Hi Stig,

Thank you for handling this disclosure so well!

On Sun, Apr 13, 2025 at 03:23:25PM +0200, Stig Palmquist wrote:
> Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow
> when transliterating non-ASCII bytes
>
> Description
> -----------
> A heap buffer overflow vulnerability was discovered in Perl.
>
> When there are non-ASCII bytes in the left-hand-side of the `tr`
> operator, `S_do_trans_invmap` can overflow the destination pointer `d`.
>
>     $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
>     Segmentation fault (core dumped)

Running this command on distro packages based on 5.32.1 (like in EL9)
does not segfault (produces no output), which is as expected for a
version that didn't yet have the bug (and assuming no bug backport).

> https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch

As it was mentioned in the advance notification to distros, the issue
was introduced in:

https://github.com/Perl/perl5/commit/a311ee08b6781f83a7785f578a26bbc21a7ae457

which is part of tags v5.33.1 to v5.41.10, so I guess those versions are
also affected. The fix commit is effectively a revert of the bug commit.

Alexander