Bug 551240 (CVE-2015-3210)

Summary: <dev-libs/libpcre-8.37-r2: Multiple Vulnerabilities (CVE-2015-3210)
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.exim.org/show_bug.cgi?id=1636
https://bugzilla.redhat.com/show_bug.cgi?id=1236659
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 553300
Bug Blocks:

Description Thomas Deutschmann (RETIRED) gentoo-dev 2015-06-04 21:24:56 UTC
Hi,

the following vulnerabilities were published for pcre:

1) heap buffer overflow in pcre_compile2() / compile_regex()

The latest version of PCRE is prone to a heap overflow vulnerability which could be caused by the following regular expression.

/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/

To reproduce the problem, we could use pcretest, provided by the PCRE library, or applications which are wrapped with PCRE such as PHP.

Information: https://bugs.exim.org/show_bug.cgi?id=1636

CVE: CVE-2015-3210


2) PCRE Library Call Stack Overflow Vulnerability in match()

The latest version of PCRE is prone to a stack overflow vulnerability which could be caused by the following regular expression.

/^(?:(?(1)\\.|([^\\\\W_])?)+)+$/

To reproduce the problem, we could use pcretest, provided by the PCRE library, or applications which are wrapped with PCRE such as PHP.

Information: https://bugs.exim.org/show_bug.cgi?id=1638

CVE: CVE-2015-3217


3) PCRE Library Stack Overflow Vulnerability (1)

The PCRE library is prone to a vulnerability which leads to a stack overflow. Without enough bounds checking inside compile_regex(), the stack memory could be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability should affect many applications. An attacker may exploit this issue to execute arbitrary code in the context of the user running the affected application.

Information: https://bugs.exim.org/show_bug.cgi?id=1503

CVE-Request: http://www.openwall.com/lists/oss-security/2015/05/31/5


4) PCRE Library Stack Overflow Vulnerability (2)

The PCRE library is prone to a vulnerability which leads to a stack overflow. Without enough bounds checking inside compile_regex(), the stack memory could be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability should affect many applications. An attacker may exploit this issue to DoS the user running the affected application.

Information: https://bugs.exim.org/show_bug.cgi?id=1515

CVE-Request: http://www.openwall.com/lists/oss-security/2015/05/31/4

Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-05 09:23:20 UTC
Thanks for the report. As far as I can see there has been no single release fixing all issues yet, but there are some possible patches referenced in the various bug reports in the initial report that can possibly be backported, so setting an upstream/ebuild status.
Comment 2 Agostino Sarubbo gentoo-dev 2015-06-05 09:33:41 UTC
Summary for maintainer(s):

Upstream bug 1636 (CVE-2015-3210) is fixed in the source repo.
Upstream bug 1638 (CVE-2015-3217) is fixed in 10.10.
Upstream bug 1503 (CVE N/A) is fixed in 8.35.
Upstream bug 1515 (CVE N/A) is fixed in 8.35.
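As an added audit helper (not code from this bug or from the PCRE project), the following Python script turns the affected atom in the summary (<dev-libs/libpcre-8.37-r2) and the fixed-version table in comment 2 into a check that reports which of the listed issues an installed Gentoo version still lacks a fix for; the version parser handles only the dotted numeric form plus an optional -rN revision used on this page, and the package/version pairs in the usage section are constructed sample input.

```python
import re

# Fixed-in versions as stated on this bug: the summary atom for CVE-2015-3210,
# comment 2 for the upstream bugs with no CVE and for the pcre2 issue.
FIXED_IN = {
    "dev-libs/libpcre": [
        ("CVE-2015-3210 (upstream bug 1636)", "8.37-r2"),
        ("upstream bug 1503 (no CVE)", "8.35"),
        ("upstream bug 1515 (no CVE)", "8.35"),
    ],
    "dev-libs/libpcre2": [
        ("CVE-2015-3217 (upstream bug 1638)", "10.10"),
    ],
}

# Dotted numeric version with an optional Gentoo -rN revision, e.g. 8.37-r2.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Return ((numeric components), revision) so tuples compare in Gentoo order.
    Suffixes such as _p1 or _rc1 are not supported here and are rejected."""
    match = _VER_RE.match(version)
    if not match:
        raise ValueError("unsupported version string: %r" % version)
    components = tuple(int(part) for part in match.group(1).split("."))
    revision = int(match.group(2) or 0)
    return components, revision


def is_older(installed, fixed):
    """True when the installed version sorts before the version carrying the fix."""
    return parse_version(installed) < parse_version(fixed)


def unfixed_issues(package, installed):
    """List the issues from this bug that the given installed version does not fix."""
    return [issue for issue, fixed in FIXED_IN.get(package, [])
            if is_older(installed, fixed)]


if __name__ == "__main__":
    # Constructed sample input: hypothetical installed versions to audit.
    for pkg, ver in [("dev-libs/libpcre", "8.37-r1"), ("dev-libs/libpcre", "8.37-r2"),
                     ("dev-libs/libpcre", "8.33"), ("dev-libs/libpcre2", "10.10")]:
        print(pkg, ver, "still affected by:", unfixed_issues(pkg, ver) or "nothing listed")
```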
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-06-05 12:12:04 UTC
FYI, I have a test ebuild of libpcre2-10.10 in poly-c overlay. I can add it to the tree if necessary.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2015-06-17 10:58:58 UTC
Looks like 8.38 won't be released in the next days. Can somebody please release dev-libs/libpcre-8.37-r2 with https://svnweb.freebsd.org/ports?view=revision&revision=388777 ? FreeBSD took this road already, see https://svnweb.freebsd.org/ports/head/devel/pcre/Makefile?view=log
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2015-06-26 20:10:55 UTC
Another one:

Title: PCRE Library Heap Overflow Vulnerability in find_fixedlength()

PCRE library is prone to a vulnerability which leads to Heap Overflow.
During subpattern calculation of a malformed regular expression, an offset that is used as an array index is fully controlled and can be large enough so that unexpected heap memory regions are accessed.
One could at least exploit this issue to read objects nearby of the affected application's memory.
Such information disclosure may also be used to bypass memory protection method such as ASLR.

Upstream bug: https://bugs.exim.org/show_bug.cgi?id=1651

Fix: http://vcs.pcre.org/pcre?diff_format=l&view=revision&revision=1571

CVE: CVE-2015-5073 (http://www.openwall.com/lists/oss-security/2015/06/26/3)
Comment 6 SpanKY gentoo-dev 2015-07-06 08:16:37 UTC
CVE-2015-5073 is tracked in bug 553300 already
Comment 7 SpanKY gentoo-dev 2015-07-06 16:35:32 UTC
looking through the upstream svn for libpcre and redhat's bugzilla, it doesn't seem like a fix is needed for CVE-2015-3217 in the older code base.  only in the newer libpcre2 was a fix deployed.

if that turns out to not be the case, we can file/track in a new bug.
Comment 10 SpanKY gentoo-dev 2015-07-08 05:50:30 UTC
(In reply to Thomas D. from comment #9)

it makes no sense to backport every single revision.  this bug is specifically about CVE-2015-3210 which is now fixed.  i don't want this to explode into analyzing/tracking each upstream commit.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-11-22 15:19:27 UTC
Setting depend to 553300 for stabilization
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:02:18 UTC
Arches and Maintainer(s), Thank you for your work.

Cleanup as part of Bug 553300
Added to an existing GLSA Request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 02:10:15 UTC
This issue was resolved and addressed in
 GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 02:11:51 UTC
This issue was resolved and addressed in
 GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02
by GLSA coordinator Aaron Bauman (b-man).