CVE-2020-10878

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-10878
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10878.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-10878
Downstream
Related
Published
2020-06-05T14:15:10Z
Modified
2025-10-15T11:24:39.689922Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
Summary
[none]
Details

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

References

Affected packages

Git / github.com/perl/perl5

Affected ranges

Type
GIT
Repo
https://github.com/perl/perl5
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0a320d753fe7fca03df259a4dfd8e641e51edaa8
Fixed
3295b48defa0f8570114877b063fe546dd348b3c

Affected versions

Other

GitLive-blead
perl-5a2
perl-5a9

if-0.*

if-0.0602
if-0.0603
if-0.0604
if-0.0605

perl-1.*

perl-1.0

perl-2.*

perl-2.0

perl-3.*

perl-3.000
perl-3.044

perl-4.*

perl-4.0.00
perl-4.0.36

perl-5.*

perl-5.000
perl-5.000o
perl-5.001
perl-5.001n
perl-5.002
perl-5.002_01
perl-5.003
perl-5.003_01
perl-5.003_02
perl-5.003_03
perl-5.003_04
perl-5.003_05
perl-5.003_07
perl-5.003_08
perl-5.003_09
perl-5.003_10
perl-5.003_11
perl-5.003_12
perl-5.003_13
perl-5.003_14
perl-5.003_15
perl-5.003_16
perl-5.003_17
perl-5.003_18
perl-5.003_19
perl-5.003_20
perl-5.003_21
perl-5.003_22
perl-5.003_23
perl-5.003_24
perl-5.003_25
perl-5.003_26
perl-5.003_27
perl-5.003_28
perl-5.003_90
perl-5.003_91
perl-5.003_92
perl-5.003_93
perl-5.003_94
perl-5.003_95
perl-5.003_96
perl-5.003_97
perl-5.003_97a
perl-5.003_97b
perl-5.003_97c
perl-5.003_97d
perl-5.003_97e
perl-5.003_97f
perl-5.003_97g
perl-5.003_97h
perl-5.003_97i
perl-5.003_97j
perl-5.003_98
perl-5.003_99
perl-5.003_99a
perl-5.004
perl-5.004_01
perl-5.004_02
perl-5.004_03
perl-5.004_04
perl-5.005
perl-5.005_01
perl-5.005_02
perl-5.6.0
perl-5.7.0
perl-5.7.1
perl-5.7.2
perl-5.7.3
perl-5.8.0
perl-5.9.0
perl-5.9.1
perl-5.9.2
perl-5.9.3
perl-5.9.4
perl-5.9.5

v5.*

v5.10.0
v5.11.0
v5.11.1
v5.11.2
v5.11.3
v5.11.4
v5.11.5
v5.12.0
v5.12.0-RC0
v5.12.0-RC1
v5.12.0-RC2
v5.12.0-RC3
v5.12.0-RC4
v5.12.0-RC5
v5.13.0
v5.13.1
v5.13.10
v5.13.11
v5.13.2
v5.13.3
v5.13.4
v5.13.5
v5.13.6
v5.13.7
v5.13.8
v5.13.9
v5.14.0
v5.14.0-RC1
v5.14.0-RC2
v5.14.0-RC3
v5.15.0
v5.15.1
v5.15.2
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16.0
v5.16.0-RC1
v5.16.0-RC2
v5.17.0
v5.17.1
v5.17.10
v5.17.11
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.7.0
v5.17.8
v5.17.9
v5.18.0
v5.18.0-RC1
v5.18.0-RC2
v5.18.0-RC3
v5.18.0-RC4
v5.19.0
v5.19.1
v5.19.10
v5.19.11
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.19.6
v5.19.7
v5.19.8
v5.19.9
v5.20.0
v5.20.0-RC1
v5.21.0
v5.21.1
v5.21.10
v5.21.11
v5.21.2
v5.21.3
v5.21.4
v5.21.5
v5.21.6
v5.21.7
v5.21.8
v5.21.9
v5.22.0
v5.22.0-RC1
v5.22.0-RC2
v5.23.0
v5.23.1
v5.23.2
v5.23.3
v5.23.4
v5.23.5
v5.23.6
v5.23.7
v5.23.8
v5.23.9
v5.24.0
v5.24.0-RC1
v5.24.0-RC2
v5.24.0-RC3
v5.24.0-RC4
v5.24.0-RC5
v5.25.0
v5.25.1
v5.25.10
v5.25.11
v5.25.12
v5.25.2
v5.25.3
v5.25.4
v5.25.5
v5.25.6
v5.25.7
v5.25.8
v5.25.9
v5.26.0
v5.26.0-RC1
v5.26.0-RC2
v5.27.0
v5.27.1
v5.27.10
v5.27.11
v5.27.2
v5.27.3
v5.27.4
v5.27.5
v5.27.6
v5.27.7
v5.27.8
v5.27.9
v5.28.0
v5.28.0-RC1
v5.28.0-RC2
v5.28.0-RC3
v5.28.0-RC4
v5.29.0
v5.29.1
v5.29.10
v5.29.2
v5.29.3
v5.29.4
v5.29.5
v5.29.6
v5.29.7
v5.29.8
v5.29.9
v5.30.0
v5.30.0-RC1
v5.30.0-RC2
v5.30.1
v5.30.1-RC1
v5.30.2
v5.30.2-RC1

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "target": {
            "file": "regcomp.c"
        },
        "deprecated": false,
        "source": "https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "208104537241862015831634570263967234427",
                "109591170869883114777358144374189721285",
                "42157035885487481933578822453596385796",
                "237969083252350185014251097330798889379",
                "45097971996926810749490705492650370133",
                "230966189757621904955279591980719521506",
                "88705216833813009544652802488462210001",
                "56173345468256524049152942639616975726",
                "300773050691948700241669343172250730207",
                "121820201678158919733163831528671585272",
                "310588222029912181777022496131260583560",
                "281244469944256167855163107970183219175",
                "254830404964833400002945178185556661331",
                "223580085282543282527595686443513234487",
                "327152608380150713768016125315165903436",
                "139906220994111558633442498771552722674",
                "336094069936405312381050738761245432689",
                "127430501669018389257824546445626650970",
                "219367538197480082652513924286798074336",
                "298568298838796895977971181804043196548",
                "162798474371039859738863733184015458404",
                "147763636824437493179178872939034505123",
                "120366056670382842213562300168405503265",
                "98292714333485444554882717394695247440",
                "280476054667861016036867082192224374617",
                "270702158668501381413521551564839322307",
                "154834673169728590277918734626009749031",
                "282795605729960764972949036122775751497",
                "48736620628819294166149503231881451329",
                "219206564171465552255387231819258155000",
                "28891289692587006929580919957390536796"
            ]
        },
        "id": "CVE-2020-10878-46330eb7",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "function": "S_study_chunk",
            "file": "regcomp.c"
        },
        "deprecated": false,
        "source": "https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8",
        "digest": {
            "function_hash": "8524261638944156246531292791513314139",
            "length": 39571.0
        },
        "id": "CVE-2020-10878-a23aab87",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "proto.h"
        },
        "deprecated": false,
        "source": "https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "266707645065597100250598232329532688965",
                "318833503918020161080704189708195538048",
                "300315180498650684150983846777006318956",
                "94467647870240928604985091390006031359"
            ]
        },
        "id": "CVE-2020-10878-a3007ae4",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "regcomp.c"
        },
        "deprecated": false,
        "source": "https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "3840977799240975092823894552098954302",
                "15398398186972486692698487670236188008",
                "317332006618180849538479490202505779090",
                "211605267963493101098760161537409340653"
            ]
        },
        "id": "CVE-2020-10878-a4469696",
        "signature_version": "v1"
    }
]