Heap-based buffer overflow in perl (Alpine package)

1) Heap-based buffer overflow

EUVDB-ID: #VU32721

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2012-5195

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5. A remote attacker can use the to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

perl (Alpine package): 5.12.2-r0 - 5.12.4-r0

CPE2.3

• cpe:2.3:o:alpine:perl_alpine_package:5.12.2-r0:*:*:*:*:alpine_linux:*:2.1
• cpe:2.3:o:alpine:perl_alpine_package:5.12.3-r0:*:*:*:*:alpine_linux:*:2.1
• cpe:2.3:o:alpine:perl_alpine_package:5.12.4-r0:*:*:*:*:alpine_linux:*:2.1

External links

https://git.alpinelinux.org/aports/commit/?id=bccddbca35ceb6c4efdeddf20c7dfac0db3e0895
https://git.alpinelinux.org/aports/commit/?id=95aad47301ea8b47b657b1b19f391ba58a07bf91
https://git.alpinelinux.org/aports/commit/?id=29aaa3b1df0480eca7eb2edd7e8394c765b061f0
https://git.alpinelinux.org/aports/commit/?id=35e0f3007d2d9dfccce1e2bcd5867272e3c23347

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.