Package: perl Severity: serious Version: 5.8.8-7etch1 Tags: security A trivial program containing a regex with UTF8 characters causes a double free error and segfault:
#!/usr/bin/perl -w -CSDA use strict; use utf8; use encoding 'utf8'; use locale; my $ans='Ostrów'; $_="whatever..."; if (/^$ans| $ans/) { print "I was wrong, sorry...\n"} [Attached as well for convenience, along with output.] I've set the severity to serious and tagged with security as there is (apparently) a possibility that this could result in execution of arbitrary code. [I don't have any proof of concept for this or a CVE though, so feel free to detag and lower severity.] This is also filed upstream as #48156 [will mark it forwarded after I receive the ack.] [We're seeing this quite a bit in the anti-spam bits of the BTS, so a patch which fixes this would be nice. ;-)] Don Armstrong -- Clothes make the man. Naked people have little or no influence on society. -- Mark Twain http://www.donarmstrong.com http://rzlab.ucr.edu
*** glibc detected *** debugperl: double free or corruption (!prev): 0x081e20e0 *** ======= Backtrace: ========= /lib/i686/cmov/libc.so.6[0xb7dfa735] /lib/i686/cmov/libc.so.6(cfree+0x90)[0xb7dfe1a0] debugperl(Perl_safesysfree+0xb5)[0x80d1ac5] debugperl(Perl_pregfree+0x1c5)[0x80c9eda] debugperl(Perl_op_clear+0x34a)[0x80a137f] debugperl(Perl_op_free+0x1ad)[0x80a1028] debugperl(Perl_op_free+0x149)[0x80a0fc4] debugperl(Perl_op_free+0x149)[0x80a0fc4] debugperl(Perl_op_free+0x149)[0x80a0fc4] debugperl(perl_destruct+0x2ca)[0x8065b4d] debugperl(main+0x108)[0x80638dc] /lib/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7da5450] debugperl[0x8063771] ======= Memory map: ======== 08048000-081b0000 r-xp 00000000 fd:01 1179944 /usr/bin/debugperl 081b0000-081ba000 rw-p 00167000 fd:01 1179944 /usr/bin/debugperl 081ba000-08282000 rw-p 081ba000 00:00 0 [heap] b7a00000-b7a21000 rw-p b7a00000 00:00 0 b7a21000-b7b00000 ---p b7a21000 00:00 0 b7bdc000-b7be6000 r-xp 00000000 fd:00 147509 /lib/libgcc_s.so.1 b7be6000-b7be7000 rw-p 00009000 fd:00 147509 /lib/libgcc_s.so.1 b7bf8000-b7c00000 r-xp 00000000 fd:01 510515 /usr/lib/perl/5.8.8/auto/Encode/Encode.so b7c00000-b7c01000 rw-p 00007000 fd:01 510515 /usr/lib/perl/5.8.8/auto/Encode/Encode.so b7c01000-b7c22000 rw-p b7c01000 00:00 0 b7c22000-b7d5c000 r--p 00000000 fd:01 508672 /usr/lib/locale/locale-archive b7d5c000-b7d5d000 rw-p b7d5c000 00:00 0 b7d5d000-b7d66000 r-xp 00000000 fd:00 163946 /lib/i686/cmov/libcrypt-2.7.so b7d66000-b7d68000 rw-p 00008000 fd:00 163946 /lib/i686/cmov/libcrypt-2.7.so b7d68000-b7d8f000 rw-p b7d68000 00:00 0 b7d8f000-b7ed6000 r-xp 00000000 fd:00 163942 /lib/i686/cmov/libc-2.7.so b7ed6000-b7ed7000 r--p 00147000 fd:00 163942 /lib/i686/cmov/libc-2.7.so b7ed7000-b7ed9000 rw-p 00148000 fd:00 163942 /lib/i686/cmov/libc-2.7.so b7ed9000-b7edc000 rw-p b7ed9000 00:00 0 b7edc000-b7ef0000 r-xp 00000000 fd:00 163970 /lib/i686/cmov/libpthread-2.7.so b7ef0000-b7ef2000 rw-p 00013000 fd:00 163970 /lib/i686/cmov/libpthread-2.7.so 
b7ef2000-b7ef5000 rw-p b7ef2000 00:00 0 b7ef5000-b7f18000 r-xp 00000000 fd:00 163950 /lib/i686/cmov/libm-2.7.so b7f18000-b7f1a000 rw-p 00023000 fd:00 163950 /lib/i686/cmov/libm-2.7.so b7f1a000-b7f1c000 r-xp 00000000 fd:00 163948 /lib/i686/cmov/libdl-2.7.so b7f1c000-b7f1e000 rw-p 00001000 fd:00 163948 /lib/i686/cmov/libdl-2.7.so b7f29000-b7f2e000 r-xp 00000000 fd:01 511378 /usr/lib/perl/5.8.8/auto/PerlIO/encoding/encoding.so b7f2e000-b7f2f000 rw-p 00005000 fd:01 511378 /usr/lib/perl/5.8.8/auto/PerlIO/encoding/encoding.so b7f2f000-b7f31000 rw-p b7f2f000 00:00 0 b7f31000-b7f4d000 r-xp 00000000 fd:00 147922 /lib/ld-2.7.so b7f4d000-b7f4f000 rw-p 0001b000 fd:00 147922 /lib/ld-2.7.so bf80d000-bf823000 rw-p bf80d000 00:00 0 [stack] ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso] Aborted (core dumped)
#!/usr/bin/perl -w -CSDA
# Minimal reproducer for the double free reported in this bug: a pattern whose
# interpolated alternation branch contains a non-ASCII (UTF-8) literal, compiled
# under 'use utf8' + 'use encoding' + 'use locale'.  Per the attached glibc
# backtrace the bad free happens in Perl_pregfree, reached via Perl_op_free
# from perl_destruct -- i.e. while the compiled regex op is torn down at
# interpreter exit, not during the match itself.
# NOTE(review): keep every pragma and the exact pattern as written; the crash
# depends on this combination, and which pragma(s) are essential is not
# established by the report.  -CSDA on the shebang makes the standard handles,
# default PerlIO layers and @ARGV UTF-8.
use strict;
use utf8;                  # the 'Ostrów' literal below is UTF-8 in the source
use encoding 'utf8';       # deprecated in later Perl releases; kept as in the report
use locale;
my $ans='Ostrów';          # non-ASCII literal that is interpolated into the regex
$_="whatever...";          # subject string; it does not contain $ans, so no branch matches
if (/^$ans| $ans/) { print "I was wrong, sorry...\n"}
# Expected: no output, clean exit.  Observed (see attached output): glibc
# "double free or corruption (!prev)" abort during teardown.