PublicDateAtUSN: 2020-06-01 00:00:00 UTC
Candidate: CVE-2020-10878
CRD: 2020-06-01 00:00:00 UTC
PublicDate: 2020-06-05 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10878
 https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod
 https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod
 https://ubuntu.com/security/notices/USN-4602-1
 https://ubuntu.com/security/notices/USN-4602-2
Description:
 Perl before 5.30.3 has an integer overflow related to mishandling of a
 "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression
 could lead to malformed bytecode with a possibility of instruction
 injection.

  An application written in Perl would only be vulnerable to this flaw if
  it evaluates regular expressions supplied by the attacker. Evaluating
  regular expressions in this fashion is known to be dangerous since the
  regular expression engine does not protect against denial of service
  attacks in this usage scenario.]
Ubuntu-Description:
Notes:
 amurray| Affects 5.005 to 5.30.2
Mitigation:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962005
Priority: low
Discovered-by: Hugo van der Sanden and Slaven Rezic
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H [8.6 HIGH]


Patches_perl:
 upstream: https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
 upstream: https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
upstream_perl: released (5.28.3,5.30.3)
precise/esm_perl: released (5.14.2-6ubuntu2.11)
trusty_perl: ignored (out of standard support)
trusty/esm_perl: released (5.18.2-2ubuntu1.7+esm3)
xenial_perl: released (5.22.1-9ubuntu0.9)
esm-infra/xenial_perl: released (5.22.1-9ubuntu0.9)
bionic_perl: released (5.26.1-6ubuntu0.5)
eoan_perl: ignored (reached end-of-life)
focal_perl: released (5.30.0-9ubuntu0.2)
groovy_perl: not-affected (5.30.3-4)
devel_perl: not-affected (5.30.3-4)