These Forums Have Moved
The Komodo forums have moved to a new home at community.komodoide.com, please head over there to post your topics!
Note that the new forums are a fresh start - you will have to register a new account.
Hello,
We were asked by customers to upgrade Perl to a version with fixes for the following vulnerabilities.
1 CVE-2017-12883 Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.
2 CVE-2017-12837 Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.
3 CVE-2017-12814 Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.
From the change log, it is not addressed in the current release of ActivePerl v5.24.
Are there plans to provide a fix? If yes, what is the current publication target date?
Perl.org released these patches in the 5.26.1 and 5.24.3 Perl cores:
https://perldoc.perl.org/perldelta.html
ActivePerl Enterprise 5.24.3 has been available since December 2017.
Community Edition/Business Edition ActivePerl 5.24 is also available.
https://www.activestate.com/activeperl/downloads
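A small check for the question above, added here as an example and not code from either poster or from ActiveState: it compares a Perl version string against the first releases that carry the fixes for CVE-2017-12883, CVE-2017-12837 and CVE-2017-12814 (5.24.3-RC1 and 5.26.1-RC1, as stated in the CVE text) and then reports on the perl found in PATH. The version thresholds are taken from the CVE descriptions; everything else (function names, the conservative treatment of 5.25/5.27 development releases as "not known fixed", the assumption that 5.28 and later include the fix because they were released after it) is the example's own. A "not at fixed version" verdict only means the version number predates the upstream fix; distribution or vendor builds may carry a backported patch under an older version number, so confirm against the vendor change log.

```sh
#!/bin/sh
# Added example, not from the forum thread. Checks a Perl version against the
# upstream releases that fixed CVE-2017-12883, CVE-2017-12837 and CVE-2017-12814.
# Assumption: fixed-in versions are 5.24.3 (first fixed RC: 5.24.3-RC1) and
# 5.26.1 (first fixed RC: 5.26.1-RC1); 5.28+ were released after the fix.

# perl_has_cve_2017_fix MAJOR.MINOR.PATCH[-suffix]
#   exit 0: at or past the fixed release
#   exit 1: predates the fixed release (or a dev series not covered by the CVE text)
#   exit 2: not a parseable version string
perl_has_cve_2017_fix() {
    ver=$1
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    minor=${minor%%[!0-9]*}   # keep the leading digits only
    patch=${patch%%[!0-9]*}   # drops suffixes such as "-RC1" or "_01"
    [ -n "$minor" ] && [ -n "$patch" ] || return 2

    # Perl 6 is a different language; anything below 5 is far too old.
    [ "$major" -gt 5 ] && return 0
    [ "$major" -lt 5 ] && return 1

    # Stable series released after the fix (assumption: 5.28 and later).
    [ "$minor" -ge 28 ] && return 0
    # 5.26.x: fixed from 5.26.1 (5.26.1-RC1 strips to 5.26.1 above).
    [ "$minor" -eq 26 ] && [ "$patch" -ge 1 ] && return 0
    # 5.24.x: fixed from 5.24.3 (5.24.3-RC1 strips to 5.24.3 above).
    [ "$minor" -eq 24 ] && [ "$patch" -ge 3 ] && return 0
    # Everything else: 5.22 and older (the CVE text says "before 5.24.3-RC1"),
    # 5.24.0-5.24.2, 5.26.0, and the 5.25/5.27 development series, which the
    # CVE text does not enumerate and which this check treats conservatively.
    return 1
}

# check_installed_perl: report on the perl binary found in PATH.
# Uses $^V printed with %vd, which gives "5.26.1" style output.
check_installed_perl() {
    command -v perl >/dev/null 2>&1 || { echo "perl: not found in PATH"; return 2; }
    v=$(perl -e 'printf "%vd", $^V')
    if perl_has_cve_2017_fix "$v"; then
        echo "perl $v: at or past the fixed release (5.24.3 / 5.26.1)"
    else
        echo "perl $v: not at the fixed release; check the vendor change log for a backport"
        return 1
    fi
}

# Standalone use: print the verdict for the perl in PATH. The exit status is
# deliberately ignored here so that sourcing this file for its functions does
# not abort a caller running under set -e.
check_installed_perl || :
```

Sourcing the file and calling `perl_has_cve_2017_fix "$(perl -e 'printf "%vd", $^V')"` gives a plain exit status that an inventory or CI script can act on; the `-RC1` handling matters because the CVE text names the release candidates, not only the final point releases, as the first fixed builds.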