CyberSecurity news


@Open Source Security //
A heap buffer overflow, tracked as CVE-2024-56406, has been found in Perl. The stable release branches 5.34, 5.36, 5.38 and 5.40 are affected, as are development versions 5.33.1 through 5.41.10, the range that follows the commit which introduced the bug. The flaw is in the "tr" (transliteration) operator and is reached when the search list on the left-hand side of "tr" contains non-ASCII bytes. The published impact is denial of service: a specially crafted Perl expression overruns a heap buffer and crashes the Perl process with a segmentation fault. As with any heap overflow, code execution cannot be ruled out, but it has not been demonstrated.

The bug, reported by Nathan Mills, is in the `S_do_trans_invmap()` function: when the left-hand side of "tr" contains non-ASCII bytes, the function can advance the destination pointer "d" past the end of the buffer it writes into. In practice, an attacker who controls the string being transliterated can crash a Perl application, which makes the flaw a reliable denial-of-service vector. The exposure is greatest where Perl runs untrusted input through a "tr" whose search list includes non-ASCII characters: server-side scripts and web applications, mail and log processors, shared hosting environments where many such scripts share one interpreter, and older systems without modern heap hardening, where a heap overflow is more likely to be exploitable beyond a crash.

To fix the issue, upgrade to Perl 5.40.2 or 5.38.4, the maintenance releases that contain the patch; the fix is essentially a revert of the commit that introduced the bug. Distributions ship the fix as a backport without changing the upstream version number, so check the package version rather than the output of `perl -v`: Ubuntu has published perl 5.38.2-5ubuntu0.1 for Ubuntu 24.10, perl 5.38.2-3.2ubuntu0.1 for Ubuntu 24.04, and perl 5.34.0-3ubuntu1.4 for Ubuntu 22.04 (USN-7434-1). For most users a standard system update is enough; long-running Perl daemons must be restarted to pick up the new interpreter.
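As an added example (not taken from the advisory, Ubuntu or the Perl project), the following POSIX shell script classifies an upstream Perl version string against the range described above, accepting both the `perl -v` form ("5.38.2") and the `$]` form ("5.038002") that Perl itself reports. The version boundaries are the ones stated above; treating later 5.38.x and 5.40.x maintenance releases as fixed is an assumption that those branches keep the revert. It is an upstream-version check only: a distribution's backported package, such as Ubuntu's patched 5.38.2, is still reported as vulnerable, which is exactly why the package version has to be checked on distro-packaged Perl.

```shell
#!/bin/sh
# Added example (not from the advisory or the Perl project): classify an
# upstream Perl version string against the CVE-2024-56406 range given above.
#   affected: 5.33.1 through 5.41.10
#   fixed:    5.38.4 and later 5.38.x, 5.40.2 and later 5.40.x (assumed)
# Caveat: distributions backport the fix without bumping the upstream version
# (Ubuntu ships a patched 5.38.2), so on packaged Perl compare the *package*
# version against the vendor notice rather than trusting this check alone.

# Strip leading zeros so fields such as "038" are not treated as octal by $(( )).
dec() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${v:-0}"
}

# Map "5.38.2" (perl -v style) or "5.038002" (Perl's $] style) to one integer:
# major*1000000 + minor*1000 + release.
perl_version_key() {
    case "$1" in
        *.*.*)
            maj=${1%%.*}; rest=${1#*.}
            min=${rest%%.*}; rel=${rest#*.}
            ;;
        *.*)
            maj=${1%%.*}; rest=${1#*.}
            min=$(printf '%s' "$rest" | cut -c1-3)
            rel=$(printf '%s' "$rest" | cut -c4-6)
            ;;
        *)
            printf 'unrecognised version: %s\n' "$1" >&2
            return 2
            ;;
    esac
    echo $(( $(dec "$maj") * 1000000 + $(dec "$min") * 1000 + $(dec "$rel") ))
}

# Print "vulnerable", "fixed" or "unaffected" for an upstream version string.
cve_2024_56406_status() {
    key=$(perl_version_key "$1") || return 2
    minor=$(( key / 1000 % 1000 ))
    release=$(( key % 1000 ))
    if [ "$key" -lt 5033001 ] || [ "$key" -gt 5041010 ]; then
        echo unaffected        # before the faulty commit, or after 5.41.10
    elif [ "$minor" -eq 38 ] && [ "$release" -ge 4 ]; then
        echo fixed             # 5.38.4 carries the revert
    elif [ "$minor" -eq 40 ] && [ "$release" -ge 2 ]; then
        echo fixed             # 5.40.2 carries the revert
    else
        echo vulnerable
    fi
}

# Predicate form for use in scripts: succeeds only for a vulnerable version.
perl_is_vulnerable_to_cve_2024_56406() {
    [ "$(cve_2024_56406_status "$1")" = vulnerable ]
}

# Report on the interpreter installed on this host, if there is one.
if command -v perl >/dev/null 2>&1; then
    ver=$(perl -e 'print $]')
    printf 'perl %s: %s\n' "$ver" "$(cve_2024_56406_status "$ver")"
fi
```

Run it on a host to classify the default interpreter, or call `cve_2024_56406_status` with the version reported by each Perl you find (vendor Perl, perlbrew or plenv builds, Perls bundled with other software), since the system package is often not the only copy.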



References :
  • Open Source Security: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes
  • securityonline.info: CVE-2024-56406: Heap Overflow Vulnerability in Perl Threatens Denial of Service and Potential Code Execution
  • Ubuntu security notices: USN-7434-1: Perl vulnerability
Classification:
  • HashTags: #Perl #HeapOverflow #Vulnerability
  • Company: Perl
  • Target: Perl Users
  • Product: Perl
  • Feature: Transliteration
  • Malware: CVE-2024-56406
  • Type: Vulnerability
  • Severity: Medium