oss-sec mailing list archives

Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes


From: Solar Designer <solar () openwall com>
Date: Sun, 13 Apr 2025 16:47:59 +0200

Hi Stig,

Thank you for handling this disclosure so well!

On Sun, Apr 13, 2025 at 03:23:25PM +0200, Stig Palmquist wrote:
> Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow
> when transliterating non-ASCII bytes
> 
> Description
> -----------
> A heap buffer overflow vulnerability was discovered in Perl.
> 
> When there are non-ASCII bytes in the left-hand-side of the `tr`
> operator, `S_do_trans_invmap` can overflow the destination pointer `d`.
> 
>    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
>    Segmentation fault (core dumped)

Running this command on distro packages based on 5.32.1 (like in EL9)
does not segfault (produces no output), which is as expected for a
version that didn't yet have the bug (and assuming no bug backport).

https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch

As was mentioned in the advance notification to distros, the issue
was introduced in:

https://github.com/Perl/perl5/commit/a311ee08b6781f83a7785f578a26bbc21a7ae457

which is part of tags v5.33.1 to v5.41.10, so I guess those versions are
also affected.  The fix commit is effectively a revert of the bug commit.

Alexander
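The following is an added example, not code from the message above or from the Perl project. It wraps the reproducer quoted in the thread so a practitioner can test an installed perl for the crash without reading a core dump, and it encodes the tag range this message gives for the bug commit (v5.33.1 through v5.41.10) as a version hint. The function and constant names (`run_reproducer`, `version_in_bug_range`, `BUG_INTRODUCED`, `LAST_TAG_WITH_BUG`) are my own. The version check is an assumption derived only from this thread: it cannot tell a patched point release or a distro backport from an unpatched build, so the subprocess run is the authoritative answer.

```python
"""Check a Perl binary for the tr/// heap overflow described in the thread.

Added example; not part of the oss-sec message or the perl5 repository.
"""
import re
import shutil
import signal
import subprocess

# Reproducer quoted in the thread: a 1,000,000-byte string of \xFF and a
# tr/// whose left-hand side contains a non-ASCII byte.
REPRO = r'$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'

# Tag range this message gives for the commit that introduced the bug.
# Assumption: fixed point releases and backports are NOT excluded here,
# so treat this as a hint only; run_reproducer() is the real check.
BUG_INTRODUCED = (5, 33, 1)
LAST_TAG_WITH_BUG = (5, 41, 10)


def parse_perl_version(text: str) -> tuple:
    """Extract (major, minor, patch) from 'v5.38.2', '5.40.0' or a perl -v banner."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_in_bug_range(version: str) -> bool:
    """True if the version lies in the tag range the message names as carrying the bug."""
    return BUG_INTRODUCED <= parse_perl_version(version) <= LAST_TAG_WITH_BUG


def classify_returncode(rc: int) -> str:
    """Map a subprocess return code to an outcome.

    subprocess reports a signal death as a negative code (-11 == SIGSEGV),
    which is what the overflow produces on an unpatched build.
    """
    if rc == 0:
        return "no-crash"
    if rc < 0:
        try:
            return "crashed-" + signal.Signals(-rc).name
        except ValueError:
            return f"crashed-signal-{-rc}"
    return f"exit-{rc}"


def run_reproducer(perl: str = "perl", timeout: float = 60.0) -> str:
    """Run the thread's reproducer under `perl` and classify what happened."""
    if shutil.which(perl) is None:
        return "perl-not-found"
    try:
        proc = subprocess.run([perl, "-e", REPRO], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_returncode(proc.returncode)


if __name__ == "__main__":
    banner = subprocess.run(["perl", "-e", "print $^V"], capture_output=True, text=True)
    if banner.returncode == 0:
        print("perl", banner.stdout, "in bug tag range:", version_in_bug_range(banner.stdout))
    print("reproducer result:", run_reproducer())
```

A result of `crashed-SIGSEGV` matches the segfault shown in the advisory; `no-crash` is the behaviour the message reports for the 5.32.1-based EL9 packages. An ASAN build would typically report `exit-1` rather than a signal, so read the classification together with how the binary was built.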
