Bug 718350 (CVE-2020-11958)

Summary:	<dev-util/re2c-1.3-r1: heap overflow in Scanner::fill (scanner.cc) (CVE-2020-11958)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	nobrowser, robbat2
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A2 [glsa+ cve]
Package list:	=dev-util/re2c-1.3-r1 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86	Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2020-04-19 15:01:17 UTC

From https://www.openwall.com/lists/oss-security/2020/04/19/1 :

Description:
re2c is a tool for generating C-based recognizers from regular expressions.

There is an heap overflow reproducible with a crafted file.

~ $ re2c -o /tmp/out $FILE
=================================================================
==43995==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x629000004212 at pc 0x00000049937f bp 0x7ffc0521bc00 sp 0x7ffc0521b3c8
WRITE of size 18 at 0x629000004212 thread T0
    #0 0x49937e in __asan_memset /var/tmp/portage/sys-libs/compiler-rt-
sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/
asan_interceptors_memintrinsics.cc:26:3
    #1 0x67a291 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-
util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:167:9
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-
util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /
var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/
main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/
glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16
    #6 0x421d39  (/usr/bin/re2c+0x421d39)

0x629000004212 is located 0 bytes to the right of 16402-byte region 
[0x629000000200,0x629000004212)
allocated by thread T0 here:
    #0 0x4c949d in operator new[](unsigned long) /var/tmp/portage/sys-libs/
compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/
asan_new_delete.cc:102:3
    #1 0x67a0f2 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-
util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:154:22
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-
util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /
var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/
main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/
glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-libs/
compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/
asan_interceptors_memintrinsics.cc:26:3 in __asan_memset

Affected version:
1.3

Fixed version:
Will be 2.0

Commit fix:
https://github.com/skvadrik/re2c/commit/
c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a

Credit:
This bug was discovered by Agostino Sarubbo.

CVE:
I don’t care anymore about a CVE. If you will obtain one about this issue, 
feel free to reach me. I will update this as well.

Timeline:
2020-04-17: bug discovered and reported to upstream
2020-04-17: upstream fixed the issue
2020-04-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work 
is also supported by the Core Infrastructure Initiative.

Permalink:
http://blogs.gentoo.org/ago/2020/04/19/re2c-heap-overflow-in-scannerfill-scanner-cc/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Larry the Git Cow gentoo-dev

2020-04-19 19:11:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f09c916426f9ad39d29f800db74c0ced7c8f252

commit 9f09c916426f9ad39d29f800db74c0ced7c8f252
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-04-19 19:11:05 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-04-19 19:11:25 +0000

    dev-util/re2c: fix lexer overflow, bug #718350
    
    Direct backport of c4603ba5ce229db ("Fix crash in lexer
    refill (reported by Agostino Sarubbo).")
    
    Reported-by: Agostino Sarubbo
    Bug: https://bugs.gentoo.org/718350
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-util/re2c/files/re2c-1.3-lexer-overflow.patch | 40 +++++++++++++++++++++++
 dev-util/re2c/re2c-1.3-r1.ebuild                  | 28 ++++++++++++++++
 2 files changed, 68 insertions(+)

Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev

2020-04-19 19:12:19 UTC

It is safe to stabilize new version.

Comment 3 Sam James archtester

2020-04-19 19:42:56 UTC

(In reply to Sergei Trofimovich from comment #2)
> It is safe to stabilize new version.

Thank you (both ago and slyfox). Nice quick job.
Let's do it.

[changing to B2 because spamassassin seems to be from previous bugs, and that is only rdep].

Comment 4 Rolf Eike Beer archtester

2020-04-20 05:37:20 UTC

hppa/sparc stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-04-20 08:09:09 UTC

(In reply to Sam James (sec padawan) from comment #3)
> [changing to B2 because spamassassin seems to be from previous bugs, and
> that is only rdep].

Chromium requires ninja that requires re2c. If chromium is A, all packages pulled by him should be A too..or what is the criteria?

Comment 6 Agostino Sarubbo gentoo-dev

2020-04-20 08:29:09 UTC

x86 stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-04-20 09:29:49 UTC

s390 stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-04-20 09:45:40 UTC

amd64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-04-20 09:46:41 UTC

arm stable

Comment 10 Agostino Sarubbo gentoo-dev

2020-04-20 09:49:19 UTC

ppc stable

Comment 11 Agostino Sarubbo gentoo-dev

2020-04-20 09:51:28 UTC

ppc64 stable

Comment 12 Sam James archtester

2020-04-20 10:56:58 UTC

(In reply to Agostino Sarubbo from comment #5)
> (In reply to Sam James (sec padawan) from comment #3)
> > [changing to B2 because spamassassin seems to be from previous bugs, and
> > that is only rdep].
> 
> Chromium requires ninja that requires re2c. If chromium is A, all packages
> pulled by him should be A too..or what is the criteria?

You are definitely right.

I had looked here:
https://qa-reports.gentoo.org/output/genrdeps/rindex/dev-util/re2c
and asked willikins but apparently it does not pick it up. Maybe because of BDEPEND.

I've switched it back!

Comment 13 Sam James archtester

2020-04-21 10:16:29 UTC

arm64 stable

Comment 14 Sam James archtester

2020-04-21 21:02:08 UTC

@maintainer(s), please cleanup!

Comment 15 Larry the Git Cow gentoo-dev

2020-04-25 11:13:39 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecfce5a7c8841e5429f5fc4704d7a71aeefbef9f

commit ecfce5a7c8841e5429f5fc4704d7a71aeefbef9f
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-04-25 11:13:27 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-04-25 11:13:33 +0000

    dev-util/re2c: drop old
    
    Bug: https://bugs.gentoo.org/718350
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-util/re2c/re2c-1.3.ebuild | 26 --------------------------
 1 file changed, 26 deletions(-)

Comment 16 GLSAMaker/CVETool Bot gentoo-dev

2020-07-27 00:21:45 UTC

This issue was resolved and addressed in
 GLSA 202007-28 at https://security.gentoo.org/glsa/202007-28
by GLSA coordinator Sam James (sam_c).