Bug#825378: perl: freeze on parsing (broken) code

Thu, 26 May 2016 06:28:02 -0700 

Package: perl
Version: 5.20.2-3+deb8u4
Severity: normal
Tags: jessie

Dear Maintainer,

I've made typo in code, and found that it freezes perl on attempt to parse:
            perl -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
( it was meant to be 's{foo}{$h->X({-aaa=>"b"},$d)}ge' )

gdb backtrace (manually interrupted with ^C):
Program received signal SIGINT, Interrupt.
0x0806c60a in Perl_rpeep (my_perl=0x8215008, o=0x8238074) at op.c:11333
11333   op.c: No such file or directory.
(gdb) bt
#0  0x0806c60a in Perl_rpeep (my_perl=0x8215008, o=0x8238074) at op.c:11333
#1 0x08073509 in Perl_pmruntime (my_perl=0x8215008, o=0x82380f4, expr=0x8238474, isreg=true, floor=0) at op.c:4903 
#2  0x080a3ae8 in Perl_yyparse (my_perl=0x8215008, gramtype=1536)
    at perly.y:1385
#3 0x0807e836 in S_parse_body (xsinit=<optimized out>, env=<optimized out>, my_perl=<optimized out>) at perl.c:2298 #4 perl_parse (my_perl=0x8215008, xsinit=0x805ef80 <xs_init>, argc=136400904, argv=0x8215008, env=0x0) at perl.c:1607 
#5  0x0805ede8 in main (argc=3, argv=0xffffd674, env=0xffffd684)
    at perlmain.c:112
(Theoretically, this can be called "potential DoS on parsing untrusted code", but I'm pretty sure parsing untrusted perl code is not safe anyway).
It seems only jessie version affected, perl binaries extracted from perl-base packages from wheezy and squeeze seems correctly report error: 
$ ./perl5.22.2 -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
syntax error at -e line 1, near "{->aaa"
syntax error at -e line 1, near ")}"
-e had compilation errors.
It seems no changes in 5.20.2-3+deb8u5 (from jessie-proposed-updates) (also freezes). 

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates') 
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages perl depends on:
ii  dpkg          1.17.26
ii  libbz2-1.0    1.0.6-7+b3
ii  libc6         2.19-18+deb8u4
ii  libdb5.3      5.3.28-9
ii  libgdbm3      1.8.3-13.1
ii  perl-base     5.20.2-3+deb8u4
ii  perl-modules  5.20.2-3+deb8u4
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages perl recommends:
ii  netbase  5.3
ii  rename   0.20-3

Versions of packages perl suggests:
ii  libterm-readline-gnu-perl   1.24-2+b1
ii  libterm-readline-perl-perl  1.0303-1
ii  make                        4.0-8.1
ii  perl-doc                    5.20.2-3+deb8u4

-- no debconf information

Reply via email to