Bug 553300 (CVE-2015-5073) - <dev-libs/libpcre-8.38: Heap Overflow Vulnerability in find_fixedlength() (CVE-2015-{5073,8380,8381,8383,8384,8385,8386,8387,8388,8389,8390,8391,8392,8393,8394,8395})
Summary: <dev-libs/libpcre-8.38: Heap Overflow Vulnerability in find_fixedlength() (CV...
Status: RESOLVED FIXED
Alias: CVE-2015-5073
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-3210
Reported: 2015-06-26 09:22 UTC by Agostino Sarubbo
Modified: 2016-07-09 02:11 UTC (History)
5 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2015-06-26 09:22:37 UTC
From ${URL} :


The PCRE library is prone to a vulnerability which leads to a heap overflow.
During subpattern calculation of a malformed regular expression, an offset
that is used as an array index is fully controlled and can be large enough
that unexpected heap memory regions are accessed.
One could at least exploit this issue to read nearby objects in the
affected application's memory.
Such information disclosure may also be used to bypass memory protection
methods such as ASLR.

Reference:
https://bugs.exim.org/show_bug.cgi?id=1651



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
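The fix for this bug is the bump to dev-libs/libpcre-8.38, so the practical check on a system is whether the installed libpcre is at or above that version. The script below is an added example, not part of the bug report or of the libpcre ebuild: it compares a version string (from the `pcre-config --version` script that PCRE installs, from `qlist -Iv dev-libs/libpcre`, or from a command-line argument) against 8.38, stripping a Gentoo `-rN` ebuild revision first because the upstream version is what carries the fix. The `FIXED_PCRE_VERSION` name and the exit-code convention (0 fixed, 1 vulnerable, 2 unknown) are this example's own choices.

```shell
#!/bin/sh
# Added example: check an installed libpcre version against the first
# version that contains the fixes tracked in this bug (8.38).
# Assumptions: version strings look like "8.37", "8.38" or "8.38-r1";
# anything else is reported as unknown (exit status 2).

FIXED_PCRE_VERSION="8.38"

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
# A Gentoo "-rN" revision suffix is stripped because ebuild revisions do not
# change the upstream code the CVEs are about.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/-r[0-9]*$//')
    b=$(printf '%s' "$2" | sed 's/-r[0-9]*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        # leading numeric component of each side; a missing one counts as 0
        ah=${a%%.*}; bh=${b%%.*}
        [ -n "$ah" ] || ah=0
        [ -n "$bh" ] || bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
        # drop the component just compared
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# pcre_version_is_fixed VERSION: exit 0 if VERSION >= 8.38, 1 if older,
# 2 if the string is not a version we understand.
pcre_version_is_fixed() {
    v=$(printf '%s' "$1" | sed 's/-r[0-9]*$//')
    case $v in
        ''|*[!0-9.]*|.*|*.) return 2 ;;
    esac
    [ "$(vercmp "$v" "$FIXED_PCRE_VERSION")" -ge 0 ]
}

main() {
    # Version from the argument, else from pcre-config (installed by libpcre).
    # On Gentoo, "qlist -Iv dev-libs/libpcre" shows the same information.
    v=${1:-$(pcre-config --version 2>/dev/null)}
    pcre_version_is_fixed "$v"; rc=$?
    case $rc in
        0) printf 'libpcre %s: at or above %s, fixed\n' "$v" "$FIXED_PCRE_VERSION" ;;
        2) printf 'could not determine libpcre version (got "%s")\n' "$v" >&2 ;;
        *) printf 'libpcre %s: below %s, update dev-libs/libpcre\n' \
               "$v" "$FIXED_PCRE_VERSION" >&2 ;;
    esac
    return $rc
}

# Run the check only when given a version or when pcre-config is available;
# otherwise the file just defines the functions above.
if [ $# -gt 0 ] || command -v pcre-config >/dev/null 2>&1; then
    main "$@"
fi
```

Usage: `sh pcre-check.sh` on the host, or `sh pcre-check.sh 8.32-r1` to evaluate a version string taken from another machine's package list; the exit status is suitable for a fleet-wide inventory script.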
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-11-22 15:05:59 UTC
Maintainer(s), please advise when you are ready for stabilization, or call for stabilization yourself.
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-25 11:04:33 UTC
Can we stabilize 8.38?
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-25 13:53:28 UTC
Arches, please test and mark stable:
=dev-libs/libpcre-8.38
Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2015-11-26 09:58:54 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-29 07:01:07 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-30 06:06:32 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2015-12-05 12:45:44 UTC
arm stable
Comment 9 Matt Turner gentoo-dev 2015-12-06 22:08:23 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-12-07 11:40:36 UTC
ppc stable
Comment 11 Myckel Habets 2015-12-08 17:03:49 UTC
Builds fine on x86. Rdeps also build fine on x86. Please mark stable for x86.
Comment 12 Agostino Sarubbo gentoo-dev 2015-12-25 18:20:44 UTC
x86 stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-27 09:35:47 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-01-11 09:08:01 UTC
ia64 stable
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:00:25 UTC
All supported arches are stable.
Arches, thank you for your work.

New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 05:44:55 UTC
CVE-2015-8395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8395):
  PCRE before 8.38 mishandles certain references, which allows remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via a crafted regular expression, as demonstrated by a JavaScript
  RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and
  CVE-2015-8392.

CVE-2015-8394 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8394):
  PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions,
  which allows remote attackers to cause a denial of service (integer
  overflow) or possibly have unspecified other impact via a crafted regular
  expression, as demonstrated by a JavaScript RegExp object encountered by
  Konqueror.

CVE-2015-8393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8393):
  pcregrep in PCRE before 8.38 mishandles the -q option for binary files,
  which might allow remote attackers to obtain sensitive information via a
  crafted file, as demonstrated by a CGI script that sends stdout data to a
  client.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 05:47:01 UTC
CVE-2015-8392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8392):
  PCRE before 8.38 mishandles certain instances of the (?| substring, which
  allows remote attackers to cause a denial of service (unintended recursion
  and buffer overflow) or possibly have unspecified other impact via a crafted
  regular expression, as demonstrated by a JavaScript RegExp object
  encountered by Konqueror, a related issue to CVE-2015-8384 and
  CVE-2015-8395.

CVE-2015-8391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8391):
  The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles
  certain [: nesting, which allows remote attackers to cause a denial of
  service (CPU consumption) or possibly have unspecified other impact via a
  crafted regular expression, as demonstrated by a JavaScript RegExp object
  encountered by Konqueror.

CVE-2015-8390 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8390):
  PCRE before 8.38 mishandles the [: and \\ substrings in character classes,
  which allows remote attackers to cause a denial of service (uninitialized
  memory read) or possibly have unspecified other impact via a crafted regular
  expression, as demonstrated by a JavaScript RegExp object encountered by
  Konqueror.

CVE-2015-8389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8389):
  PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related
  patterns, which allows remote attackers to cause a denial of service
  (infinite recursion) or possibly have unspecified other impact via a crafted
  regular expression, as demonstrated by a JavaScript RegExp object
  encountered by Konqueror.

CVE-2015-8388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8388):
  PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and
  related patterns with an unmatched closing parenthesis, which allows remote
  attackers to cause a denial of service (buffer overflow) or possibly have
  unspecified other impact via a crafted regular expression, as demonstrated
  by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8387):
  PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine
  calls, which allows remote attackers to cause a denial of service (integer
  overflow) or possibly have unspecified other impact via a crafted regular
  expression, as demonstrated by a JavaScript RegExp object encountered by
  Konqueror.

CVE-2015-8386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8386):
  PCRE before 8.38 mishandles the interaction of lookbehind assertions and
  mutually recursive subpatterns, which allows remote attackers to cause a
  denial of service (buffer overflow) or possibly have unspecified other
  impact via a crafted regular expression, as demonstrated by a JavaScript
  RegExp object encountered by Konqueror.

CVE-2015-8385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8385):
  PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related
  patterns with certain forward references, which allows remote attackers to
  cause a denial of service (buffer overflow) or possibly have unspecified
  other impact via a crafted regular expression, as demonstrated by a
  JavaScript RegExp object encountered by Konqueror.

CVE-2015-8384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8384):
  PCRE before 8.38 mishandles the /(?J)(?'d'(?'d'\g{d}))/ pattern and related
  patterns with certain recursive back references, which allows remote
  attackers to cause a denial of service (buffer overflow) or possibly have
  unspecified other impact via a crafted regular expression, as demonstrated
  by a JavaScript RegExp object encountered by Konqueror, a related issue to
  CVE-2015-8392 and CVE-2015-8395.

CVE-2015-8383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8383):
  PCRE before 8.38 mishandles certain repeated conditional groups, which
  allows remote attackers to cause a denial of service (buffer overflow) or
  possibly have unspecified other impact via a crafted regular expression, as
  demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8381):
  The compile_regex function in pcre_compile.c in PCRE before 8.38 and
  pcre2_compile.c in PCRE2 before 10.2x mishandles the
  /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/ and
  /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
  patterns, and related patterns with certain group references, which allows
  remote attackers to cause a denial of service (heap-based buffer overflow)
  or possibly have unspecified other impact via a crafted regular expression,
  as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8380 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8380):
  The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a //
  pattern with a \01 string, which allows remote attackers to cause a denial
  of service (heap-based buffer overflow) or possibly have unspecified other
  impact via a crafted regular expression, as demonstrated by a JavaScript
  RegExp object encountered by Konqueror.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 02:10:23 UTC
This issue was resolved and addressed in
 GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02
by GLSA coordinator Aaron Bauman (b-man).
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 02:11:58 UTC
This issue was resolved and addressed in
 GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02
by GLSA coordinator Aaron Bauman (b-man).