Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 553300 (CVE-2015-5073)

Summary: <dev-libs/libpcre-8.38: Heap Overflow Vulnerability in find_fixedlength() (CVE-2015-{5073,8380,8381,8383,8384,8385,8386,8387,8388,8389,8390,8391,8392,8393,8394,8395})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: arm64, base-system, m68k, s390, sh+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/06/26/1
See Also: https://bugs.exim.org/show_bug.cgi?id=1651
https://bugzilla.redhat.com/show_bug.cgi?id=1237224
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 551240    

Description Agostino Sarubbo gentoo-dev 2015-06-26 09:22:37 UTC 
From ${URL} :


PCRE library is prone to a vulnerability which leads to Heap Overflow.
During subpattern calculation of a malformed regular expression, an offset
that is used as an array index is fully controlled and can be large enough
so that unexpected heap memory regions are accessed.
One could at least exploit this issue to read objects nearby of the
affected application's memory.
Such information discloure may also be used to bypass memory protection
method such as ASLR.

Reference:
https://bugs.exim.org/show_bug.cgi?id=1651



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-11-22 15:05:59 UTC 
Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-25 11:04:33 UTC 
Can we stabilize 8.38 ?
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-25 13:53:28 UTC 
Arches, please test and mark stable:
=dev-libs/libpcre-8.38
Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2015-11-26 09:58:54 UTC 
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-29 07:01:07 UTC 
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-30 06:06:32 UTC 
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2015-12-05 12:45:44 UTC 
arm stable
Comment 9 Matt Turner gentoo-dev 2015-12-06 22:08:23 UTC 
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-12-07 11:40:36 UTC 
ppc stable
Comment 11 Myckel Habets 2015-12-08 17:03:49 UTC 
Builds fine on x86. Rdeps also build fine on x86. Please mark stable for x86.
Comment 12 Agostino Sarubbo gentoo-dev 2015-12-25 18:20:44 UTC 
x86 stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-27 09:35:47 UTC 
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-01-11 09:08:01 UTC 
ia64 stable
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:00:25 UTC 
All supported arches are stable.
Arches, Thank you for your work.

New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 05:44:55 UTC 
CVE-2015-8395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8395):
  PCRE before 8.38 mishandles certain references, which allows remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via a crafted regular expression, as demonstrated by a JavaScript
  RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and
  CVE-2015-8392.

CVE-2015-8394 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8394):
  PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions,
  which allows remote attackers to cause a denial of service (integer
  overflow) or possibly have unspecified other impact via a crafted regular
  expression, as demonstrated by a JavaScript RegExp object encountered by
  Konqueror.

CVE-2015-8393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8393):
  pcregrep in PCRE before 8.38 mishandles the -q option for binary files,
  which might allow remote attackers to obtain sensitive information via a
  crafted file, as demonstrated by a CGI script that sends stdout data to a
  client.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 05:47:01 UTC 
CVE-2015-8392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8392):
  PCRE before 8.38 mishandles certain instances of the (?| substring, which
  allows remote attackers to cause a denial of service (unintended recursion
  and buffer overflow) or possibly have unspecified other impact via a crafted
  regular expression, as demonstrated by a JavaScript RegExp object
  encountered by Konqueror, a related issue to CVE-2015-8384 and
  CVE-2015-8395.

CVE-2015-8391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8391):
  The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles
  certain [: nesting, which allows remote attackers to cause a denial of
  service (CPU consumption) or possibly have unspecified other impact via a
  crafted regular expression, as demonstrated by a JavaScript RegExp object
  encountered by Konqueror.

CVE-2015-8390 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8390):
  PCRE before 8.38 mishandles the [: and \\ substrings in character classes,
  which allows remote attackers to cause a denial of service (uninitialized
  memory read) or possibly have unspecified other impact via a crafted regular
  expression, as demonstrated by a JavaScript RegExp object encountered by
  Konqueror.

CVE-2015-8389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8389):
  PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related
  patterns, which allows remote attackers to cause a denial of service
  (infinite recursion) or possibly have unspecified other impact via a crafted
  regular expression, as demonstrated by a JavaScript RegExp object
  encountered by Konqueror.

CVE-2015-8388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8388):
  PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and
  related patterns with an unmatched closing parenthesis, which allows remote
  attackers to cause a denial of service (buffer overflow) or possibly have
  unspecified other impact via a crafted regular expression, as demonstrated
  by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8387):
  PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine
  calls, which allows remote attackers to cause a denial of service (integer
  overflow) or possibly have unspecified other impact via a crafted regular
  expression, as demonstrated by a JavaScript RegExp object encountered by
  Konqueror.

CVE-2015-8386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8386):
  PCRE before 8.38 mishandles the interaction of lookbehind assertions and
  mutually recursive subpatterns, which allows remote attackers to cause a
  denial of service (buffer overflow) or possibly have unspecified other
  impact via a crafted regular expression, as demonstrated by a JavaScript
  RegExp object encountered by Konqueror.

CVE-2015-8385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8385):
  PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related
  patterns with certain forward references, which allows remote attackers to
  cause a denial of service (buffer overflow) or possibly have unspecified
  other impact via a crafted regular expression, as demonstrated by a
  JavaScript RegExp object encountered by Konqueror.

CVE-2015-8384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8384):
  PCRE before 8.38 mishandles the /(?J)(?'d'(?'d'\g{d}))/ pattern and related
  patterns with certain recursive back references, which allows remote
  attackers to cause a denial of service (buffer overflow) or possibly have
  unspecified other impact via a crafted regular expression, as demonstrated
  by a JavaScript RegExp object encountered by Konqueror, a related issue to
  CVE-2015-8392 and CVE-2015-8395.

CVE-2015-8383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8383):
  PCRE before 8.38 mishandles certain repeated conditional groups, which
  allows remote attackers to cause a denial of service (buffer overflow) or
  possibly have unspecified other impact via a crafted regular expression, as
  demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8381):
  The compile_regex function in pcre_compile.c in PCRE before 8.38 and
  pcre2_compile.c in PCRE2 before 10.2x mishandles the
  /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/ and
  /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
  patterns, and related patterns with certain group references, which allows
  remote attackers to cause a denial of service (heap-based buffer overflow)
  or possibly have unspecified other impact via a crafted regular expression,
  as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8380 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8380):
  The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a //
  pattern with a \01 string, which allows remote attackers to cause a denial
  of service (heap-based buffer overflow) or possibly have unspecified other
  impact via a crafted regular expression, as demonstrated by a JavaScript
  RegExp object encountered by Konqueror.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 02:10:23 UTC 
This issue was resolved and addressed in
 GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02
by GLSA coordinator Aaron Bauman (b-man).
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 02:11:58 UTC 
This issue was resolved and addressed in
 GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02
by GLSA coordinator Aaron Bauman (b-man).