CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
70.0%
Issue Overview:
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. (CVE-2020-10543)
Perl before 5.30.3 has an integer overflow related to mishandling of a “PL_regkind[OP(n)] == NOTHING” situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. (CVE-2020-10878)
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. (CVE-2020-12723)
Affected Packages:
perl
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update perl to update your system.
New Packages:
aarch64:
perl-5.16.3-299.amzn2.0.1.aarch64
perl-libs-5.16.3-299.amzn2.0.1.aarch64
perl-devel-5.16.3-299.amzn2.0.1.aarch64
perl-macros-5.16.3-299.amzn2.0.1.aarch64
perl-tests-5.16.3-299.amzn2.0.1.aarch64
perl-Time-Piece-1.20.1-299.amzn2.0.1.aarch64
perl-core-5.16.3-299.amzn2.0.1.aarch64
perl-debuginfo-5.16.3-299.amzn2.0.1.aarch64
i686:
perl-5.16.3-299.amzn2.0.1.i686
perl-libs-5.16.3-299.amzn2.0.1.i686
perl-devel-5.16.3-299.amzn2.0.1.i686
perl-macros-5.16.3-299.amzn2.0.1.i686
perl-tests-5.16.3-299.amzn2.0.1.i686
perl-Time-Piece-1.20.1-299.amzn2.0.1.i686
perl-core-5.16.3-299.amzn2.0.1.i686
perl-debuginfo-5.16.3-299.amzn2.0.1.i686
noarch:
perl-CPAN-1.9800-299.amzn2.0.1.noarch
perl-ExtUtils-CBuilder-0.28.2.6-299.amzn2.0.1.noarch
perl-ExtUtils-Embed-1.30-299.amzn2.0.1.noarch
perl-ExtUtils-Install-1.58-299.amzn2.0.1.noarch
perl-IO-Zlib-1.10-299.amzn2.0.1.noarch
perl-Locale-Maketext-Simple-0.21-299.amzn2.0.1.noarch
perl-Module-CoreList-2.76.02-299.amzn2.0.1.noarch
perl-Module-Loaded-0.08-299.amzn2.0.1.noarch
perl-Object-Accessor-0.42-299.amzn2.0.1.noarch
perl-Package-Constants-0.02-299.amzn2.0.1.noarch
perl-Pod-Escapes-1.04-299.amzn2.0.1.noarch
src:
perl-5.16.3-299.amzn2.0.1.src
x86_64:
perl-5.16.3-299.amzn2.0.1.x86_64
perl-libs-5.16.3-299.amzn2.0.1.x86_64
perl-devel-5.16.3-299.amzn2.0.1.x86_64
perl-macros-5.16.3-299.amzn2.0.1.x86_64
perl-tests-5.16.3-299.amzn2.0.1.x86_64
perl-Time-Piece-1.20.1-299.amzn2.0.1.x86_64
perl-core-5.16.3-299.amzn2.0.1.x86_64
perl-debuginfo-5.16.3-299.amzn2.0.1.x86_64
Red Hat: CVE-2020-10543, CVE-2020-10878, CVE-2020-12723
Mitre: CVE-2020-10543, CVE-2020-10878, CVE-2020-12723
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | perl | < 5.16.3-299.amzn2.0.1 | perl-5.16.3-299.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | perl-libs | < 5.16.3-299.amzn2.0.1 | perl-libs-5.16.3-299.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | perl-devel | < 5.16.3-299.amzn2.0.1 | perl-devel-5.16.3-299.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | perl-macros | < 5.16.3-299.amzn2.0.1 | perl-macros-5.16.3-299.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | perl-tests | < 5.16.3-299.amzn2.0.1 | perl-tests-5.16.3-299.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | perl-time-piece | < 1.20.1-299.amzn2.0.1 | perl-Time-Piece-1.20.1-299.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | perl-core | < 5.16.3-299.amzn2.0.1 | perl-core-5.16.3-299.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | perl-debuginfo | < 5.16.3-299.amzn2.0.1 | perl-debuginfo-5.16.3-299.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | i686 | perl | < 5.16.3-299.amzn2.0.1 | perl-5.16.3-299.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | i686 | perl-libs | < 5.16.3-299.amzn2.0.1 | perl-libs-5.16.3-299.amzn2.0.1.i686.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
70.0%