Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 228091 (CVE-2008-2371) - dev-libs/libpcre <7.7-r1 pcre_compile.c Heap-based buffer overflow (CVE-2008-2371)
Summary: dev-libs/libpcre <7.7-r1 pcre_compile.c Heap-based buffer overflow (CVE-2008-...
Status: RESOLVED FIXED
Alias: CVE-2008-2371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks: 230039
  Show dependency tree
 
Reported: 2008-06-18 14:17 UTC by Robert Buchholz (RETIRED)
Modified: 2008-07-18 03:02 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
libpcre-7.7-r1.ebuild (libpcre-7.7-r1.ebuild,1.36 KB, text/plain)
2008-06-18 15:24 UTC, Peter Alfredsen (RETIRED)
no flags Details
libpcre-7.7-buffer-overflow.patch (libpcre-7.7-buffer-overflow.patch,636 bytes, patch)
2008-06-18 15:25 UTC, Peter Alfredsen (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-18 14:17:24 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tavis Ormandy writes:

The problem is that when an option is specified at the start of a
pattern, to avoid compiling it unnecessarily into the bytecode it's
passed back up to the caller as if it was specified via pcre_compile()
options, i.e. /(?i)a|b/ == /a|b/i, and as the latter is somewhat easier
to handle, they're made equivalent. This usually works, but when a
pattern contains multiple branches, the new option is accidentally passed
back too far, so when there are multiple branches, only the first gets the
new flag, however on the second compile pass the new flag is always
set, resulting in a mismatch between the size-calculation pass and the
actual compilation pass. The result is pcre overflowing a heap buffer.

 --- pcre_compile.c~     2008-06-12 16:55:22.860930000 +0200
 +++ pcre_compile.c      2008-06-12 16:54:53.647168000 +0200
 @@ -4931,7 +4931,7 @@
                (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
             {
             cd->external_options = newoptions;
 +            options = *optionsptr = newoptions;
 -            options = newoptions;
             }
          else
             {
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-06-18 14:21:28 UTC
Adding Peter as he is maintaining this package now, sorry for the spam.

Peter, please prepare an ebuild including the patch and attach it to this bug. Do not commit anything to CVS. We will do prestable testing on this bug.
Comment 2 Peter Alfredsen (RETIRED) gentoo-dev 2008-06-18 15:24:09 UTC
Created attachment 157447 [details]
libpcre-7.7-r1.ebuild

Ebuild for patch. Compiles, passes tests.
Comment 3 Peter Alfredsen (RETIRED) gentoo-dev 2008-06-18 15:25:10 UTC
Created attachment 157449 [details, diff]
libpcre-7.7-buffer-overflow.patch

Patch as used in ebuild.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-06-18 15:58:51 UTC
Do you want the 7.7 branch to go stable via this bug?
Comment 5 Peter Alfredsen (RETIRED) gentoo-dev 2008-06-18 16:06:56 UTC
(In reply to comment #4)
> Do you want the 7.7 branch to go stable via this bug?
> 

Yes:
7.7 is mainly a bug-fix release.
No new bugs have been filed since bump.
A bug would have been filed in 8 days anyway.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-06-18 17:25:23 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-06-18 23:36:38 UTC
Report on alpha:
 - compiles fine
 - tests passed
 - grep built ok with prce support

Green light.
Comment 8 Jeroen Roovers gentoo-dev 2008-06-19 04:02:16 UTC
OK for HPPA.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-06-19 05:39:20 UTC
looks good on ppc64
Comment 10 Peter Weller (RETIRED) gentoo-dev 2008-06-19 12:24:53 UTC
Good to go on amd64.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-06-19 12:59:40 UTC
Looks fine on ia64/sparc/x86
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-19 13:04:41 UTC
(In reply to comment #11)
> Looks fine on ia64/sparc/x86

 And as I know that Raul is a complete failure, I checked x86, too.  Built about 40 reverse deps and they seem to work all fine.  So Raul is right by accident. :)
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-26 20:44:53 UTC
looks good on ppc
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-06-30 20:51:55 UTC
Lifting embargo, Peter please commit straight to stable for the arches that tested.
Comment 15 Peter Alfredsen (RETIRED) gentoo-dev 2008-06-30 21:19:07 UTC
Ebuild in tree.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-06-30 21:20:56 UTC
=dev-libs/libpcre-7.7-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm m68k s390 sh"
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-07-07 20:34:06 UTC
Rerating A1 due to possible remote exploitation vector.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-07-07 20:35:43 UTC
GLSA 200807-03
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-07-18 03:02:04 UTC
Upstream committed a different patch, see
http://vcs.pcre.org/viewvc?view=rev&revision=360