CVE-2017-12883: Buffer Overflow
First published: Fri Sep 15 2017(Updated: )
Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/perl | <5.24.3 | 5.24.3 |
| redhat/perl | <5.26.1 | 5.26.1 |
| redhat/perl | <5.27.4 | 5.27.4 |
| Perl 5.30.0 | <=5.24.2 | |
| Perl 5.30.0 | =5.26.0 |
Remedy
https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f
- https://rt.perl.org/Public/Bug/Display.html?id=131598
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1492094
- https://bugzilla.redhat.com/show_bug.cgi?id=1492093
- http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch
- http://www.debian.org/security/2017/dsa-3982
- http://www.securityfocus.com/bid/100852
- https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1
- https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
- https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
- https://security.netapp.com/advisory/ntap-20180426-0001/
- https://www.oracle.com/security-alerts/cpujul2020.html
Frequently Asked Questions
What is the severity of CVE-2017-12883?
CVE-2017-12883 has a critical severity rating due to its ability to cause denial of service and potential information disclosure.
How do I fix CVE-2017-12883?
To fix CVE-2017-12883, upgrade Perl to version 5.24.3 or later, or to version 5.26.1 or later.
Which versions of Perl are affected by CVE-2017-12883?
Perl versions prior to 5.24.3-RC1 and 5.26.1-RC1 are affected by CVE-2017-12883.
Can CVE-2017-12883 be exploited remotely?
Yes, CVE-2017-12883 can be exploited remotely through crafted regular expressions containing invalid '\N{U+...}' escapes.
What types of issues can CVE-2017-12883 cause?
CVE-2017-12883 can lead to application crashes or disclosure of sensitive information.
- agent/references
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-12883
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/weakness
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/perl
- canonical/perl 5.30.0
- version/perl 5.30.0/5.24.2
- version/perl 5.30.0/5.26.0