Bug 551240 (CVE-2015-3210) - <dev-libs/libpcre-8.37-r2: Multiple Vulnerabilities (CVE-2015-3210)
Summary: <dev-libs/libpcre-8.37-r2: Multiple Vulnerabilities (CVE-2015-3210)
Status: RESOLVED FIXED
Alias: CVE-2015-3210
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2015-5073
Blocks:
Reported: 2015-06-04 21:24 UTC by Thomas Deutschmann
Modified: 2016-07-09 02:11 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Thomas Deutschmann gentoo-dev Security 2015-06-04 21:24:56 UTC
Hi,

the following vulnerabilities were published for pcre:


1) heap buffer overflow in pcre_compile2() / compile_regex()

The latest version of PCRE is prone to a heap overflow vulnerability which could be caused by the following regular expression.

/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/

To reproduce the problem, we could use pcretest, provided by the PCRE library, or applications which are wrapped with PCRE, such as PHP.

Information: https://bugs.exim.org/show_bug.cgi?id=1636

CVE: CVE-2015-3210


2) PCRE Library Call Stack Overflow Vulnerability in match()

The latest version of PCRE is prone to a stack overflow vulnerability which could be caused by the following regular expression.

/^(?:(?(1)\\.|([^\\\\W_])?)+)+$/

To reproduce the problem, we could use pcretest, provided by the PCRE library, or applications which are wrapped with PCRE, such as PHP.

Information: https://bugs.exim.org/show_bug.cgi?id=1638

CVE: CVE-2015-3217


3) PCRE Library Stack Overflow Vulnerability (1)

The PCRE library is prone to a vulnerability which leads to a stack overflow. Without enough bounds checking inside compile_regex(), the stack memory could be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability should affect many applications. An attacker may exploit this issue to execute arbitrary code in the context of the user running the affected application.

Information: https://bugs.exim.org/show_bug.cgi?id=1503

CVE-Request: http://www.openwall.com/lists/oss-security/2015/05/31/5


4) PCRE Library Stack Overflow Vulnerability (2)

The PCRE library is prone to a vulnerability which leads to a stack overflow. Without enough bounds checking inside compile_regex(), the stack memory could be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability should affect many applications. An attacker may exploit this issue to DoS the user running the affected application.

Information: https://bugs.exim.org/show_bug.cgi?id=1515

CVE-Request: http://www.openwall.com/lists/oss-security/2015/05/31/4



Reproducible: Always
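As an added example (not code from the bug report, from Gentoo or from PCRE), the following POSIX shell script does the two things a Gentoo admin would want after reading the report above: compare the installed dev-libs/libpcre version, including the ebuild -rN revision, against the 8.37-r2 named in the summary, and feed the two proof-of-concept patterns to the installed pcretest under a timeout, classifying death by signal as a crash. It assumes qlist from app-portage/portage-utils with the -I -v -e flags, coreutils timeout, and pcretest on PATH. The pattern for bug 1638 is quoted with single backslashes, as the CVE-2015-3217 description gives it; the report above shows it doubly escaped, as it would appear in a C string literal. A plain build need not crash on a heap overflow, so an "ok" from the probe is only meaningful against a libpcre built with -fsanitize=address or a pcretest run under valgrind.

```shell
#!/bin/sh
# Added example for this bug; not code from the Gentoo bug, the GLSA or PCRE itself.
# Two checks for a Gentoo host:
#   1. pcre_fixed: is the installed dev-libs/libpcre at or above 8.37-r2, the fixed
#      revision named in this bug? Understands Gentoo's "-rN" ebuild revisions.
#   2. probe_pcretest: feed a proof-of-concept pattern from the report to pcretest
#      under a timeout and classify the outcome (ok / timeout / crash).
# Assumptions: qlist from app-portage/portage-utils (flags -I -v -e, output
# "dev-libs/libpcre-8.37-r2") for the installed version; pcretest and coreutils
# timeout on PATH for the probe. dev-libs/libpcre2 (10.x) is a separate package.

# Split "MAJOR.MINOR[-rREV]" into three words; a missing -rN suffix means rev 0.
split_ver() {
    base=${1%%-r*}
    rev=${1#"$base"}
    rev=${rev#-r}
    [ -n "$rev" ] || rev=0
    echo "${base%%.*} ${base#*.} $rev"
}

# Return 0 when installed version $1 is at or above fixed version $2 (default 8.37-r2).
pcre_fixed() {
    set -- "$1" "${2:-8.37-r2}"
    set -- $(split_ver "$1") $(split_ver "$2")
    # $1 $2 $3: installed major/minor/rev; $4 $5 $6: fixed major/minor/rev
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Run one pattern (and optional subject) through pcretest. Prints ok, timeout,
# crash:<status> or skip, and returns 1 only for a crash. A heap overflow need not
# crash a plain build: point PCRETEST at an ASan build, or wrap it in valgrind,
# before trusting "ok".
probe_pcretest() {
    pattern=$1
    subject=${2:-}
    bin=${PCRETEST:-pcretest}
    if ! command -v "$bin" >/dev/null 2>&1 || ! command -v timeout >/dev/null 2>&1; then
        echo "skip: $bin or timeout not on PATH"
        return 0
    fi
    # pcretest input format: a delimited pattern line, subject lines, then a blank line.
    printf '%s\n%s\n\n' "$pattern" "$subject" | timeout 10 "$bin" -q >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "timeout"          # runaway backtracking: worth a look, but not a crash
    elif [ "$rc" -ge 128 ]; then
        echo "crash:$rc"        # killed by signal rc-128 (SIGSEGV/SIGABRT): vulnerable
        return 1
    else
        echo "ok"
    fi
}

main() {
    if command -v qlist >/dev/null 2>&1; then
        # "dev-libs/libpcre-8.37-r2" -> "8.37-r2"
        inst=$(qlist -I -v -e dev-libs/libpcre | head -n 1 | sed 's|^dev-libs/libpcre-||')
        if [ -z "$inst" ]; then
            echo "dev-libs/libpcre is not installed"
        elif pcre_fixed "$inst"; then
            echo "installed libpcre $inst: at or above 8.37-r2"
        else
            echo "installed libpcre $inst: BELOW 8.37-r2, update"
        fi
    else
        echo "skip: qlist not found (not a Gentoo host?)"
    fi
    # Proof-of-concept patterns from the report (upstream bugs 1636 and 1638). The
    # bug 1638 pattern is written with single backslashes, as CVE-2015-3217 gives it;
    # the subjects that drive match() into deep recursion are in that upstream bug,
    # so pass one as the first argument of this script.
    r1=$(probe_pcretest '/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/')
    echo "pcre_compile2 PoC (bug 1636): $r1"
    r2=$(probe_pcretest '/^(?:(?(1)\.|([^\\\W_])?)+)+$/' "${1:-}")
    echo "match() PoC (bug 1638):       $r2"
    case "$r1$r2" in *crash*) return 1 ;; esac
    return 0
}

main "$@"
```

Run it as `sh pcre_check.sh` (file name assumed), optionally with a subject string for the match() pattern as the first argument, and set `PCRETEST=/path/to/instrumented/pcretest` to probe a sanitizer build instead of the system binary. The version check deliberately compares the Gentoo revision rather than `pcre-config --version`, because the fix this bug asks for lives in the -r2 ebuild revision, not in a new upstream release.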
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2015-06-05 09:23:20 UTC
Thanks for the report. As far as I can see there has been no single release fixing all issues yet, but there are some possible patches referenced in the various bug reports in the initial report that can possibly be backported, so setting an upstream/ebuild status.
Comment 2 Agostino Sarubbo gentoo-dev 2015-06-05 09:33:41 UTC
Summary for maintainer(s):

Upstream bug 1636 (CVE-2015-3210) is fixed in the source repo.
Upstream bug 1638 (CVE-2015-3217) is fixed in 10.10
Upstream bug 1503 (CVE N/A) is fixed in 8.35
Upstream bug 1515 (CVE N/A) is fixed in 8.35
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2015-06-05 12:12:04 UTC
FYI, I have a test ebuild of libpcre2-10.10 in poly-c overlay. I can add it to the tree if necessary.
Comment 4 Thomas Deutschmann gentoo-dev Security 2015-06-17 10:58:58 UTC
Looks like 8.38 won't be released in the next days. Can somebody please release dev-libs/libpcre-8.37-r2 with https://svnweb.freebsd.org/ports?view=revision&revision=388777 ? FreeBSD took this road already, see https://svnweb.freebsd.org/ports/head/devel/pcre/Makefile?view=log
Comment 5 Thomas Deutschmann gentoo-dev Security 2015-06-26 20:10:55 UTC
Another one:

Title: PCRE Library Heap Overflow Vulnerability in find_fixedlength()

The PCRE library is prone to a vulnerability which leads to a heap overflow.
During subpattern calculation of a malformed regular expression, an offset that is used as an array index is fully controlled and can be large enough that unexpected heap memory regions are accessed.
One could at least exploit this issue to read nearby objects in the affected application's memory.
Such information disclosure may also be used to bypass memory protection methods such as ASLR.

Upstream bug: https://bugs.exim.org/show_bug.cgi?id=1651

Fix: http://vcs.pcre.org/pcre?diff_format=l&view=revision&revision=1571

CVE: CVE-2015-5073 (http://www.openwall.com/lists/oss-security/2015/06/26/3)
Comment 6 SpanKY gentoo-dev 2015-07-06 08:16:37 UTC
CVE-2015-5073 is tracked in bug 553300 already
Comment 7 SpanKY gentoo-dev 2015-07-06 16:35:32 UTC
Looking through the upstream svn for libpcre and Red Hat's bugzilla, it doesn't seem like a fix is needed for CVE-2015-3217 in the older code base. Only in the newer libpcre2 was a fix deployed.

If that turns out to not be the case, we can file/track in a new bug.
Comment 10 SpanKY gentoo-dev 2015-07-08 05:50:30 UTC
(In reply to Thomas D. from comment #9)

It makes no sense to backport every single revision. This bug is specifically about CVE-2015-3210, which is now fixed. I don't want this to explode into analyzing/tracking each upstream commit.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-22 15:19:27 UTC
Setting depend to 553300 for stabilization
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2016-02-25 07:02:18 UTC
Arches and Maintainer(s), Thank you for your work.

Cleanup as part of Bug 553300
Added to an existing GLSA Request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-07-09 02:10:15 UTC
This issue was resolved and addressed in
 GLSA 201607-02 at https://security.gentoo.org/glsa/201607-02
by GLSA coordinator Aaron Bauman (b-man).