From https://www.openwall.com/lists/oss-security/2020/04/19/1 :

Description:
re2c is a tool for generating C-based recognizers from regular expressions.

There is a heap overflow reproducible with a crafted file.

~ $ re2c -o /tmp/out $FILE
=================================================================
==43995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004212 at pc 0x00000049937f bp 0x7ffc0521bc00 sp 0x7ffc0521b3c8
WRITE of size 18 at 0x629000004212 thread T0
    #0 0x49937e in __asan_memset /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_interceptors_memintrinsics.cc:26:3
    #1 0x67a291 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:167:9
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16
    #6 0x421d39 (/usr/bin/re2c+0x421d39)

0x629000004212 is located 0 bytes to the right of 16402-byte region [0x629000000200,0x629000004212)
allocated by thread T0 here:
    #0 0x4c949d in operator new[](unsigned long) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_new_delete.cc:102:3
    #1 0x67a0f2 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:154:22
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_interceptors_memintrinsics.cc:26:3 in __asan_memset

Affected version:
1.3

Fixed version:
Will be 2.0

Commit fix:
https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a

Credit:
This bug was discovered by Agostino Sarubbo.

CVE:
I don't care anymore about a CVE. If you obtain one for this issue, feel free to reach me. I will update this as well.

Timeline:
2020-04-17: bug discovered and reported to upstream
2020-04-17: upstream fixed the issue
2020-04-19: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet.
This work is also supported by the Core Infrastructure Initiative.

Permalink:
http://blogs.gentoo.org/ago/2020/04/19/re2c-heap-overflow-in-scannerfill-scanner-cc/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
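The ASan report above pins the write precisely: an 18-byte memset starting at the address where a 16402-byte heap region ends, issued from the scanner's refill routine that also allocated the region. The following is an added, constructed illustration of that bug class (a chunked lexer input buffer whose refill pads the tail without checking remaining capacity) and the bounds check such a routine needs; it is not re2c's code and not the upstream fix, and the names `inbuf`, `overflow_bytes`, `inbuf_pad` and `demo_refill` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not re2c's code): a lexer input buffer that is
 * refilled in chunks. The ASan report shows a memset in a refill routine
 * writing 18 bytes starting exactly at the end of a 16402-byte heap region,
 * i.e. tail padding written without checking that the buffer had room. */
struct inbuf {
    char  *data;   /* heap region owned by the refill routine */
    size_t len;    /* bytes currently in use */
    size_t cap;    /* size of the allocation */
};

/* Number of bytes an unchecked write of `write_len` bytes at offset `off`
 * would land past the end of a `cap`-byte region (0 when it fits).
 * With the report's numbers (cap 16402, write at offset 16402, size 18)
 * all 18 bytes are out of bounds. */
size_t overflow_bytes(size_t cap, size_t off, size_t write_len)
{
    if (off > cap) return write_len;        /* start already past the end */
    size_t room = cap - off;
    return write_len > room ? write_len - room : 0;
}

/* Hardened refill step: append `pad` zero bytes after the used data (the
 * kind of sentinel padding a lexer keeps after its input), growing the
 * allocation first when the tail lacks room. Returns false only on
 * allocation failure; never writes outside [data, data + cap). */
bool inbuf_pad(struct inbuf *b, size_t pad)
{
    size_t need = overflow_bytes(b->cap, b->len, pad);
    if (need > 0) {
        /* grow with headroom so repeated refills do not realloc every time */
        size_t newcap = b->cap + need + b->cap / 2;
        if (newcap < b->cap) return false;     /* size_t wrap-around */
        char *p = realloc(b->data, newcap);
        if (!p) return false;
        b->data = p;
        b->cap  = newcap;
    }
    memset(b->data + b->len, 0, pad);          /* now inside the region */
    b->len += pad;
    return true;
}

/* Run one refill with the report's shape (a completely full `cap`-byte
 * buffer, then `pad` bytes of padding) and return the resulting capacity,
 * or 0 on failure. An unchecked memset here would be the reported overflow. */
size_t demo_refill(size_t cap, size_t pad)
{
    struct inbuf b = { malloc(cap), cap, cap };
    if (!b.data) return 0;
    memset(b.data, 'x', cap);                  /* constructed input */
    size_t result = inbuf_pad(&b, pad) ? b.cap : 0;
    free(b.data);
    return result;
}
```

The check is the whole point: `overflow_bytes` makes the capacity arithmetic explicit before any write, and the same helper doubles as a quick way to read an ASan report (region size, write offset, write size) and confirm how many bytes went out of bounds.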
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f09c916426f9ad39d29f800db74c0ced7c8f252

commit 9f09c916426f9ad39d29f800db74c0ced7c8f252
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-04-19 19:11:05 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-04-19 19:11:25 +0000

    dev-util/re2c: fix lexer overflow, bug #718350

    Direct backport of c4603ba5ce229db ("Fix crash in lexer refill (reported by Agostino Sarubbo).")

    Reported-by: Agostino Sarubbo
    Bug: https://bugs.gentoo.org/718350
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-util/re2c/files/re2c-1.3-lexer-overflow.patch | 40 +++++++++++++++++++++++
 dev-util/re2c/re2c-1.3-r1.ebuild                  | 28 ++++++++++++++++
 2 files changed, 68 insertions(+)
It is safe to stabilize the new version.
(In reply to Sergei Trofimovich from comment #2)
> It is safe to stabilize new version.

Thank you (both ago and slyfox). Nice quick job. Let's do it.

[changing to B2 because spamassassin seems to be from previous bugs, and that is only rdep].
hppa/sparc stable
(In reply to Sam James (sec padawan) from comment #3)
> [changing to B2 because spamassassin seems to be from previous bugs, and
> that is only rdep].

Chromium requires ninja, which requires re2c. If chromium is A, all packages pulled in by it should be A too... or what are the criteria?
x86 stable
s390 stable
amd64 stable
arm stable
ppc stable
ppc64 stable
(In reply to Agostino Sarubbo from comment #5)
> (In reply to Sam James (sec padawan) from comment #3)
> > [changing to B2 because spamassassin seems to be from previous bugs, and
> > that is only rdep].
>
> Chromium requires ninja that requires re2c. If chromium is A, all packages
> pulled by him should be A too..or what is the criteria?

You are definitely right. I had looked here: https://qa-reports.gentoo.org/output/genrdeps/rindex/dev-util/re2c and asked willikins, but apparently it does not pick it up. Maybe because of BDEPEND. I've switched it back!
arm64 stable
@maintainer(s), please clean up!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecfce5a7c8841e5429f5fc4704d7a71aeefbef9f

commit ecfce5a7c8841e5429f5fc4704d7a71aeefbef9f
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-04-25 11:13:27 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-04-25 11:13:33 +0000

    dev-util/re2c: drop old

    Bug: https://bugs.gentoo.org/718350
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-util/re2c/re2c-1.3.ebuild | 26 --------------------------
 1 file changed, 26 deletions(-)
This issue was resolved and addressed in GLSA 202007-28 at https://security.gentoo.org/glsa/202007-28 by GLSA coordinator Sam James (sam_c).