CVE in Perl

Friday, Apr 11, 2025 | Tags: perl




1. What’s CVE?

2. Key Features

3. How CVE works?

4. Why CVE matters?

5. How to audit?

6. Why recreate CVEs?

7. Known CVEs

8. Recreate CVEs

9. Further Sources



What’s CVE?



CVE stands for Common Vulnerabilities and Exposures.

It is a publicly available dictionary of known cybersecurity vulnerabilities and exposures.

It provides a standardised way to identify and track security issues in software and hardware systems.


Key Features



1. Unique Identifier  : Each vulnerability is assigned a unique CVE ID.
2. Standardised Naming: Helps security professionals share information consistently.
3. Publicly Accessible: Managed by MITRE.

How CVE works?



The Common Vulnerabilities and Exposures (CVE) Program is responsible for assigning CVE IDs to vulnerabilities.

A researcher reports a vulnerability to the appropriate CNA (e.g. Microsoft for Windows flaws, Google for Android issues).

The CNA assigns a CVE ID (e.g. CVE-2025-12345) and publishes the details in the CVE List (managed by MITRE).

The National Vulnerability Database (NVD, run by NIST) then enriches these entries with severity scores (CVSS) and additional metadata.

Here is the list of partners, the CVE Numbering Authorities (CNAs).


Why CVE matters?



1. Helps organisations track and patch vulnerabilities.
2. Enables automated security tools to check for known issues.
3. Provides a common language for discussing security risks.

Perl has had several CVEs over the years, affecting different versions and modules.


How to audit?



You can use the CPAN module CPAN::Audit to scan installed modules for known CVEs.


$ cpanm -vS CPAN::Audit
$ cpan-audit --version
/usr/local/bin/cpan-audit version 1.503 using:
        CPAN::Audit      20250115.001
        CPAN::Audit::DB  <not installed>
        CPANSA::DB       20250407.003

Commonly used commands:


To audit all installed modules   : cpan-audit installed
To audit a particular module     : cpan-audit module Data::Dumper
To get the result in JSON format : cpan-audit module Data::Dumper --json

There is another CPAN module, App::cpanoutdated, that can help find outdated modules.


$ cpanm -vS App::cpanoutdated
$ cpan-outdated -h
Usage:
        # print a list of distributions that contain outdated modules
        % cpan-outdated

        # print a list of outdated modules in packages
        % cpan-outdated -p

        # verbose
        % cpan-outdated --verbose

        # ignore core modules (do not update dual life modules)
        % cpan-outdated --exclude-core

        # alternate mirrors
        % cpan-outdated --mirror file:///home/user/minicpan/

        # additional module path(same as cpanminus)
        % cpan-outdated -l extlib/
        % cpan-outdated -L extlib/

        # install with cpan
        % cpan-outdated | xargs cpan -i

        # install with cpanm
        % cpan-outdated    | cpanm
        % cpan-outdated -p | cpanm

Why recreate CVEs?



- Understand how vulnerabilities work.
- Test if your systems are patched.
- Learn secure coding practices.

Known CVEs



CVE-2018-18311

Vulnerability     : Integer overflow in Perl_my_setenv() leading to heap corruption.
Affected Versions : Perl 5.26.2 and earlier.
Impact            : Possible denial-of-service (DoS) or arbitrary code execution.
Patch             : Fixed in Perl 5.26.3+.

CVE-2023-31486

Vulnerability     : Heap-based buffer overflow in Perl_pp_reverse function.
Affected Versions : Perl 5.32.1 and earlier.
Impact            : Could lead to crashes or potential RCE (Remote Code Execution).
Patch             : Fixed in Perl 5.32.2+.

CVE-2023-47038

Vulnerability     : Buffer overflow in Perl’s unpack function.
Affected Versions : Perl 5.34.0 and earlier.
Impact            : Could allow arbitrary code execution.
Patch             : Fixed in Perl 5.34.1+.

Recreate CVEs



Let’s create a configuration file for docker-compose:


$ cat docker-compose.yml
version: '3.8'

services:
  cve-2018-18311:
    container_name: cve-2018-18311
    image: perl:5.26.2
    command:
      - perl
      - -e
      - |
        $$ENV{PERL_POC} = "A" x (2**31 - 1);
        print "If you see this, Perl didn't crash!!\n";
    deploy:
      resources:
        limits:
          memory: 2G

  cve-2023-31486:
    container_name: cve-2023-31486
    image: perl:5.32.1
    command:
      - perl
      - -e
      - |
        my @arr = (1..1_000_000_000);
        @arr = reverse @arr;
        print "If you see this, Perl didn't crash!!\n";
    deploy:
      resources:
        limits:
          memory: 2G

  cve-2023-47038:
    container_name: cve-2023-47038
    image: perl:5.34.0
    command:
      - perl
      - -e
      - |
        my $$data = "A" x (2**31);
        my @unpacked = unpack("Z*", $$data);
        print "If you see this, Perl didn't crash!!\n";
    deploy:
      resources:
        limits:
          memory: 2G

Time to build the containers and re-create the known CVEs:


$ docker-compose run --rm cve-2018-18311
Creating perl-cve_cve-2018-18311_run ... done
ERROR: 137
$ docker-compose run --rm cve-2023-31486
Creating perl-cve_cve-2023-31486_run ... done
ERROR: 137
$ docker-compose run --rm cve-2023-47038
Creating perl-cve_cve-2023-47038_run ... done
ERROR: 137

In Linux, when a process is terminated by a signal, its exit code is computed as:


Exit Code = Signal Number + 128

We all know SIGKILL corresponds to signal number 9.

Therefore:


137 = 9 (SIGKILL) + 128
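The same rule applied in the other direction, as an added example that is not part of the original post: a small POSIX sh script that turns a container's exit status back into the signal that ended it, and says what each status most likely means for a PoC run like the ones above. It assumes the shell's `kill -l <number>` prints the signal name without the SIG prefix (bash, dash and busybox sh all do); the explanation strings are constructed wording, not Docker output.

```shell
#!/bin/sh
# Added example, not from the original post: decode an exit status with
#   exit code = signal number + 128
# Assumption: `kill -l <number>` prints the bare signal name (KILL, SEGV, ...).

# signal_of_status STATUS -> prints e.g. "SIGKILL", or "exit N" for a
# status of 128 or below (a normal exit, no signal involved).
signal_of_status() {
    status="$1"
    if [ "$status" -gt 128 ]; then
        printf 'SIG%s\n' "$(kill -l "$((status - 128))")"
    else
        printf 'exit %s\n' "$status"
    fi
}

# explain_status STATUS -> one line on what the status tells you about the run.
# 137 (SIGKILL) is what the kernel's OOM killer sends when a cgroup memory
# limit such as the 2G above is hit; a memory-corruption bug in the
# interpreter itself normally shows up as 139 (SIGSEGV) or 134 (SIGABRT).
explain_status() {
    case "$(signal_of_status "$1")" in
        SIGKILL)  echo "killed by SIGKILL: typical of the container memory limit (OOM kill), not of a Perl crash" ;;
        SIGSEGV)  echo "segmentation fault: the interpreter itself crashed, which is what a memory-corruption bug looks like" ;;
        SIGABRT)  echo "aborted: a failed assertion or allocator check inside perl" ;;
        "exit 0") echo "clean exit: the script finished, the bug was not triggered" ;;
        *)        signal_of_status "$1" ;;
    esac
}

# Walk through the statuses one is likely to see from docker-compose run.
for s in 0 137 139 134; do
    printf '%3s -> %s\n' "$s" "$(explain_status "$s")"
done
```

Because `docker-compose run --rm` deletes the container afterwards, the cause of a 137 cannot be checked after the fact; running the service without `--rm` and then asking `docker inspect -f '{{.State.OOMKilled}} {{.State.ExitCode}}' cve-2018-18311` (the container_name from the compose file) shows whether the kernel's OOM killer was responsible. An OOMKilled of true means the PoC exhausted the 2G limit before reaching the vulnerable code path, so the run says nothing about whether the image is patched; a 139 with OOMKilled false is the outcome that actually reproduces a crash.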

Further Sources



The perldoc on security is available to the public.

Issues with Label: Security.

Issues with Label: Segfault.

The National Vulnerability Database search gave this result for Perl.

The Open Source Vulnerabilities (OSV) database has this list for Perl.




Happy Hacking !!!
