CVE-2020-10878

CVE-2020-10878

Name

CVE-2020-10878

Description

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
Patch	https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
Patch	https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
Third Party Advisory	https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
Third Party Advisory	https://security.netapp.com/advisory/ntap-20200611-0001/
Third Party Advisory	https://security.gentoo.org/glsa/202006-03
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
Mailing List	http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
Third Party Advisory	https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory	https://www.oracle.com/security-alerts/cpujan2021.html
MISC	https://www.oracle.com/security-alerts/cpuApr2021.html
N/A	https://www.oracle.com//security-alerts/cpujul2021.html
MISC	https://www.oracle.com/security-alerts/cpuoct2021.html
Patch	https://www.oracle.com/security-alerts/cpujan2022.html
MISC	https://www.oracle.com/security-alerts/cpuapr2022.html

Type

URI

Patch

https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3

Patch

https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c

Patch

https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8

Third Party Advisory

https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod

Third Party Advisory

https://security.netapp.com/advisory/ntap-20200611-0001/

Third Party Advisory

https://security.gentoo.org/glsa/202006-03

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

MISC

https://www.oracle.com/security-alerts/cpuApr2021.html

N/A

https://www.oracle.com//security-alerts/cpujul2021.html

MISC

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

https://www.oracle.com/security-alerts/cpujan2022.html

MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:perl:perl::::::::`	perl	>= None	< 5.30.3

CPE URI

Source package

Min version

Max version

cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*

perl

>= None

< 5.30.3

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
perl	3.12-main	5.30.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
perl	3.11-main	5.30.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
perl	3.10-main	5.28.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

perl

3.12-main

5.30.3-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

perl

3.11-main