CVE-2017-12837: Buffer Overflow

Published Sep 15, 2017

Compiling certain regular expression patterns with the case-insensitive modifier could cause a heap buffer overflow and crash perl.

Upstream patch:

https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5

Bug report:

https://rt.perl.org/Public/Bug/Display.html?id=131582

Other sources

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.

MITRE

Perl. Public CVE-2017-12837 was addressed by updating the function in Perl 5.18

Credit

Jakub Wilk

Affected Software

5 affected components (fixes available)

Apple macOS High Sierra < 10.13.2 (fix available: 10.13.2)
Apple Sierra
Apple El Capitan
Perl Perl <= 5.24.2
Perl Perl = 5.26.0

Event History

Sep 15, 2017, 12:44 PM: Data Sourced (Description, Severity, Affected Software)
Sep 19, 2017, 06:00 PM: CVE Published, via MITRE
Sep 19, 2017, 06:00 PM: Data Sourced, via MITRE (Description)

Frequently Asked Questions

1. What is CVE-2017-12837?

CVE-2017-12837 is a heap-based buffer overflow vulnerability in the S_regatom function in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1.

2. How does CVE-2017-12837 impact Perl?

CVE-2017-12837 allows remote attackers to cause a denial of service (out-of-bounds write) in Perl by using a regular expression with a '\N{}' escape and the case-insensitive modifier.

3. What versions of Perl are affected by CVE-2017-12837?

Perl versions up to and including 5.24.2 and 5.26.0 are affected by CVE-2017-12837.

4. What is the severity of CVE-2017-12837?

CVE-2017-12837 has a severity rating of 7.5 (high).

5. How can I mitigate CVE-2017-12837?

To mitigate CVE-2017-12837, update Perl to version 5.24.3-RC1 or later for Perl 5.24.x, or version 5.26.1-RC1 or later for Perl 5.26.x.
