Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 609592 (CVE-2017-6004)

Summary: <dev-libs/libpcre-8.40-r1: OOB read / application crash
Product: Gentoo Security Reporter: ncl
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: All   
URL: https://bugs.exim.org/show_bug.cgi?id=2035
See Also: https://bugs.exim.org/show_bug.cgi?id=2035
Whiteboard: A3 [glsa cve]
Package list:
=dev-libs/libpcre-8.40-r1
Runtime testing required: ---
Attachments:
Description Flags
Upstream fix for CVE-2017-6004 with updated tests none

Description ncl 2017-02-17 04:53:40 UTC
The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

This seems to be fixed in the 8.40 release.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6004
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6004
https://bugs.exim.org/show_bug.cgi?id=2035
Comment 1 Thomas Deutschmann gentoo-dev 2017-02-17 07:40:35 UTC
Upstream patch:

https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch

This is _not_ included in v8.40 release.


@ Maintainer(s): Could you please rev bump and cherry-pick the patch (I attached a complete patch including updated tests)? You may also want to cherry-pick https://vcs.pcre.org/pcre/code/trunk/pcregrep.c?r1=1678&r2=1679&view=patch which fixes a bug/incomplete fix for

> 1.  Using -o with -M in pcregrep could cause unnecessary repeated output when
>     the match extended over a line boundary.
Comment 2 Thomas Deutschmann gentoo-dev 2017-02-17 07:41:37 UTC
Created attachment 464034 [details, diff]
Upstream fix for CVE-2017-6004 with updated tests
Comment 3 SpanKY gentoo-dev 2017-03-20 07:49:32 UTC
libpcre-8.40-r1 in the tree now w/the two fixes:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef1e0f46ae56483d3b5695108e684a887bab4d33

should be fine for stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-25 14:43:34 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-25 19:25:37 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-25 19:28:04 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-27 06:38:20 UTC
Stable for HPPA.
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-03-28 10:55:45 UTC
arm stable.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2017-03-28 23:36:24 UTC
arm64 stable.
Comment 10 Matt Turner gentoo-dev 2017-03-30 02:39:13 UTC
alpha/ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-04-01 16:07:16 UTC
x86 stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-04-26 00:54:57 UTC
We can not wait any longer on sparc. Please stabilize, we are going to work on releasing the GLSA.
Comment 13 Agostino Sarubbo gentoo-dev 2017-04-27 11:23:58 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 14 Thomas Deutschmann gentoo-dev 2017-06-04 12:59:53 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/4848
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 19:46:41 UTC
This issue was resolved and addressed in
 GLSA 201706-11 at https://security.gentoo.org/glsa/201706-11
by GLSA coordinator Kristian Fiskerstrand (K_F).