Bug#628817: perl NULL pointer dereference

Niko Tyni ntyni at debian.org
Mon Jun 13 18:09:43 UTC 2011


severity 628817 important
thanks

Security team: please let us know if you disagree. See below.

On Mon, Jun 13, 2011 at 06:48:46PM +0100, Dominic Hargreaves wrote:
> On Thu, Jun 02, 2011 at 02:39:35PM +0300, Niko Tyni wrote:
> > On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> > > Package: perl
> > > Severity: serious
> > > Tags: security
> > 
> > > CVE-2011-0761[0]:
> > > | Perl 5.10.x allows context-dependent attackers to cause a denial of
> > > | service (NULL pointer dereference and application crash) by leveraging
> > > | an ability to inject arguments into a (1) getpeername, (2) readdir,
> > > | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> > > | function call.
> > 
> > Some observations:
> > 
> > - the crash can be reproduced with just 
> >    perl -e 'getsockname(1,1)'
> > 
> > - the functions (at least getsockname) don't seem to check their argument
> >   count, they only use the last one. This is still the case in 5.12.
> >   I haven't found any indication of the Perl stack corrupting on 5.12
> >   though so this seems harmless.
> > 
> > - the crash is at gv.c:89 (as of 5.10.1):
> >     if (!gv || SvTYPE((const SV *)gv) != SVt_PVGV) {
> > 
> > - compiler optimization of gv.c affects the behaviour:
> >   + a regular perl built with -O0 gives the intended
> >       Bad symbol for filehandle at -e line 1
> > 
> >   + a debugging version (-DDEBUGGING) with -O0 gives an expected
> >     assertion failure:
> >       Assertion gv failed: file "gv.c", line 87 at -e line 1.
> > 
> >   + -DDEBUGGING at -O2 (i.e. what's in the perl-debug package)
> >     crashes the same way as the regular perl so the assertion check
> >     is bypassed.
> > 
> > I don't quite understand yet what happens in the optimized version of
> > Perl_gv_IOadd(); the gv is NULL so the !gv check above should prevent
> > referencing it AIUI.
> 
> Niko,
> 
> In your opinion, based on the above and the (only) upstream response
> on
> <http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-06/msg00027.html>
> do you think that this bug should be downgraded from serious, since
> apps should not (according to upstream, and I'm inclined to agree) be
> passing unsanitised untrusted input into those functions?

I haven't had the time to look at this any further, but I agree that
the severity should be downgraded. Doing that but Cc'ing the
security team (with extensive quoting) in case they think otherwise.
-- 
Niko Tyni   ntyni at debian.org
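The practical takeaway from the thread above is upstream's position that a filehandle argument should be validated before it reaches getsockname() and friends. The following is an added example, not code from the bug report or from the perl package; the helper name local_endpoint is hypothetical. It checks with Scalar::Util::openhandle() that the value really is an open handle before calling getsockname(), so an attacker-controlled scalar such as the literal 1 from the reproducer never reaches the op at all, whatever the interpreter version or optimisation level does with it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(openhandle);
use Socket qw(PF_INET SOCK_STREAM inet_aton inet_ntoa sockaddr_in);

# Hypothetical helper (added example): return "host:port" for the local
# end of $sock, or undef if $sock is not an open handle or not a socket.
# The openhandle() guard is the point: getsockname() is only ever called
# on a value we have confirmed is a real, open filehandle, so untrusted
# input (a number, a string, a random reference) is rejected up front
# instead of being handed to the op.
sub local_endpoint {
    my ($sock) = @_;
    return undef unless openhandle($sock);      # refuse non-handles, e.g. 1
    my $name = getsockname($sock) or return undef;   # ENOTSOCK, unbound, ...
    my ($port, $addr) = sockaddr_in($name);    # list context unpacks the sockaddr
    return inet_ntoa($addr) . ":$port";
}

# Constructed input: a real TCP socket bound to an ephemeral loopback port.
socket(my $s, PF_INET, SOCK_STREAM, 0)          or die "socket: $!";
bind($s, sockaddr_in(0, inet_aton('127.0.0.1'))) or die "bind: $!";

print "socket:      ", local_endpoint($s), "\n";            # 127.0.0.1:<port>

# The same values the reproducer in the report feeds to getsockname().
# Without the guard, getsockname($bad) is exactly the pattern CVE-2011-0761
# describes; with it, the caller just gets undef back.
for my $bad (1, "1", "STDIN", \"not a handle") {
    my $r = local_endpoint($bad);
    print "untrusted:   ", (defined $r ? $r : "rejected"), "\n";
}
```

openhandle() returns the handle only when it is open (it understands globs, glob references and IO objects), so the check also covers a handle that was valid once but has since been closed. Regular files pass openhandle() and are then turned away by getsockname() itself returning undef, which the helper treats the same way.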