PT-2020-3690 · Perl+8

Published: 2020-06-01 · Updated: 2024-06-15 · CVE-2020-10543

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:C
Name of the Vulnerable Software and Affected Versions: Perl versions prior to 5.30.3
Description: The issue is a heap-based buffer overflow in Perl caused by an integer overflow when nested regular expression quantifiers are compiled. It can be exploited if an application written in Perl evaluates regular expressions supplied by an attacker, a known dangerous practice because the regular expression engine does not protect against denial of service attacks in that scenario. The target system needs enough memory to allocate the partial expansions of the nested quantifiers before the overflow occurs, a condition unlikely to be met on 64-bit systems.
Recommendations: For versions prior to 5.30.3, update to version 5.30.3 or later to resolve the issue. As a temporary workaround, avoid evaluating regular expressions supplied by attackers to minimize the risk of exploitation. Restricting the amount of memory available for partial expansions of nested quantifiers can also help mitigate the risk, although this may not be feasible in all scenarios.
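The two recommendations above, as an added Perl example that is not part of this advisory: a runtime check that the interpreter is 5.30.3 or later, and a helper that matches untrusted input only as a literal string (via quotemeta), so user-supplied quantifiers never reach the regex compiler. The function names and the sample input are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not from the advisory: defensive checks related to CVE-2020-10543.
# is_perl_fixed()  - is the running interpreter at or above the fixed version 5.30.3?
# safe_match()     - treat untrusted text as a literal, never as a pattern.
use strict;
use warnings;

# $] holds the interpreter version as a number, e.g. 5.030003 for Perl 5.30.3.
sub is_perl_fixed {
    my ($version) = @_;
    $version = $] unless defined $version;   # a value may be passed in for testing
    return $version >= 5.030003 ? 1 : 0;
}

# Escape every regex metacharacter in the untrusted string so that '(', '+',
# '{' and friends are matched literally instead of being compiled as quantifiers.
sub safe_match {
    my ($text, $untrusted) = @_;
    my $literal = quotemeta($untrusted);
    return $text =~ /$literal/ ? 1 : 0;
}

# Constructed sample input: text that would be a nested quantifier if interpolated raw.
my $user_input = '(a+)+';

print "Running Perl $], fixed version: ", (is_perl_fixed() ? "yes" : "no"), "\n";
print "literal match in 'foo(a+)+bar': ", safe_match('foo(a+)+bar', $user_input), "\n";
print "literal match in 'aaaa': ",         safe_match('aaaa',        $user_input), "\n";
```

The first match succeeds because the literal characters are present, the second fails because the input is not interpreted as a pattern; interpolating `$user_input` without quotemeta would instead compile it as a regex.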

Fix

Memory Corruption

Integer Overflow


Weakness Enumeration

Related Identifiers

ALT-PU-2020-2905
ALT-PU-2020-3343
ALT-PU-2020-3414
BDU:2020-04039
CESA-2021_0343
CESA-2021_1678
CVE-2020-10543
MGASA-2020-0255
OPENSUSE-SU-2020:0850-1
OPENSUSE-SU-2020_0850-1
OPENSUSE-SU-2024:11158-1
RHSA-2021:0343
RHSA-2021:0883
RHSA-2021:1032
RHSA-2021:1266
RHSA-2021:1678
RHSA-2021:2792
RHSA-2021_0343
RHSA-2021_1678
RHSA-2026:6206
RLSA-2021:1678
SUSE-SU-2020:1662-1
SUSE-SU-2020:1682-1
SUSE-SU-2020:1682-2
SUSE-SU-2020_1662-1
SUSE-SU-2020_1682-1
SUSE-SU-2020_1682-2
USN-4602-1
USN-4602-2

Affected Products

Alt Linux
Centos
Ibm Aix
Linuxmint
Perl
Red Hat
Rocky Linux
Suse
Ubuntu