PERL-5.26.1 stack_overflow

[p5pRT]

Migrated from rt.perl.org#132609 (status was 'open')

Searchable as RT132609$

[p5pRT]

From sraums2498@gmail.com

=================================================================
==38398==ERROR​: AddressSanitizer​: stack-overflow on address 0x7ffd8858afe8
(pc 0x000002e77260 bp 0x7ffd8858b0c0 sp 0x7ffd8858afe8 T0)
  #0 0x2e7725f in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:531
  #1 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #2 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #3 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #4 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #5 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #6 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #7 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #8 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #9 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #10 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #11 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #12 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #13 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #14 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #15 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #16 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #17 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #18 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #19 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #20 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #21 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #22 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #23 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #24 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #25 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #26 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #27 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #28 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #29 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #30 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #31 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #32 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #33 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #34 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #35 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #36 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #37 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #38 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #39 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #40 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #41 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #42 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #43 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #44 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #45 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #46 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #47 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #48 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #49 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #50 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #51 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #52 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #53 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #54 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #55 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #56 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #57 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #58 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #59 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #60 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #61 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #62 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #63 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #64 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #65 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #66 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #67 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #68 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #69 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #70 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #71 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #72 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #73 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #74 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #75 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #76 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #77 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #78 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #79 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #80 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #81 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #82 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #83 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #84 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #85 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #86 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #87 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #88 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #89 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #90 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #91 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #92 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #93 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #94 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #95 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #96 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #97 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #98 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #99 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #100 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #101 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #102 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #103 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #104 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #105 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #106 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #107 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #108 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #109 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #110 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #111 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #112 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #113 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #114 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #115 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #116 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #117 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #118 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #119 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #120 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #121 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #122 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #123 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #124 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #125 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #126 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #127 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #128 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #129 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #130 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #131 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #132 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #133 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #134 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #135 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #136 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #137 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #138 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #139 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #140 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #141 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #142 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #143 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #144 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #145 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #146 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #147 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #148 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #149 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #150 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #151 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #152 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #153 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #154 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #155 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #156 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #157 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #158 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #159 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #160 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #161 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #162 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #163 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #164 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #165 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #166 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #167 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #168 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #169 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #170 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #171 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #172 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #173 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #174 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #175 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #176 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #177 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #178 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #179 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #180 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #181 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #182 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #183 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #184 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #185 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #186 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #187 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #188 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #189 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #190 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #191 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #192 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #193 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #194 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #195 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #196 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #197 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #198 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #199 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #200 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #201 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #202 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #203 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #204 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #205 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #206 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #207 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #208 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #209 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #210 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #211 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #212 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #213 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #214 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #215 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #216 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #217 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #218 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #219 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #220 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #221 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #222 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #223 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #224 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #225 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #226 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #227 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #228 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #229 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #230 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #231 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #232 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #233 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #234 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #235 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #236 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #237 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #238 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #239 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #240 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #241 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #242 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #243 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #244 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #245 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #246 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #247 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #248 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #249 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #250 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545
  #251 0x2e871f3 in S_group_end
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:545

SUMMARY​: AddressSanitizer​: stack-overflow
/home/asan_perl/Documents/perl-5.26.1/pp_pack.c​:531 S_group_end
==38398==ABORTING

--
Regards,
SRAUMS

[p5pRT]

From sraums2498@gmail.com

254

[p5pRT]

From @hvds

This reduces to​:
  ./miniperl -e 'pack "[" x 20000'
.. which explodes the stack because we check for close parens recursively in pack.c​:S_group_end()​:
  else if (c == '[')
  patptr = group_end(patptr, patend, ']') + 1;

The same happens for "(", for the same reason.

I don't think we class such things as vulnerabilities, can anyone confirm or deny?

I'm also not sure what would be involved in avoiding this, or if there's value in doing so.

Hugo

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From zefram@fysh.org

Hugo van der Sanden via RT wrote​:

I don't think we class such things as vulnerabilities, can anyone
confirm or deny?

Confirmed, we don't consider busting the C stack to be a security failure.

-zefram

[p5pRT]

From @tonycoz

On Wed, 10 Jan 2018 18​:01​:19 -0800, zefram@​fysh.org wrote​:

Hugo van der Sanden via RT wrote​:

I don't think we class such things as vulnerabilities, can anyone
confirm or deny?

Confirmed, we don't consider busting the C stack to be a security failure.

Moved to the public queue.

Tony

[p5pRT]

From @mudongliang

Dear admin of perlbug,

I write this email to confirm whether you have received my perl bug
report : "Stack Exhaustion in current perl stable - 3.26.1".

And we need confirmation about this is really a bug to prove the power
of fuzzing tool. If you could response back to me as soon as possible,
I will really appreciate it.

--
My best regards to you.

  No System Is Safe!
  Dongliang Mu

[p5pRT]

From @mudongliang

---------- Forwarded message ----------
From​: <cve-request@​mitre.org>
Date​: Tue, Mar 20, 2018 at 1​:18 AM
Subject​: Re​: [scr480305] Perl - 5.26.1
To​: mudongliangabcd@​gmail.com
Cc​: cve-request@​mitre.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash​: SHA256

The CVE ID is below. Please inform the software maintainer that the
CVE ID has been assigned.

[Suggested description]
An issue was discovered in Perl 5.26.1.
Stack Exhaustion occurs in checking regular expression for a "()" pair.
When Perl interprets one "(", it will allocate four stack
frames (S_reg, S_regbranch, S_regpiece, S_regatom) with a 0x9E0 length.
This mishandles the case of a length
longer than 3314.

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Perl

------------------------------------------

[Affected Product Code Base]
Perl - 5.26.1

------------------------------------------

[Affected Component]
regcomp.c​:10569, S_reg, perl, miniperl

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
To exploit this vulnerability, someone must use perl to execute one crafted file

------------------------------------------

[Discoverer]
Dongliang Mu

Use CVE-2018-8816.

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http​://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version​: GnuPG v1

iQIcBAEBCAAGBQJasJlZAAoJEHb/MwWLVhi2LaQP/i4qxjxKiEAcCHt66++qqbtP
412METcnIQAFf34V+G3/y0R/O2QftuXe2Jqrdks51RY32UvMYiFeOo96YXAa44kv
iPDAbB/xi05CFnCC8c4chgXp47wSYvVRmhSN1FCK2WW1QFa1gCXtPLihp77D3y8w
1BW3DfZfpGSm2v8hMpclqB5g0nHKPpeuG0Yen6z0xoRddfNio7e0OhcH405ig1LK
apgt3mMshWPQAtZn1F55T54FGptQzm92H5XkBpGyVzFzcCLja4nlR/td6t4jmf/S
QHwCFcVBgQ/NRLJzzUZvYKfjoYZd2ob3niGlID/ZqfwsEMPxl21DJCfW7RwSrG1y
JatzcbaLelJTeFTQ0bv9R21Ew3jGVldSLQgIV39Vp+Rx0zWg4MNkzUlTwHsjAoGd
EZ6c5nPT/AbnsbuvMLgOLYQPjdtIHm8ojtvcTwWfFQrGzERjnmglunR95Q/Narmz
10VwN3T0eTN4pQvhDQEet5MM7E0lLJG6qrjKi7nSUC3PobWwmN9viAWhsHafoK7t
lYDzpnmVe1Jh4HFrEyrReuyqZ5SlGJHeBOzGKDkxNdx51sIm2K6NiNqB5OLawQzy
jIuUdQN/+k3tb24R94iNgFqxkCGh7WqwJtMOySq4UPh+o2Iw6FNT3Bjdtwi5rN4p
ORkdgL61gZU06DUPfHyF
=KXgN
-----END PGP SIGNATURE-----

[p5pRT]

From @tonycoz

On Mon, 19 Mar 2018 18​:43​:35 -0700, mudongliangabcd@​gmail.com wrote​:

Dear admin of perlbug,

I write this email to confirm whether you have received my perl bug
report : "Stack Exhaustion in current perl stable - 3.26.1".

And we need confirmation about this is really a bug to prove the power
of fuzzing tool. If you could response back to me as soon as possible,
I will really appreciate it.

I don't see any tickets with a subject matching "Stack Exhaustion in current perl stable - 3.26.1".

I do see ticket 133002, which has subject "Fwd​: [scr480305] Perl - 5.26.1" and is from you.

From a quick look this doesn't appear to be a security issue.

Tony

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @mudongliang

On Mon, Mar 26, 2018 at 7​:13 PM, Tony Cook via RT <
perl5-security-report-followup@​perl.org> wrote​:

On Mon, 19 Mar 2018 18​:43​:35 -0700, mudongliangabcd@​gmail.com wrote​:

Dear admin of perlbug,

I write this email to confirm whether you have received my perl bug
report : "Stack Exhaustion in current perl stable - 3.26.1".

And we need confirmation about this is really a bug to prove the power
of fuzzing tool. If you could response back to me as soon as possible,
I will really appreciate it.

I don't see any tickets with a subject matching "Stack Exhaustion in
current perl stable - 3.26.1".

I do see ticket 133002, which has subject "Fwd​: [scr480305] Perl -
5.26.1" and is from you.

From a quick look this doesn't appear to be a security issue.

First, thanks for your response.

Second, *Stack Exhaustion* is one kind of memory error vulnerability. At
least it could be leveraged to cause DoS.

From the log of AddressSanitizer, it is also verified as "Stack Overflow".

ASAN​:SIGSEGV

==27852==ERROR​: AddressSanitizer​: stack-overflow on address 0x7ffc14cabff8
(pc 0x0000005fd2bd bp 0x7ffc14cac270 sp 0x7ffc14cabff0 T0)
  #0 0x5fd2bc (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fd2bc)
  #1 0x5fdc41 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fdc41)
  #2 0x5d3475 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5d3475)
  #3 0x61ebbf (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x61ebbf)
  #4 0x5fde1f (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fde1f)
  #5 0x5d3475 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5d3475)
  #6 0x61ebbf (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x61ebbf)
  #7 0x5fde1f (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fde1f)
  #8 0x5d3475 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5d3475)
  #9 0x61ebbf (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x61ebbf)
  #10 0x5fde1f (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fde1f)
  #11 0x5d3475 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5d3475)
  #12 0x61ebbf (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x61ebbf)
  ......

It should be one security issue. And I could find one CVE(
http​://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5314) with Stack
Exhausting type in the CVE Database.

If you have any question about this issue, please let me know.

Tony

[p5pRT]

From @iabyn

On Mon, Mar 26, 2018 at 07​:46​:08PM -0400, æ��å�¬äº® wrote​:

Second, *Stack Exhaustion* is one kind of memory error vulnerability. At
least it could be leveraged to cause DoS.

If the attacker is able to feed an attacker-specified regex pattern into
the perl interpreter, there are many, many ways of writing a regex which
will exhaust CPU or possibly even memory, e.g.

  $_ = "x" x 100;
  /.*.*.*.*.*.*.*.*[AB]/;

--
Indomitable in retreat, invincible in advance, insufferable in victory
  -- Churchill on Montgomery

[p5pRT]

From sraums2498@gmail.com

Maybe you are correct.
But all I can see here is, by not closing a bracket in a statement, if I
am able to corrupt the stack, I think it is easiest way to exploit the
target, which in our case here is perl.
So referring to the CVSS here​:
ease of exploit​: High (as we just need to leave a bracket open)
attack complexity​: almost nothing
As here, the perl is failing to sanitze this condition where bracket is not
closed, which is then further leading to stack corruption.
So I believe this is a security issue.

On Wed, Jan 24, 2018 at 4​:09 AM, Tony Cook via RT <perlbug-followup@​perl.org

wrote​:

On Wed, 10 Jan 2018 18​:01​:19 -0800, zefram@​fysh.org wrote​:

Hugo van der Sanden via RT wrote​:

I don't think we class such things as vulnerabilities, can anyone
confirm or deny?

Confirmed, we don't consider busting the C stack to be a security
failure.

Moved to the public queue.

Tony

--
Regards,
SRAUMS

[p5pRT]

From @tonycoz

On Mon, 26 Mar 2018 22​:10​:44 -0700, mudongliangabcd@​gmail.com wrote​:

On Mon, Mar 26, 2018 at 7​:13 PM, Tony Cook via RT <
perl5-security-report-followup@​perl.org> wrote​:

On Mon, 19 Mar 2018 18​:43​:35 -0700, mudongliangabcd@​gmail.com wrote​:

Dear admin of perlbug,

I write this email to confirm whether you have received my perl bug
report : "Stack Exhaustion in current perl stable - 3.26.1".

And we need confirmation about this is really a bug to prove the power
of fuzzing tool. If you could response back to me as soon as possible,
I will really appreciate it.

I don't see any tickets with a subject matching "Stack Exhaustion in
current perl stable - 3.26.1".

I do see ticket 133002, which has subject "Fwd​: [scr480305] Perl -
5.26.1" and is from you.

From a quick look this doesn't appear to be a security issue.

First, thanks for your response.

Second, *Stack Exhaustion* is one kind of memory error vulnerability. At
least it could be leveraged to cause DoS.

From the log of AddressSanitizer, it is also verified as "Stack Overflow".

ASAN​:SIGSEGV

==27852==ERROR​: AddressSanitizer​: stack-overflow on address 0x7ffc14cabff8
(pc 0x0000005fd2bd bp 0x7ffc14cac270 sp 0x7ffc14cabff0 T0)
#0 0x5fd2bc (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fd2bc)
#1 0x5fdc41 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fdc41)
#2 0x5d3475 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5d3475)
#3 0x61ebbf (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x61ebbf)
#4 0x5fde1f (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fde1f)
#5 0x5d3475 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5d3475)
#6 0x61ebbf (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x61ebbf)
#7 0x5fde1f (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fde1f)
#8 0x5d3475 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5d3475)
#9 0x61ebbf (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x61ebbf)
#10 0x5fde1f (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5fde1f)
#11 0x5d3475 (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x5d3475)
#12 0x61ebbf (/home/mdl/revision/testsuites/perl-5.26.1/perl+0x61ebbf)
......

It should be one security issue. And I could find one CVE(
http​://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5314) with Stack
Exhausting type in the CVE Database.

If you have any question about this issue, please let me know.

In the past we haven't treated the same issue as a security issue and we're unlikely to do so in the future.

I've (very briefly) discussed ways to mitigate this type of issue with Karl, but I haven't done anything specific on it, and Karl hasn't mentioned anything he's done on it.

Tony

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From kshah@fortinet.com

Hello Perl Product Security Team,
Good Evening.
The password for the Zipped file shared earlier is "Perl_Vuln_@​12345!@​#$%"
without the double quotes.
Thanking You,
Yours Sincerely,
Aditya Raghavan.
Security Research Intern | Fortinet's FortiGuard Labs.

*** Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Please also note that any views, opinions, conclusions or commitments expressed in this message are those of the individual sender and do not necessarily reflect the views of Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and only a writing manually signed by Fortinet's General Counsel can be a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***

[p5pRT]

From secresearch@fortinet.com

Vulnerability Notification
May 30, 2018
Tracking Case #​: FG-VD-18-095

Dear Perl,

The following information pertains to information discovered by Fortinet's
FortiGuard Labs. It has been determined that a vulnerability exists in Perl.
To streamline the disclosure process, we have created a preliminary advisory
which you can find below. This upcoming advisory is purely intended as a
reference, and does not contain sensitive information such as proof of
concept code.

As a mature corporation involved in security research, we strive to
responsibly disclose vulnerability information. We will not post an advisory
until we determine it is appropriate to do so in co-ordination with the
vendor unless a resolution cannot be reached. We will not disclose full
proof of concept, only details relevant to the advisory.

We look forward to working closely with you to resolve this issue, and
kindly ask for your co-operation during this time. Please let us know if you
have any further questions, and we will promptly respond to address any
issues.

If this message is not encrypted, it is because we could not find your key
to do so. If you have one available for use, please notify us and we will
ensure that this is used in future correspondence. We ask you use our public
PGP key to encrypt and communicate any sensitive information with us. You
may find the key on our FortiGuard center at​:
http​://www.fortiguard.com/pgpkey.

Type of Vulnerability & Repercussions​:
Memory Corruption & potential Arbitrary Code Execution

Affected Product​:
  Perl 5, version 28, subversion 0 (v5.28.0-RC1-17-g94fc6237e5) built for
x86_64-linux

Upcoming Advisory Reference​:
http​://www.fortiguard.com/advisory/UpcomingAdvisories.html

Credits​:
This vulnerability was discovered by Aditya Raghavan of Fortinet's
FortiGuard Labs.

*** Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Please also note that any views, opinions, conclusions or commitments expressed in this message are those of the individual sender and do not necessarily reflect the views of Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and only a writing manually signed by Fortinet's General Counsel can be a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***

[p5pRT]

From secresearch@fortinet.com

FG-VD-18-095.zip

[p5pRT]

From @tonycoz

On Thu, May 31, 2018 at 02​:24​:18PM -0700, secresearch wrote​:

The following information pertains to information discovered by Fortinet's
FortiGuard Labs. It has been determined that a vulnerability exists in Perl.
To streamline the disclosure process, we have created a preliminary advisory
which you can find below. This upcoming advisory is purely intended as a
reference, and does not contain sensitive information such as proof of
concept code.

This is a stack overflow from parsing a regular expression with deeply
nested groups, ie​:

/<!--. ?-K\s((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((...

This is only exploitable as a denial of service (it crashes perl).

We've had this reported to the security list twice before and haven't
treated it as a security issue.

Tony

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Wed, 04 Apr 2018 17​:32​:21 -0700, tonyc wrote​:

In the past we haven't treated the same issue as a security issue and
we're unlikely to do so in the future.

I've (very briefly) discussed ways to mitigate this type of issue with
Karl, but I haven't done anything specific on it, and Karl hasn't
mentioned anything he's done on it.

Now public and merging into 132609.

Tony

[p5pRT]

From @tonycoz

On Thu, 31 May 2018 16​:22​:05 -0700, tonyc wrote​:

On Thu, May 31, 2018 at 02​:24​:18PM -0700, secresearch wrote​:

The following information pertains to information discovered by
Fortinet's
FortiGuard Labs. It has been determined that a vulnerability exists
in Perl.
To streamline the disclosure process, we have created a preliminary
advisory
which you can find below. This upcoming advisory is purely intended
as a
reference, and does not contain sensitive information such as proof
of
concept code.

This is a stack overflow from parsing a regular expression with deeply
nested groups, ie​:

/<!--. ?-
K\s((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((...

This is only exploitable as a denial of service (it crashes perl).

We've had this reported to the security list twice before and haven't
treated it as a security issue.

Also now public and merging into 132609.

Tony

[khwilliamson]

There are several different causes merged into this single ticket. The ones from pack remain unfixed. The ones in patterns were fixed by 6ef7fe5

[hvds]

There are several different causes merged into this single ticket. The ones from pack remain unfixed.

As far as I know, people don't tend to accept pack formats from untrusted sources, nor generate hyper-complex formats programmatically. So the value of fixing this is low but not zero: fixing things like this improve our chances of finding real problems by fuzzing, for example.

Interestingly, my current system gcc (7.5.0) appears to unroll some levels of the recursion by way of optimization, so I now get:

% ./miniperl -e 'pack "[" x 20000'
No group ending character ']' found in template at -e line 1.
% 

.. and have to go over 500000 to recreate the coredump unless I build with optimization disabled. (This unrolling appears to add about 1K to the size of the executable.)

I'm tempted to remove the recursion altogether with a simple counter of ([ versus ]), like this pseudocode:

  unsigned open = 0;
  while (patptr < patend) {
    const char c = *patptr++;

    skip comments;
    if (open == 0 && c == ender)
      return patptr - 1;
    else if (c == '(' || c == '[')
      ++open;
    else if (c == ')' || c == ']') {
      if (open == 0) croak "mismatched parens";
      --open;
    }
  }
  croak "no group ending character";

at the minor cost that with mismatched parens like [ ( ] ] we'll do a bit more parsing work before deciding there's an error.

[hvds]

I'm tempted to remove the recursion altogether

Now implemented in #19646.

I'd be tempted to leave this until after 5.38 5.36.

[jkeenan]

I'm tempted to remove the recursion altogether

Now implemented in #19646.

I'd be tempted to leave this until after 5.38 5.36.

@hvds, can you provide an update on the status of this ticket? What must be done to close it?

[hvds]

@hvds, can you provide an update on the status of this ticket? What must be done to close it?

I can close this now, @khwilliamson merged the fix in #19646 on 2022-05-28.