SA Bugzilla – Bug 6240
Perl crashing on extracting URIs from a mail body
Last modified: 2019-07-31 11:56:58 UTC
Bug 6238 Comment c19:
> Justin Mason 2009-11-19 12:14:20 UTC
> if it's a separate issue, we should fork off a separate ticket for it,
> to avoid confusion/conflation.

Splitting the perl crash vulnerability out of Bug 6238: "DOS vulnerability: perl segfault or CPU pegging", leaving only the timing issues there.

Warren Togami reported that a sample message attached to Bug 6238 causes perl 5.10.0 to crash, with SA 3.2.5 or 3.3.0. Seems the perl 5.10.1 is not affected, and neither are 5.8.8 and 5.8.9.

The crash happens while evaluating a regexp $uriRe in 3.2.5, or its equivalent $tbirdurire in 3.3.0:

  Mail::SpamAssassin::PerMsgStatus::_get_parsed_uri_list {
    for (@$textary) {
      # NOTE: do not modify $_ in this loop
      while (/($uriRe)/igo) {

From Bug 6238 Comment 9:

3. A perl crash, as was reported by Warren Togami. It just happens that it is triggered by the same sample message as #1. The crash point is in a completely different part of SpamAssassin code, and it is my belief that #1 and #3 are completely unrelated. The crash happens with Perl 5.10.0 only; it does not happen with 5.10.1 or 5.8.*. As regexp processing was thoroughly rehashed with perl 5.10, it is my belief the bug was introduced there with 5.10.0, but is already fixed with 5.10.1. Crawling through the 5.10.1 release notes would probably reveal further crash-causing bugs. As it happens, the crash point in SpamAssassin is the same line that is also triggering SA Bug 6225, the [perl #69973] bug, although it could be a coincidence: [perl #69973] is triggered by applying a non-utf8 regexp onto a tainted utf8 string, while the #2 issue here happens without any utf8 or taint flags.
In view of this bug (crashing perl 5.10.0) and Bug 6225 (crashing 5.10.1), perhaps it would be worthwhile to rewrite this code section to avoid using the overly complex regular expression on large chunks of text.
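As an added illustration of the rewrite suggested in the comment above (this is example code written for this page, not SpamAssassin's own code and not an attachment to this bug): instead of running one large URI regexp with /g across a whole text chunk, split the chunk into whitespace-delimited tokens, skip tokens over an assumed length cap, and match a small anchored regexp against each token. The function name, the length limit, the simplified URI regexp and the sample body are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical replacement for scanning a whole text chunk with one large
# URI regexp: tokenize first, bound token length, then run a small anchored
# regexp per token.  Names and limits here are assumptions for this example,
# not SpamAssassin's.

my $MAX_TOKEN_LEN = 2048;   # assumed cap; longer tokens are skipped, not scanned

# Deliberately simple scheme-prefixed URI matcher.  It is anchored and only
# ever sees one token, so its backtracking cost is bounded by token length.
my $SIMPLE_URI_RE = qr{^[\[("'<]*((?:https?|ftp|mailto):[^\s<>"')\]]+)}i;

sub extract_uris_from_text {
    my ($text) = @_;
    my %seen;
    my @uris;
    for my $token (split /\s+/, $text) {
        next if length($token) == 0;
        # Oversized non-whitespace runs are the inputs that make a monolithic
        # regexp expensive; skipping them bounds the work done per message.
        next if length($token) > $MAX_TOKEN_LEN;
        if ($token =~ $SIMPLE_URI_RE) {
            my $uri = $1;
            $uri =~ s/[.,;:!?]+$//;   # drop trailing sentence punctuation
            push @uris, $uri unless $seen{$uri}++;
        }
    }
    return @uris;
}

# Constructed sample body for this example (not the Bug 6238 attachment).
my $body = <<'END';
Please see http://example.com/path?x=1, and also <https://example.org/a/b>.
Contact mailto:someone@example.net for details.
END
# One very long non-whitespace run of the kind that drives regexp cost up;
# under the cap above it is skipped rather than handed to the regexp engine.
$body .= ('A' x 10000) . "\n";

print "$_\n" for extract_uris_from_text($body);
```

This only sidesteps the problem by never handing the regexp engine a large input; it does not fix the interpreter bug itself, which per the comments above needs the perl upgrade. The simplified regexp also recognises far fewer URI forms than $uriRe / $tbirdurire, so it is a demonstration of the input-bounding idea rather than a drop-in replacement.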
> Seems the perl 5.10.1 is not affected, and neither are 5.8.8 and 5.8.9.

This is not fully confirmed yet. It is possible that this is 5.10.x AND perl debugging enabled. Switching it off is non-trivial to test because all perl modules must be rebuilt along with perl core, but we are doing so.
reassigning, too
Closing old stale bug. Seems fixed and not really relevant for current Perl versions.