Bug 218946

Summary: lang/perl5.24 - remote DoS via CPU exhaustion by exercising glob expansion
Product: Ports & Packages    Reporter: Sevan Janiyan <sevan>
Component: Individual Port(s)    Assignee: Mathieu Arnold <mat>
Status: Closed Not Accepted
Severity: Affects Only Me    Flags: bugzilla: maintainer-feedback? (perl)
Priority: ---
Version: Latest
Hardware: Any
OS: Any
URL: https://github.com/Perl/perl5/commit/33252c318625f3c6c89b816ee88481940e3e6f95

Description Sevan Janiyan freebsd_committer freebsd_triage 2017-04-28 23:12:43 UTC
A blog post by Russ Cox, titled "Glob Matching Can Be Simple And Fast Too", highlighted the issue.
https://research.swtch.com/glob

Patches landed in the Perl repo to address the issue:
https://perl5.git.perl.org/perl.git/commit/33252c318625f3c6c89b816ee88481940e3e6f95

I don't believe a CVE has been assigned yet, but the range of affected software may be quite wide; not sure how that fits in with vuxml.
Comment 1 Mathieu Arnold freebsd_committer freebsd_triage 2017-04-28 23:25:34 UTC
I doubt very much the range of software using regexps in the form of a*a*a*a*a*b is very wide :-)
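For readers following the Russ Cox post linked in the description, here is an added illustration (not the Perl patch and not code from this bug report) of the linear-time matching strategy that post describes: instead of recursing at every `*`, the matcher remembers the last `*` and restarts just after it on a mismatch, so a pattern of the form `a*a*a*a*a*b` from the comment above costs at most (len(name)+1) * (len(pattern)+1) loop iterations rather than exponential work. The step counter and the constructed test inputs are this example's own additions.

```python
"""Linear-time glob matching in the style described by Russ Cox in
"Glob Matching Can Be Simple And Fast Too" (https://research.swtch.com/glob).
Illustrative reimplementation only; it is not the Perl fix referenced above.

Supported metacharacters: '*' (any run of characters) and '?' (one character).
"""
from __future__ import annotations


def glob_match(pattern: str, name: str) -> tuple[bool, int]:
    """Return (matched, steps). `steps` counts loop iterations so a caller
    can confirm the work stays bounded even on star-heavy patterns."""
    px = nx = 0            # current positions in pattern and name
    next_px = next_nx = 0  # where to resume after the most recent '*'
    steps = 0
    while px < len(pattern) or nx < len(name):
        steps += 1
        if px < len(pattern):
            c = pattern[px]
            if c == '?':
                if nx < len(name):
                    px += 1
                    nx += 1
                    continue
            elif c == '*':
                # Let the star match nothing for now; if that fails later,
                # come back here with one more name character consumed.
                next_px = px
                next_nx = nx + 1
                px += 1
                continue
            elif nx < len(name) and name[nx] == c:
                px += 1
                nx += 1
                continue
        # Mismatch: resume at the last '*' if it can still absorb a character.
        if 0 < next_nx <= len(name):
            px = next_px
            nx = next_nx
            continue
        return False, steps
    return True, steps


def bounded(pattern: str, name: str) -> bool:
    """Check that the matcher never exceeds its O(n*m) iteration budget."""
    _, steps = glob_match(pattern, name)
    return steps <= (len(name) + 1) * (len(pattern) + 1)


if __name__ == "__main__":
    # Constructed pathological input: many stars, no possible match.
    print(glob_match("a*a*a*a*a*b", "a" * 100))
```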
Comment 2 Mathieu Arnold freebsd_committer freebsd_triage 2017-06-07 11:58:11 UTC
As a side note, it may seem like this is stalling, but the commit in question has only landed in the blead (devel) version of Perl around 2017-05-31, and not even in 5.26.0.
So, I'm going to wait for something to happen upstream before I commit to any releases.
Comment 3 Mathieu Arnold freebsd_committer freebsd_triage 2017-07-19 14:41:38 UTC
The Perl maintainers do not feel this is a real problem.
They have not added the fix in 5.26.0, and since then, 5.24.2 and 5.22.4 have been released, and they have not added it there either.