FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Perl -- heap buffer overflow when transliterating non-ASCII bytes

Affected packages
perl5.36 < 5.36.3
perl5.38 < 5.38.4
perl5.40 < 5.40.2
perl5-devel < 5.41.10

Details

VuXML ID a380f43e-19e5-11f0-9568-b42e991fc52e
Discovery 2025-04-13
Entry 2025-04-15

9b29abf9-4ab0-4765-b253-1875cd9b441e reports:

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

[source]

References

CVE Name CVE-2024-56406
URL https://nvd.nist.gov/vuln/detail/CVE-2024-56406

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.