Bug 6240 - Perl crashing on extracting URIs from a mail body
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Libraries
Version: 3.3.0
Hardware: All, OS: All
Importance: P5 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Depends on:
Reported: 2009-11-23 07:23 UTC by Mark Martinec
Modified: 2019-07-31 11:56 UTC

Description Mark Martinec 2009-11-23 07:23:05 UTC
Bug 6238 Comment c19:
> Justin Mason 2009-11-19 12:14:20 UTC 
> if it's a separate issue, we should fork off a separate ticket for it,
> to avoid confusion/conflation.

Splitting the perl crash vulnerability out of Bug 6238:
  "DOS vulnerability: perl segfault or CPU pegging"
leaving only the timing issues there.

Warren Togami reported that a sample message attached to Bug 6238
causes perl 5.10.0 to crash, with SA 3.2.5 or 3.3.0.

Seems the perl 5.10.1 is not affected, and neither are 5.8.8 and 5.8.9.

The crash happens while evaluating a regexp $uriRe in 3.2.5,
or its equivalent $tbirdurire in 3.3.0:

Mail::SpamAssassin::PerMsgStatus::_get_parsed_uri_list {

    for (@$textary) {
      # NOTE: do not modify $_ in this loop
      while (/($uriRe)/igo) {        # crash occurs while evaluating this regexp

From Bug 6238 Comment 9:

3. A perl crash, as was reported by Warren Togami. It just happens that
it is triggered by the same sample message as #1. The crash point is
in a completely different part of SpamAssassin code, and it is my belief
#1 and #3 are completely unrelated. The crash happens with Perl 5.10.0
only, it does not happen with 5.10.1 or 5.8.*. As regexp processing was
thoroughly rehashed with perl 5.10, it is my belief the bug was introduced
there with 5.10.0, but is already fixed with 5.10.1. Crawling through
5.10.1 release notes would probably reveal further crash-causing bugs.

As it happens, the crash point in SpamAssassin is the same line as is
also triggering a SA Bug 6225, [perl #69973] bug, although it could be a
coincidence: the [perl #69973] is triggered by applying a non-utf8 regexp
onto a tainted utf8 string, while the #2 issue here happens without any
utf8 or taint flags.
Comment 1 Mark Martinec 2009-11-23 07:43:43 UTC
In view of this bug (crashing perl 5.10.0) and Bug 6225 (crashing 5.10.1),
perhaps it would be worthwhile to rewrite this code section to avoid using
the overly complex regular expression on large chunks of text.
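As an added illustration of the restructuring suggested in Comment 1 (this is example code, not SpamAssassin's own code and not part of the bug thread), the script below bounds the amount of body text handed to the regexp engine in any single match call. The URI pattern `$simple_uri_re`, the caps `$MAX_CHUNK` and `$MAX_URIS`, the helper `chunk_text` and the sample body are all assumptions made up for the example; SpamAssassin's real `$uriRe` / `$tbirdurire` are far more elaborate.

```perl
#!/usr/bin/perl
# Added example (not SpamAssassin code): extract URIs from body text while
# keeping every regexp invocation bounded in input size.
use strict;
use warnings;

# Hypothetical, deliberately simple URI pattern (stand-in for $uriRe).
my $simple_uri_re = qr{\b(?:https?|ftp)://[^\s<>"']+}i;

# Hard caps; the values are assumed, chosen for illustration only.
my $MAX_CHUNK = 4096;   # bytes of text per regexp invocation
my $MAX_URIS  = 1000;   # stop collecting after this many hits

# Split one text element into pieces of at most $max bytes, preferring to
# break at whitespace so a URI is not cut in two where that is possible.
sub chunk_text {
  my ($text, $max) = @_;
  my @chunks;
  while (length($text) > $max) {
    my $cut = rindex($text, ' ', $max);      # last space at or before $max
    $cut = rindex($text, "\n", $max) if $cut <= 0;
    $cut = $max if $cut <= 0;                # no whitespace at all: hard cut
    push @chunks, substr($text, 0, $cut);
    $text = substr($text, $cut);
  }
  push @chunks, $text if length $text;
  return @chunks;
}

# Same loop shape as the crash site, but the regexp only ever sees a chunk.
sub extract_uris {
  my ($textary) = @_;
  my @uris;
  for my $t (@$textary) {
    for my $chunk (chunk_text($t, $MAX_CHUNK)) {
      while ($chunk =~ /($simple_uri_re)/g) {
        push @uris, $1;
        return @uris if @uris >= $MAX_URIS;   # bound the result set too
      }
    }
  }
  return @uris;
}

# Constructed sample body: one ordinary line, then a 20 KB run of filler
# with no whitespace followed by a URI at its end.
my @body = (
  "see http://example.com/a and https://example.net/b?x=1",
  ("x" x 20_000) . " ftp://example.org/file.txt",
);
print "$_\n" for extract_uris(\@body);
```

The point of the chunking is containment rather than a fix for the interpreter bug: a regexp that misbehaves on a particular input still only ever operates on a few kilobytes at a time, so the cost of one bad match is bounded. The trade-off is that a URI longer than the chunk size, or one sitting in a run of text without any whitespace, can be truncated at a chunk boundary; for a spam scanner that is usually an acceptable loss compared with handing an unbounded buffer to the regexp engine.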
Comment 2 Warren Togami 2009-11-23 08:41:46 UTC
> Seems the perl 5.10.1 is not affected, and neither are 5.8.8 and 5.8.9.

This is not fully confirmed yet.  It is possible that this is 5.10.x AND perl debugging enabled.  Switching it off is non-trivial to test because all perl modules must be rebuilt along with perl core, but we are doing so.
Comment 3 Justin Mason 2010-01-27 03:16:39 UTC
reassigning, too
Comment 4 Henrik Krohns 2019-07-31 11:56:58 UTC
Closing old stale bug. Seems fixed and not really relevant for current Perl versions.