Bug#: 228091
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
  libpcre-7.7-r1.ebuild (text/plain, 1.36 KB) -- Peter Alfredsen, 2008-06-18 15:24
  libpcre-7.7-buffer-overflow.patch (patch, 636 bytes) -- Peter Alfredsen, 2008-06-18 15:25

Bug 228091 depends on:
Bug 228091 blocks: 230039

Description:   Opened: 2008-06-18 14:17 0000
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tavis Ormandy writes:

The problem is that when an option is specified at the start of a
pattern, to avoid compiling it unnecessarily into the bytecode it's
passed back up to the caller as if it was specified via pcre_compile()
options, i.e. /(?i)a|b/ == /a|b/i, and as the latter is somewhat easier
to handle, they're made equivalent. This usually works, but when a
pattern contains multiple branches, the new option is accidentally passed
back too far, so when there are multiple branches, only the first gets the
new flag; however, on the second compile pass the new flag is always
set, resulting in a mismatch between the size-calculation pass and the
actual compilation pass. The result is pcre overflowing a heap buffer.

 --- pcre_compile.c~     2008-06-12 16:55:22.860930000 +0200
 +++ pcre_compile.c      2008-06-12 16:54:53.647168000 +0200
 @@ -4931,7 +4931,7 @@
                (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
             {
             cd->external_options = newoptions;
 +            options = *optionsptr = newoptions;
 -            options = newoptions;
             }
          else
             {
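
Review bot: the `+` line precedes the `-` line and the `---` (old) file carries a later timestamp (16:55:22) than the `+++` (new) file (16:54:53), so this hunk was either hand-edited or generated with old and new swapped; confirm the direction with `patch --dry-run` before wrapping it in the ebuild. The intended change, per the description, is the `+` line `options = *optionsptr = newoptions;`, which writes the hoisted option back through `optionsptr` so the caller's copy of the options, and not only the local `options`, sees it on the first pass; a reversed application would silently re-introduce the `-` behaviour.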

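What the description calls a mismatch between the size-calculation pass and the actual compilation pass can be shown with a small model. The following C program is an added example, not PCRE's code and not part of the bug report; its pattern syntax (letters, `|` between branches, an optional leading `(?i)`), its per-letter sizes and its `compile_data`/`optionsptr` plumbing are deliberately simplified stand-ins for PCRE's. `fixed = 0` keeps a leading option local to the first branch in pass 1 (the `-` line in the hunk), `fixed = 1` reports it back to the caller (the `+` line); the pass-2 writer here checks its bounds, so the disagreement is reported as an error instead of corrupting the heap.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPT_CASELESS 1   /* the only option this model knows (assumption) */

/* Stand-in for PCRE's compile_data: an option hoisted out of the pattern in
 * pass 1 is remembered here and becomes the starting option set of pass 2. */
struct compile_data { int external_options; };

struct result {
    size_t pass1;   /* bytes pass 1 said the compiled pattern needs      */
    size_t pass2;   /* bytes pass 2 actually wrote before stopping        */
    int overflow;   /* 1 if pass 2 wanted to write past the pass-1 size   */
};

/* Compile one branch of plain letters. A caseless letter emits both cases
 * (2 bytes); a case-sensitive letter emits 1. With code == NULL this is
 * pass 1 and only counts; otherwise it writes, refusing to go past
 * `remaining` (the guard that turns the real heap overflow into an error). */
static size_t compile_branch(const char *b, size_t len, int options,
                             unsigned char *code, size_t remaining, int *overflow)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int caseless = options & OPT_CASELESS;
        size_t cost = caseless ? 2 : 1;
        if (code != NULL) {
            if (n + cost > remaining) { *overflow = 1; return n; }
            code[n] = (unsigned char)tolower((unsigned char)b[i]);
            if (caseless) code[n + 1] = (unsigned char)toupper((unsigned char)b[i]);
        }
        n += cost;
    }
    return n;
}

/* Compile all '|'-separated branches. options_ptr plays the part of PCRE's
 * optionsptr: the only channel through which an option found inside the
 * pattern can reach the loop that compiles the remaining branches. */
static size_t compile_regex(const char *pattern, int *options_ptr,
                            struct compile_data *cd, unsigned char *code,
                            size_t limit, int fixed, int *overflow)
{
    size_t total = 0;
    int options = *options_ptr;
    const char *p = pattern;
    int at_start = 1;

    for (;;) {
        const char *bar = strchr(p, '|');
        size_t len = bar ? (size_t)(bar - p) : strlen(p);
        int branch_options = options;

        if (at_start && len >= 4 && strncmp(p, "(?i)", 4) == 0) {
            int newoptions = branch_options | OPT_CASELESS;
            if (code == NULL) cd->external_options = newoptions; /* hoisted for pass 2 */
            if (fixed) options = *options_ptr = newoptions;      /* fix: caller sees it */
            branch_options = newoptions;                         /* this branch only */
            p += 4;
            len -= 4;
        }
        at_start = 0;

        total += compile_branch(p, len, branch_options,
                                code ? code + total : NULL,
                                code ? limit - total : 0, overflow);
        if (*overflow || bar == NULL) break;
        p = bar + 1;
    }
    return total;
}

/* Run both passes the way the real compiler does: measure, allocate exactly
 * that much, then compile into it starting from the hoisted options. */
struct result two_pass_compile(const char *pattern, int fixed)
{
    struct result r = {0, 0, 0};
    struct compile_data cd = {0};
    int options = 0;

    r.pass1 = compile_regex(pattern, &options, &cd, NULL, 0, fixed, &r.overflow);

    unsigned char *code = malloc(r.pass1 ? r.pass1 : 1);
    if (code == NULL) { r.overflow = -1; return r; }
    options = cd.external_options;   /* pass 2 starts from the hoisted options */
    r.pass2 = compile_regex(pattern, &options, &cd, code, r.pass1, fixed, &r.overflow);
    free(code);
    return r;
}

int main(void)
{
    const char *patterns[] = { "(?i)a|b", "(?i)ab", "a|b" };   /* constructed inputs */
    for (int fixed = 0; fixed <= 1; fixed++)
        for (size_t i = 0; i < 3; i++) {
            struct result r = two_pass_compile(patterns[i], fixed);
            printf("%-6s %-8s pass1=%zu pass2=%zu %s\n", fixed ? "fixed" : "buggy",
                   patterns[i], r.pass1, r.pass2,
                   r.overflow ? "MISMATCH: pass 2 would overrun the buffer" : "ok");
        }
    return 0;
}
```

Only the multi-branch pattern with a leading option produces a mismatch, and only with `fixed = 0`: pass 1 budgets 3 bytes, pass 2 starts from the hoisted option and wants 4. In the real compiler nothing stops pass 2 at the pass-1 boundary, which is the heap overflow the report describes; the bounds check in `compile_branch` is what an invariant check between the two passes would look like.
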
------- Comment #1 From Robert Buchholz 2008-06-18 14:21:28 0000 -------
Adding Peter as he is maintaining this package now, sorry for the spam.

Peter, please prepare an ebuild including the patch and attach it to this bug.
Do not commit anything to CVS. We will do prestable testing on this bug.

------- Comment #2 From Peter Alfredsen 2008-06-18 15:24:09 0000 -------
Created an attachment (id=157447) [edit]
libpcre-7.7-r1.ebuild

Ebuild for patch. Compiles, passes tests.

------- Comment #3 From Peter Alfredsen 2008-06-18 15:25:10 0000 -------
Created an attachment (id=157449) [edit]
libpcre-7.7-buffer-overflow.patch

Patch as used in ebuild.

------- Comment #4 From Robert Buchholz 2008-06-18 15:58:51 0000 -------
Do you want the 7.7 branch to go stable via this bug?

------- Comment #5 From Peter Alfredsen 2008-06-18 16:06:56 0000 -------
(In reply to comment #4)
> Do you want the 7.7 branch to go stable via this bug?
> 

Yes:
7.7 is mainly a bug-fix release.
No new bugs have been filed since bump.
A bug would have been filed in 8 days anyway.

------- Comment #6 From Robert Buchholz 2008-06-18 17:25:23 0000 -------
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh
sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

------- Comment #7 From Jose Luis Rivero (yoswink) 2008-06-18 23:36:38 0000 -------
Report on alpha:
 - compiles fine
 - tests passed
 - grep built ok with pcre support

Green light.

------- Comment #8 From Jeroen Roovers 2008-06-19 04:02:16 0000 -------
OK for HPPA.

------- Comment #9 From Markus Rothe 2008-06-19 05:39:20 0000 -------
looks good on ppc64

------- Comment #10 From Peter Weller 2008-06-19 12:24:53 0000 -------
Good to go on amd64.

------- Comment #11 From Raúl Porcel 2008-06-19 12:59:40 0000 -------
Looks fine on ia64/sparc/x86

------- Comment #12 From Christian Faulhammer 2008-06-19 13:04:41 0000 -------
(In reply to comment #11)
> Looks fine on ia64/sparc/x86

 And as I know that Raul is a complete failure, I checked x86, too.  Built
about 40 reverse deps and they seem to work all fine.  So Raul is right by
accident. :)

------- Comment #13 From Tobias Scherbaum 2008-06-26 20:44:53 0000 -------
looks good on ppc

------- Comment #14 From Robert Buchholz 2008-06-30 20:51:55 0000 -------
Lifting embargo, Peter please commit straight to stable for the arches that
tested.

------- Comment #15 From Peter Alfredsen 2008-06-30 21:19:07 0000 -------
Ebuild in tree.

------- Comment #16 From Robert Buchholz 2008-06-30 21:20:56 0000 -------
=dev-libs/libpcre-7.7-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm m68k s390 sh"

------- Comment #17 From Robert Buchholz 2008-07-07 20:34:06 0000 -------
Rerating A1 due to possible remote exploitation vector.

------- Comment #18 From Robert Buchholz 2008-07-07 20:35:43 0000 -------
GLSA 200807-03

------- Comment #19 From Robert Buchholz 2008-07-18 03:02:04 0000 -------
Upstream committed a different patch, see
http://vcs.pcre.org/viewvc?view=rev&revision=360
