Text::CSV_XS Use-After-Free Vulnerability in Perl
Vulnerability
A use-after-free vulnerability has been identified in Text::CSV_XS versions prior to 1.62 for Perl. This issue arises when registered callbacks extend the Perl argument stack, potentially leading to type confusion or memory corruption. The vulnerability is triggered in the Parse, print, getline, and getline_all methods, which invoke registered callbacks and cache the Perl argument stack pointer. If a callback extends the argument stack enough to cause a reallocation, the return value is written through a stale pointer into a freed buffer. As a result, the caller reads the original $self argument as the return value, causing logic errors or crashes. This vulnerability does not affect Text::CSV_XS objects used without any registered callbacks.
Impact
Exploitation of this vulnerability can lead to logic errors or crashes in the application.
Reproduction
The vulnerability can be reproduced by using a Text::CSV_XS object and registering a callback that extends the argument stack, such as one that returns a reference to a scalar or an undefined value. The 'after_parse' and 'before_print' callbacks are examples of where this can be done. When the affected method is then called, the use-after-free condition is triggered.
Remediation
Users are advised to update to Text::CSV_XS version 1.62 or later, where this vulnerability has been fixed.
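A triage check for the two conditions the advisory names, an installed version below 1.62 and registered callbacks, as an added example that is not part of the original advisory or the Text::CSV_XS project. The script name, the scanned file extensions and the regex heuristic are assumptions.

```perl
#!/usr/bin/env perl
# Added triage example; not code from the advisory or from Text::CSV_XS.
# Usage: perl csv_xs_triage.pl [dir ...]   (script name is an assumption)
use strict;
use warnings;
use version;
use File::Find;

my $FIXED = version->parse('1.62');    # first fixed release per the advisory

# Installed Text::CSV_XS version as a version object, or undef if it cannot be loaded.
sub installed_version {
    return eval { require Text::CSV_XS; version->parse(Text::CSV_XS->VERSION) };
}

# Line numbers in $src that register callbacks, only if the file uses Text::CSV_XS.
# Heuristic: matches the "callbacks" attribute and the two hooks the advisory names.
sub callback_lines {
    my ($src) = @_;
    return () unless $src =~ /\bText::CSV_XS\b/;
    my ($n, @hits) = (0);
    for my $line (split /\n/, $src) {
        $n++;
        next if $line =~ /^\s*#/;                      # skip comment-only lines
        push @hits, $n if $line =~ /\b(?:callbacks|after_parse|before_print)\b/;
    }
    return @hits;
}

my $v = installed_version();
my $vulnerable = defined $v && $v < $FIXED;
printf "Text::CSV_XS: %s\n",
    !defined $v ? 'not installed or not loadable'
  : $vulnerable ? "$v (affected, upgrade to $FIXED or later)"
  :               "$v (fixed)";

my $exposed = 0;
find({ no_chdir => 1, wanted => sub {
    return unless -f $_ && $_ =~ /\.(?:pl|pm|t|cgi)\z/;   # assumed Perl source extensions
    open my $fh, '<', $_ or return;
    my $src = do { local $/; <$fh> };                     # slurp the whole file
    for my $ln (callback_lines($src)) {
        printf "%s:%d registers a Text::CSV_XS callback\n", $_, $ln;
        $exposed++;
    }
}}, @ARGV ? @ARGV : '.');

# Exit 1 only when both conditions hold: affected version and callbacks in use.
exit($vulnerable && $exposed ? 1 : 0);
```

Run it with the interpreter that the application itself uses, since each Perl installation can carry its own copy of the module.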
