CVE-2018-6797

Impact:
Moderate
Public Date:
2018-04-14
CWE:
CWE-787
Bugzilla:
1547783: CVE-2018-6797 perl: heap write overflow in regcomp.c
A heap buffer write overflow, with control over the bytes written, was found in the way regular expressions employing Unicode rules are compiled. An attacker, with the ability to provide a specially crafted regular expression, could crash the perl interpreter, or possibly execute arbitrary code.

Find out more about CVE-2018-6797 from the MITRE CVE dictionary and NIST NVD.

Statement

Versions of the perl interpreter older than 5.18 are not vulnerable. As a result, the versions of perl shipped in Red Hat Enterprise Linux versions 7, 6, and 5 are not affected by this vulnerability.

CVSS v3 metrics

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-perl524-perl) RHSA-2018:1192 2018-04-23
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-perl524-perl) RHSA-2018:1192 2018-04-23

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-perl526-perl Affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-perl520-perl Will not fix
Red Hat Enterprise Linux 7 perl Not affected
Red Hat Enterprise Linux 6 perl Not affected
Red Hat Enterprise Linux 5 perl Not affected

Acknowledgements

Red Hat would like to thank Perl 5 Porters for reporting this issue. Upstream acknowledges Brian Carpenter as the original reporter.
