two input strings.

This new_env is subsequently used in a call to memcpy to copy nlen bytes from nam and vlen bytes from val. This results in a buffer overflow on the heap with attacker controlled input.

We have attached a perl script that demonstrates this vulnerability.

Regards
Jayakrishna Menon and Christophe Hauser
Information Sciences Institute
University of Southern California
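The size calculation described in the report above, as an added example that is not part of this bug thread or of Perl's patch. `legacy_env_size` models the 32-bit arithmetic; `checked_env_size` and `build_env_entry` are hypothetical helpers that do the same computation in `size_t` with an explicit wrap check, assuming the usual `name=value` entry layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Models the size expression quoted in the report, (nlen + vlen + 2), with
 * both lengths held in 32 bits. Unsigned math models the wrap without
 * relying on signed-overflow undefined behaviour. */
static size_t legacy_env_size(size_t nam_len, size_t val_len)
{
    uint32_t sum = (uint32_t)nam_len + (uint32_t)val_len + 2u; /* mod 2^32 */
    return (size_t)(int32_t)sum; /* int result widened for the allocator */
}

/* Hypothetical helper: computes name + '=' + value + NUL in size_t.
 * Returns 0 on success, -1 if the sum cannot be represented. */
static int checked_env_size(size_t nam_len, size_t val_len, size_t *out)
{
    if (nam_len > SIZE_MAX - 2 || val_len > SIZE_MAX - 2 - nam_len)
        return -1;
    *out = nam_len + val_len + 2;
    return 0;
}

/* Hypothetical helper: builds "name=value" in a buffer sized by the check. */
static char *build_env_entry(const char *nam, const char *val)
{
    size_t nlen = strlen(nam), vlen = strlen(val), size;
    char *buf;
    if (checked_env_size(nlen, vlen, &size) != 0)
        return NULL;
    if ((buf = malloc(size)) == NULL)
        return NULL;
    memcpy(buf, nam, nlen);
    buf[nlen] = '=';
    memcpy(buf + nlen + 1, val, vlen);
    buf[nlen + vlen + 1] = '\0';
    return buf;
}

int main(void)
{
    /* Lengths taken from the QA reproducer on this page; only the numbers
     * are used, no 2 GiB strings are allocated. */
    size_t n = 0x7fffffffu, need = 0;
    checked_env_size(n, n, &need);
    printf("needed=%zu legacy request=%zu\n", need, legacy_env_size(n, n));
    return 0;
}
```

On a 64-bit build the two numbers differ by 4 GiB: the 32-bit sum wraps to 0 while the copy still needs the full length.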
SUSE-SU-2018:4187-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1114674,1114675,1114681,1114686
CVE References: CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): perl-5.26.1-7.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src): perl-5.26.1-7.6.1
openSUSE-SU-2018:4258-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1114674,1114675,1114681,1114686
CVE References: CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314
Sources used:
openSUSE Leap 15.0 (src): perl-5.26.1-lp150.6.6.1
I would now like to see a SLE12 perl update for this. It should probably have been VUL-0 from the beginning.
SUSE-SU-2019:2264-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1114674
CVE References: CVE-2018-18311
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): perl-5.18.2-12.20.1
SUSE OpenStack Cloud 8 (src): perl-5.18.2-12.20.1
SUSE OpenStack Cloud 7 (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server 12-SP5 (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server 12-SP4 (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Desktop 12-SP5 (src): perl-5.18.2-12.20.1
SUSE Linux Enterprise Desktop 12-SP4 (src): perl-5.18.2-12.20.1
SUSE Enterprise Storage 5 (src): perl-5.18.2-12.20.1
SUSE Enterprise Storage 4 (src): perl-5.18.2-12.20.1
SUSE CaaS Platform 3.0 (src): perl-5.18.2-12.20.1
HPE Helion Openstack 8 (src): perl-5.18.2-12.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.