Severity Rating: Medium
Software Affected
· Perl versions prior to 5.30.3
Overview
Multiple vulnerabilities have been reported in Perl which could allow an
attacker to cause denial of service conditions on targeted system.
Description
1. Heap-Based Buffer Overflow Vulnerability (CVE-2020-10543)
This vulnerability exists in Perl on 32-bit platforms due to an
out-of-bound write error. An attacker could exploit this vulnerability via
a signed size_t integer overflow in the storage space calculations for
nested regular expression quantifiers resulting in a heap buffer overflow
in Perl's regular expression compiler.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
2. Integer Overflow Vulnerability (CVE-2020-10878)
This vulnerability exists in Perl due to an error while handling of a
"PL_regkind[OP(n)] == NOTHING" situation. An attacker could exploit this
vulnerability via a crafted regular expression leading to malformed
bytecode which could result in integer overflow.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
3. Buffer Overflow Vulnerability (CVE-2020-12723)
This vulnerability exists in regcomp.c file in Perl due to a buffer
overflow error. An attacker could exploit this vulnerability via a crafted
expression which calls S_study_chunk() in a recursive way.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
Solution
Upgrade to the latest Perl version 5.30.3
Vendor Information
Perl
References
Perl
Gentoo
Github
Redhat
CVE Name
CVE-2020-10543
CVE-2020-10878
CVE-2020-12723
About Cert Advisory
We have created this blog to provide latest security advisory from the india cert for the security vulnerability, threats, attacks and patching required to mitigate any kind of cyber attacks.