REDHAT-BUG-323571

First published: Mon Oct 08 2007(Updated: )

Tavis Ormandy and Will Drewry have discovered a flaw in the way perl calculates the space needed to process a regular expression. It is possible to cause the two passes to mismatch. To quote their mail: The compile phase uses multiple passes (similar to older pcre releases), once to determine space requirements and another to actually compile the expression, however it's very simple to cause the two passes to mismatch. From the perl documentation: > The regular expression compiler produces polymorphic opcodes.That is, > the pattern adapts to the data and automatically switches to the Unicode > character scheme when presented with Unicode data--or instead uses a > traditional byte scheme when presented with byte data. This unfortunately means that you can cause the mode to switch at an arbitrary point, and then subsequent passes of any of the expression prior to this point switch will be passed differently, and thus potentially have their space requirements miscalculated. Acknowledgements: Red Hat would like to thank Tavis Ormandy and Will Drewry for properly disclosing this issue.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-bugzilla
• alias/CVE-2007-5116
• agent/references
• agent/first-publish-date
• agent/last-modified-date
• agent/type
• agent/event
• agent/severity
• agent/description
• agent/softwarecombine
• agent/tags
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/perl
• canonical/perl