Vulnerabilities in Perl and Regular Expressions library
The Perl Regular Expression Engine contains a vulnerability that can cause an application written in Perl to crash and possibly even allow code to be injected. The problem is reportedly the result of a memory allocation error during the handling of an expression. Any code injected this way into a Web server would run with the privileges of the Web server. No further details concerning the flaw have been revealed. The current version, 5.8.8, and all earlier versions are affected. Linux distributors are already releasing patched packages, but no official Perl update has been released yet.
But there is more bad news. Tavis Ormandy of Google Security has discovered several vulnerabilities in the Perl-Compatible Regular Expressions library (PCRE) that allow attackers to crash an application written in Perl. Debian says that it is possible to execute malicious code on vulnerable systems because some of the problems are due to heap overflows. Many open source projects – Apache, PHP, Postfix, KDE and Exim, among others – use the library. Versions 6.x and 7.x are affected, though the flaws have been remedied in the official version 7.4. Debian has published new packages.
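The only actionable fact for an administrator in the PCRE report is the affected range: 6.x and 7.x before 7.4. The following POSIX shell check is an added example, not part of the article or of the PCRE project; it parses a version string, decides whether it falls inside that range, and, if the real `pcre-config` tool is on the PATH, reports on the locally installed library. The helper names `pcre_affected` and `check_local_pcre` are this example's own.

```shell
# Added example (not from the article): classify a PCRE version string against
# the affected range the advisory describes (every 6.x release, 7.0 to 7.3).
# Returns 0 (true) when the version is affected, 1 otherwise.
pcre_affected() {
  ver=$1
  major=${ver%%.*}          # text before the first dot
  rest=${ver#*.}            # text after the first dot (or the whole string if none)
  minor=${rest%%.*}         # second component, ignoring any patch level
  # Reject anything that is not a plain number so the numeric test below cannot fail.
  case "$major" in *[!0-9]*|'') return 1 ;; esac
  case "$minor" in *[!0-9]*|'') return 1 ;; esac
  case "$major" in
    6) return 0 ;;                 # all 6.x releases are affected
    7) [ "$minor" -lt 4 ] ;;       # 7.0 .. 7.3 affected; 7.4 carries the fix
    *) return 1 ;;                 # other major versions are outside the stated range
  esac
}

# Query the installed library through pcre-config (the real PCRE 1 tool, which
# supports --version) and print a one-line verdict.
check_local_pcre() {
  if command -v pcre-config >/dev/null 2>&1; then
    v=$(pcre-config --version)
    if pcre_affected "$v"; then
      echo "installed PCRE $v is within the affected range; update to 7.4 or a vendor-patched package"
    else
      echo "installed PCRE $v is outside the affected range"
    fi
  else
    echo "pcre-config not found; check the distribution package version instead"
  fi
}
```

Distribution packages often backport the fix without bumping the upstream version number, so a version inside the range is a reason to consult the vendor advisory linked below, not proof that the installed copy is still vulnerable.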
- perl security update, Red Hat security advisory
- Updated perl packages fix vulnerability, Mandrake security advisory
- pcre3 -- several vulnerabilities, Debian security advisory