CVE-2015-8853: Input Validation
First published: Thu Apr 21 2016(Updated: )
A vulnerability was found in perl. The regex engine got into an infinite loop because of the malformation. It is trying to back-up over a sequence of UTF-8 continuation bytes. The character just before the sequence should be a start byte. If it's not, there is a malformation which results in "hang" of regexp matching and CPU exhaustion. External references: <a href="https://rt.perl.org/Public/Bug/Display.html?id=123562">https://rt.perl.org/Public/Bug/Display.html?id=123562</a> Upstream fix: <a href="http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5">http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5</a>
Credit: security@debian.org security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fedoraproject Fedora | =22 | |
| Perl Perl | <=5.23.9 | |
| redhat/perl | <5.22.1 | 5.22.1 |
| debian/perl | 5.32.1-4+deb11u3 5.32.1-4+deb11u1 5.36.0-7+deb12u1 5.38.2-5 5.40.0-6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183592.html
- http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5
- http://www.openwall.com/lists/oss-security/2016/04/20/5
- http://www.openwall.com/lists/oss-security/2016/04/20/7
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/86707
- https://bugzilla.redhat.com/show_bug.cgi?id=1329106
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://rt.perl.org/Public/Bug/Display.html?id=123562
- https://security.gentoo.org/glsa/201701-75
- https://usn.ubuntu.com/3625-1/
- https://usn.ubuntu.com/3625-2/
- https://launchpad.net/bugs/cve/CVE-2015-8853
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1329107
- https://access.redhat.com/security/updates/classification/
- https://www.openwall.com/lists/oss-security/2016/04/20/5
- https://security-tracker.debian.org/tracker/CVE-2015-8853
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8853
- https://nvd.nist.gov/vuln/detail/CVE-2015-8853
- https://ubuntu.com/security/CVE-2015-8853
Frequently Asked Questions
What is CVE-2015-8853?
CVE-2015-8853 is a vulnerability in Perl before version 5.24.0 that allows context-dependent attackers to cause a denial of service by triggering an infinite loop with crafted UTF-8 data.
Who is affected by CVE-2015-8853?
The vulnerability affects Perl versions before 5.24.0.
What is the severity of CVE-2015-8853?
CVE-2015-8853 has a severity rating of 7.5 (High).
How do I fix CVE-2015-8853 on Ubuntu?
To fix CVE-2015-8853 on Ubuntu, upgrade the 'perl' package to version 5.18.2-2ubuntu1.4 or later.
Where can I find more information about CVE-2015-8853?
You can find more information about CVE-2015-8853 at the following references: 1. CVE-2015-8853 on MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8853 2. OSS Security mailing list post: http://www.openwall.com/lists/oss-security/2016/04/20/5 3. Ubuntu Security Notice: https://ubuntu.com/security/notices/USN-3625-1
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-8853
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/22
- vendor/perl
- canonical/perl perl
- version/perl perl/5.23.9
- package-manager/redhat
- package-manager/debian