Perl 2017 CVE's: CVE-2017-12883, CVE-2017-12837, CVE-2017-12814

Posted by Arkadiusz.Bednarzak@pl.ibm.com on 2018-03-14 07:28
Forums: ActivePerl discussion | OS: Windows

Hello,

We were asked by customers to upgrade Perl to version with fix for following vulnerabilities.

1 CVE-2017-12883 Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.
2 CVE-2017-12837 Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.
3 CVE-2017-12814 Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.

From change log it is not addressed in current release of ActivePerl v5.24.

Are there plans to provide fix, if yes: what is current publication target date?

grahams
ActiveState Staff
Wed, 2018-03-14 08:39

Perl.org released these patches in 5.26.1 and 5.24.3 Perl cores:
https://perldoc.perl.org/perldelta.html

ActivePerl Enterprise 5.24.3 has been available since December 2017.
Community Edition/Business Edition ActivePerl 5.24 is also available.
https://www.activestate.com/activeperl/downloads