Vigil@nce - Perl: denial of service via Data-Dumper
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who can feed a deeply nested data structure to Perl's
Data::Dumper can trigger a denial of service (crash of the process).
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 25/09/2014
DESCRIPTION OF THE VULNERABILITY
The Perl Data::Dumper module (its Dumper() function) serializes Perl
data structures into Perl source text.
A Perl array can contain a reference to a sub-array, which in turn can
contain a reference to a sub-sub-array, and so on. The DD_dump()
function in the module's XS code walks such nesting with a recursive
call, one C stack frame per level, and imposes no depth limit. A
sufficiently deep structure therefore exhausts the stack, and the
application is killed by a stack overflow instead of returning a string.
An attacker who can get a deeply nested data structure passed to
Data::Dumper, for instance when untrusted input is decoded and then
dumped for logging or debugging, can thus trigger a denial of service.
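The following Perl script is an added example, not code from the
Vigil@nce bulletin or from Data::Dumper itself. It builds the kind of
deeply nested array reference the description refers to and shows a
non-recursive depth check that an application can run before handing
attacker-influenced data to Dumper(). The function names (build_nested,
nesting_depth, safe_dump) and the limit $MAX_DEPTH are assumptions made
for this example; the hostile depth of 200_000 is a constructed value,
and the depth actually needed to crash an unpatched Data::Dumper depends
on the platform's stack size (ulimit -s).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use Scalar::Util qw(reftype refaddr);

# Build an array reference nested $depth levels deep:
#   [ [ [ ... [ 'leaf' ] ... ] ] ]
# Cheap for an attacker to produce (a loop, or decoded input), but the
# XS DD_dump() descends one C stack frame per level when dumping it.
sub build_nested {
    my ($depth) = @_;
    my $node = 'leaf';
    $node = [ $node ] for 1 .. $depth;
    return $node;
}

# Iterative (explicit stack) depth measurement, so that the check itself
# cannot overflow the stack on the very input it is meant to reject.
# Handles array, hash and scalar references; blessed objects are walked
# by their underlying reftype; cycles are counted once.
sub nesting_depth {
    my ($root) = @_;
    my @stack = ([ $root, 1 ]);
    my %seen;
    my $max = 0;
    while (my $item = pop @stack) {
        my ($node, $depth) = @$item;
        my $type = reftype($node) or next;        # plain scalar: not nested
        next if $seen{ refaddr($node) }++;        # already visited (cycle)
        $max = $depth if $depth > $max;
        my @children = $type eq 'ARRAY'                    ? @$node
                     : $type eq 'HASH'                     ? values %$node
                     : ($type eq 'SCALAR' || $type eq 'REF') ? ($$node)
                     :                                        ();
        push @stack, map { [ $_, $depth + 1 ] } grep { ref $_ } @children;
    }
    return $max;
}

# Refuse to dump anything nested deeper than a fixed policy limit.
# $MAX_DEPTH is an assumed value for this example, not from the bulletin.
our $MAX_DEPTH = 500;

sub safe_dump {
    my ($data) = @_;
    my $depth = nesting_depth($data);
    die "refusing to dump: nesting depth $depth exceeds $MAX_DEPTH\n"
        if $depth > $MAX_DEPTH;
    local $Data::Dumper::Indent = 1;
    return Dumper($data);
}

# Benign input: dumped normally.
print safe_dump(build_nested(10));

# Constructed hostile input. Passing it straight to Dumper() on an
# unpatched Data::Dumper is the scenario in the bulletin: DD_dump()
# recurses once per level until the C stack is exhausted and the process
# dies. The guard rejects it before Dumper() ever sees it.
my $hostile = build_nested(200_000);
eval { safe_dump($hostile) };
print "blocked: $@" if $@;
```

The check runs in linear time in the number of references and never
recurses, which is the property that matters when the input is chosen by
the attacker. Newer Data::Dumper releases also carry their own guard,
the $Data::Dumper::Maxrecurse option (default 1000), which makes Dumper()
croak instead of overflowing; check perldoc Data::Dumper on the installed
version to see whether it is available, and keep an application-level
limit like the one above where the module cannot be upgraded.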
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Perl-denial-of-service-via-Data-Dumper-15412