GLSA-200711-28 : Perl: Buffer overflow

High Nessus Plugin ID 28267


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-200711-28 (Perl: Buffer overflow)

Tavis Ormandy and Will Drewry (Google Security Team) discovered a heap-based buffer overflow in the Regular Expression engine (regcomp.c) that occurs when switching from byte to Unicode (UTF-8) characters in a regular expression.
Impact :

A remote attacker could either entice a user to compile a specially crafted regular expression or actively compile it in case the script accepts remote input of regular expressions, possibly leading to the execution of arbitrary code with the privileges of the user running Perl.
Workaround :

There is no known workaround at this time.


All Perl users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=dev-lang/perl-5.8.8-r4'

See Also

Plugin Details

Severity: High

ID: 28267

File Name: gentoo_GLSA-200711-28.nasl

Version: $Revision: 1.13 $

Type: local

Published: 2007/11/20

Modified: 2016/04/28

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:ND/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:perl, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2007/11/19

Reference Information

CVE: CVE-2007-5116

OSVDB: 40409

GLSA: 200711-28

CWE: 119