CVE-2008-1927 - Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of serv

CVE-2008-1927

Summary

Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems.

References

Vulnerable Configurations

cpe:2.3:a:perl:perl:5.8.8:*:*:*:*:*:*:*
cpe:2.3:a:perl:perl:5.8.8:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 11-10-2018 - 20:37)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

oval via4

accepted

2013-04-29T04:06:50.584-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:10579

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

bugzilla

id	443928
title	CVE-2008-1927 perl: heap corruption by regular expressions with utf8 characters

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment perl is earlier than 3:5.8.5-36.el4_6.3
oval oval:com.redhat.rhsa:tst:20080522001
comment perl is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060605002
AND
comment perl-suidperl is earlier than 3:5.8.5-36.el4_6.3
oval oval:com.redhat.rhsa:tst:20080522003
comment perl-suidperl is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060605004

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment perl is earlier than 4:5.8.8-10.el5_2.3
oval oval:com.redhat.rhsa:tst:20080522006
comment perl is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070966007

AND

comment perl-suidperl is earlier than 4:5.8.8-10.el5_2.3
oval oval:com.redhat.rhsa:tst:20080522008
comment perl-suidperl is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070966009

rhsa

id	RHSA-2008:0522
released	2008-06-11
severity	Important
title	RHSA-2008:0522: perl security update (Important)

rhsa
id RHSA-2008:0532

rpms

perl-2:5.8.0-98.EL3
perl-3:5.8.5-36.el4_6.3
perl-4:5.8.8-10.el5_2.3
perl-CGI-2:2.89-98.EL3
perl-CPAN-2:1.61-98.EL3
perl-DB_File-2:1.806-98.EL3
perl-debuginfo-2:5.8.0-98.EL3
perl-debuginfo-3:5.8.5-36.el4_6.3
perl-debuginfo-4:5.8.8-10.el5_2.3
perl-suidperl-2:5.8.0-98.EL3
perl-suidperl-3:5.8.5-36.el4_6.3
perl-suidperl-4:5.8.8-10.el5_2.3
perl-4:5.8.8-6.el4s1_3
perl-debuginfo-4:5.8.8-6.el4s1_3
perl-suidperl-4:5.8.8-6.el4s1_3
ant-0:1.6.5-1jpp_1rh
avalon-logkit-0:1.2-2jpp_4rh
axis-0:1.2.1-1jpp_3rh
classpathx-jaf-0:1.0-2jpp_6rh
classpathx-mail-0:1.1.1-2jpp_8rh
geronimo-ejb-2.1-api-0:1.0-0.M4.1jpp_10rh
geronimo-j2ee-1.4-apis-0:1.0-0.M4.1jpp_10rh
geronimo-j2ee-connector-1.5-api-0:1.0-0.M4.1jpp_10rh
geronimo-j2ee-deployment-1.1-api-0:1.0-0.M4.1jpp_10rh
geronimo-j2ee-management-1.0-api-0:1.0-0.M4.1jpp_10rh
geronimo-jms-1.1-api-0:1.0-0.M4.1jpp_10rh
geronimo-jsp-2.0-api-0:1.0-0.M4.1jpp_10rh
geronimo-jta-1.0.1B-api-0:1.0-0.M4.1jpp_10rh
geronimo-servlet-2.4-api-0:1.0-0.M4.1jpp_10rh
geronimo-specs-0:1.0-0.M4.1jpp_10rh
geronimo-specs-javadoc-0:1.0-0.M4.1jpp_10rh
jakarta-commons-modeler-0:2.0-3jpp_2rh
log4j-0:1.2.12-1jpp_1rh
mx4j-1:3.0.1-1jpp_4rh
pcsc-lite-0:1.3.3-3.el4
pcsc-lite-debuginfo-0:1.3.3-3.el4
pcsc-lite-doc-0:1.3.3-3.el4
pcsc-lite-libs-0:1.3.3-3.el4
rhpki-ca-0:7.3.0-20.el4
rhpki-java-tools-0:7.3.0-10.el4
rhpki-kra-0:7.3.0-14.el4
rhpki-manage-0:7.3.0-19.el4
rhpki-native-tools-0:7.3.0-6.el4
rhpki-ocsp-0:7.3.0-13.el4
rhpki-tks-0:7.3.0-13.el4
tomcat5-0:5.5.23-0jpp_4rh.16
tomcat5-common-lib-0:5.5.23-0jpp_4rh.16
tomcat5-jasper-0:5.5.23-0jpp_4rh.16
tomcat5-jsp-2.0-api-0:5.5.23-0jpp_4rh.16
tomcat5-server-lib-0:5.5.23-0jpp_4rh.16
tomcat5-servlet-2.4-api-0:5.5.23-0jpp_4rh.16
xerces-j2-0:2.7.1-1jpp_1rh
xml-commons-0:1.3.02-2jpp_1rh
xml-commons-apis-0:1.3.02-2jpp_1rh

refmap via4

apple	APPLE-SA-2009-02-12
bid	28928
bugtraq	20090120 rPSA-2009-0011-1 perl
confirm	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454792 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-317.htm http://support.avaya.com/elmodocs2/security/ASA-2008-361.htm http://wiki.rpath.com/Advisories:rPSA-2009-0011 http://www.ipcop.org/index.php?name=News&file=article&sid=41 http://www.vmware.com/security/advisories/VMSA-2008-0013.html
debian	DSA-1556
fedora	FEDORA-2008-3392 FEDORA-2008-3399
gentoo	GLSA-200805-17
mandriva	MDVSA-2008:100
misc	http://rt.perl.org/rt3/Public/Bug/Display.html?id=48156
osvdb	44588
sectrack	1020253
secunia	29948 30025 30326 30624 31208 31328 31467 31604 31687 33314 33937
suse	SUSE-SR:2008:017
ubuntu	USN-700-1 USN-700-2
vupen	ADV-2008-2265 ADV-2008-2361 ADV-2008-2424 ADV-2009-0422
xf	perl-utf8-dos(41996)

Last major update

11-10-2018 - 20:37

Published

24-04-2008 - 05:05

Last modified

11-10-2018 - 20:37