228091 CVE-2008-2371 2008-06-18 14:17 0000 dev-libs/libpcre <7.7-r1 pcre_compile.c Heap-based buffer overflow (CVE-2008-2371) 2008-07-18 03:02:04 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A1 [glsa] P2 critical --- 230039 1 rbu@gentoo.org security@gentoo.org arm@gentoo.org loki_val@gentoo.org m68k@gentoo.org s390@gentoo.org sh@gentoo.org rbu@gentoo.org 2008-06-18 14:17:24 0000 ** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Tavis Ormandy writes: The problem is that when an option is specified at the start of a pattern, to avoid compiling it unnecessarily into the bytecode it's passed back up to the caller as if it was specified via pcre_compile() options, i.e. /(?i)a|b/ == /a|b/i, and as the latter is somewhat easier to handle, they're made equivalent. This usually works, but when a pattern contains multiple branches, the new option is accidentally passed back too far, so when there are multiple branches, only the first gets the new flag, however on the second compile pass the new flag is always set, resulting in a mismatch between the size-calculation pass and the actual compilation pass. The result is pcre overflowing a heap buffer. --- pcre_compile.c~ 2008-06-12 16:55:22.860930000 +0200 +++ pcre_compile.c 2008-06-12 16:54:53.647168000 +0200 @@ -4931,7 +4931,7 @@ (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE)) { cd->external_options = newoptions; + options = *optionsptr = newoptions; - options = newoptions; } else { rbu@gentoo.org 2008-06-18 14:21:28 0000 Adding Peter as he is maintaining this package now, sorry for the spam. Peter, please prepare an ebuild including the patch and attach it to this bug. Do not commit anything to CVS. We will do prestable testing on this bug. loki_val@gentoo.org 2008-06-18 15:24:09 0000 Created an attachment (id=157447) libpcre-7.7-r1.ebuild Ebuild for patch. Compiles, passes tests. loki_val@gentoo.org 2008-06-18 15:25:10 0000 Created an attachment (id=157449) libpcre-7.7-buffer-overflow.patch Patch as used in ebuild. rbu@gentoo.org 2008-06-18 15:58:51 0000 Do you want the 7.7 branch to go stable via this bug? loki_val@gentoo.org 2008-06-18 16:06:56 0000 (In reply to comment #4) > Do you want the 7.7 branch to go stable via this bug? > Yes: 7.7 is mainly a bug-fix release. No new bugs have been filed since bump. A bug would have been filed in 8 days anyway. rbu@gentoo.org 2008-06-18 17:25:23 0000 Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair release : pva sparc : fmccor x86 : opfer yoswink@gentoo.org 2008-06-18 23:36:38 0000 Report on alpha: - compiles fine - tests passed - grep built ok with prce support Green light. jer@gentoo.org 2008-06-19 04:02:16 0000 OK for HPPA. corsair@gentoo.org 2008-06-19 05:39:20 0000 looks good on ppc64 welp@gentoo.org 2008-06-19 12:24:53 0000 Good to go on amd64. armin76@gentoo.org 2008-06-19 12:59:40 0000 Looks fine on ia64/sparc/x86 fauli@gentoo.org 2008-06-19 13:04:41 0000 (In reply to comment #11) > Looks fine on ia64/sparc/x86 And as I know that Raul is a complete failure, I checked x86, too. Built about 40 reverse deps and they seem to work all fine. So Raul is right by accident. :) dertobi123@gentoo.org 2008-06-26 20:44:53 0000 looks good on ppc rbu@gentoo.org 2008-06-30 20:51:55 0000 Lifting embargo, Peter please commit straight to stable for the arches that tested. loki_val@gentoo.org 2008-06-30 21:19:07 0000 Ebuild in tree. rbu@gentoo.org 2008-06-30 21:20:56 0000 =dev-libs/libpcre-7.7-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86" Missing keywords: "arm m68k s390 sh" rbu@gentoo.org 2008-07-07 20:34:06 0000 Rerating A1 due to possible remote exploitation vector. rbu@gentoo.org 2008-07-07 20:35:43 0000 GLSA 200807-03 rbu@gentoo.org 2008-07-18 03:02:04 0000 Upstream committed a different patch, see http://vcs.pcre.org/viewvc?view=rev&revision=360 157447 2008-06-18 15:24 0000 libpcre-7.7-r1.ebuild libpcre-7.7-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA4IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2Rldi1saWJzL2xpYnBjcmUvbGlicGNyZS03Ljcu ZWJ1aWxkLHYgMS4xIDIwMDgvMDUvMjYgMTQ6MTY6MjQgbG9raV92YWwgRXhwICQKCkVBUEk9MQoK aW5oZXJpdCBsaWJ0b29sIGV1dGlscwoKTVlfUD0icGNyZS0ke1BWfSIKCkRFU0NSSVBUSU9OPSJQ ZXJsLWNvbXBhdGlibGUgcmVndWxhciBleHByZXNzaW9uIGxpYnJhcnkiCkhPTUVQQUdFPSJodHRw Oi8vd3d3LnBjcmUub3JnLyIKU1JDX1VSST0iZnRwOi8vZnRwLmNzeC5jYW0uYWMudWsvcHViL3Nv ZnR3YXJlL3Byb2dyYW1taW5nL3BjcmUvJHtNWV9QfS50YXIuYnoyIgoKTElDRU5TRT0iQlNEIgpT TE9UPSIzIgpLRVlXT1JEUz0ifmFscGhhIH5hbWQ2NCB+YXJtIH5ocHBhIH5pYTY0IH5tNjhrIH5t aXBzIH5wcGMgfnBwYzY0IH5zMzkwIH5zaCB+c3BhcmMgfnNwYXJjLWZic2Qgfng4NiB+eDg2LWZi c2QiCklVU0U9ImJ6aXAyICtjeHggZG9jIHVuaWNvZGUgemxpYiIKCkRFUEVORD0iZGV2LXV0aWwv cGtnY29uZmlnIgpSREVQRU5EPSIiCgpTPSR7V09SS0RJUn0vJHtNWV9QfQoKc3JjX3VucGFjaygp IHsKCXVucGFjayAke0F9CgljZCAiJHtTfSIKCWVwYXRjaCAiJHtGSUxFU0RJUn0iLyR7UH0tYnVm ZmVyLW92ZXJmbG93LnBhdGNoCgllbGlidG9vbGl6ZQp9CgpzcmNfY29tcGlsZSgpIHsKCSMgRW5h YmxlIGJ1aWxkaW5nIG9mIHN0YXRpYyBsaWJzIHRvbyAtIGdyZXAgYW5kIG90aGVycwoJIyBkZXBl bmQgb24gdGhlbSBiZWluZyBidWlsdDogYnVnIDE2NDA5OQoJZWNvbmYgLS13aXRoLW1hdGNoLWxp bWl0LXJlY3Vyc2lvbj04MTkyIFwKCQkkKHVzZV9lbmFibGUgdW5pY29kZSB1dGY4KSAkKHVzZV9l bmFibGUgdW5pY29kZSB1bmljb2RlLXByb3BlcnRpZXMpIFwKCQkkKHVzZV9lbmFibGUgY3h4IGNw cCkgXAoJCSQodXNlX2VuYWJsZSB6bGliIHBjcmVncmVwLWxpYnopIFwKCQkkKHVzZV9lbmFibGUg YnppcDIgcGNyZWdyZXAtbGliYnoyKSBcCgkJLS1lbmFibGUtc3RhdGljIFwKCQktLWh0bWxkaXI9 L3Vzci9zaGFyZS9kb2MvJHtQRn0vaHRtbCBcCgkJLS1kb2NkaXI9L3Vzci9zaGFyZS9kb2MvJHtQ Rn0gXAoJCXx8IGRpZSAiZWNvbmYgZmFpbGVkIgoJZW1ha2UgYWxsIHx8IGRpZSAiZW1ha2UgZmFp bGVkIgp9CgpzcmNfaW5zdGFsbCgpIHsKCWVtYWtlIERFU1RESVI9IiR7RH0iIGluc3RhbGwgfHwg ZGllICJtYWtlIGluc3RhbGwgZmFpbGVkIgoKCWRvZG9jIGRvYy8qLnR4dCBBVVRIT1JTCgl1c2Ug ZG9jICYmIGRvaHRtbCBkb2MvaHRtbC8qCn0K 157449 2008-06-18 15:25 0000 libpcre-7.7-buffer-overflow.patch libpcre-7.7-buffer-overflow.patch text/plain ZGlmZiAtTnJVNSBwY3JlLTcuNy5vcmlnL3BjcmVfY29tcGlsZS5jIHBjcmUtNy43L3BjcmVfY29t cGlsZS5jCi0tLSBwY3JlLTcuNy5vcmlnL3BjcmVfY29tcGlsZS5jCTIwMDgtMDYtMTggMTc6MDg6 NDkuMDAwMDAwMDAwICswMjAwCisrKyBwY3JlLTcuNy9wY3JlX2NvbXBpbGUuYwkyMDA4LTA2LTE4 IDE3OjExOjA0LjAwMDAwMDAwMCArMDIwMApAQCAtNDkyOSwxMSArNDkyOSwxMSBAQAogICAgICAg ICAgIHsKICAgICAgICAgICBpZiAoY29kZSA9PSBjZC0+c3RhcnRfY29kZSArIDEgKyBMSU5LX1NJ WkUgJiYKICAgICAgICAgICAgICAgIChsZW5ndGhwdHIgPT0gTlVMTCB8fCAqbGVuZ3RocHRyID09 IDIgKyAyKkxJTktfU0laRSkpCiAgICAgICAgICAgICB7CiAgICAgICAgICAgICBjZC0+ZXh0ZXJu YWxfb3B0aW9ucyA9IG5ld29wdGlvbnM7Ci0gICAgICAgICAgICBvcHRpb25zID0gbmV3b3B0aW9u czsKKyAgICAgICAgICAgIG9wdGlvbnMgPSAqb3B0aW9uc3B0ciA9IG5ld29wdGlvbnM7CiAgICAg ICAgICAgICB9CiAgICAgICAgICBlbHNlCiAgICAgICAgICAgICB7CiAgICAgICAgICAgICBpZiAo KG9wdGlvbnMgJiBQQ1JFX0lNUykgIT0gKG5ld29wdGlvbnMgJiBQQ1JFX0lNUykpCiAgICAgICAg ICAgICAgIHsK