Bug 1191049 (CVE-2015-2305)

Summary: CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bgollahe, bleanhar, bos, byte, carnil, ccoleman, databases-maint, davejohansen, dkutalek, dmalcolm, dmcphers, fedora, hhorak, jialiu, jokerman, jorton, jv+fedora, kanderso, knoha, lmeyer, mmaslano, mmccomas, mmuzila, petersen, rcollet, scottt.tw, security-response-team, sisharma, spacewar, wburrows, yoguma
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: php 5.6.7, php 5.5.23, php 5.4.39, mysql 5.5.45, mysql 5.6.26, mariadb 5.5.45
Doc Type: Bug Fix
Doc Text:
A heap buffer overflow flaw was found in the regcomp() function of Henry Spencer's regular expression library. An attacker able to make an application process a specially crafted regular expression pattern with the regcomp() function could cause that application to crash and possibly execute arbitrary code.
Story Points: ---
Last Closed: 2021-10-20 10:50:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1209880, 1209884, 1209887
Bug Blocks: 1191051

Description Vasyl Kaigorodov 2015-02-10 11:16:58 UTC
A heap buffer overflow was discovered [1] in the regcomp() function of Henry Spencer's regular expression library. The impact of this issue depends on how the affected application uses the regcomp() function. An attacker would have to pass a specially crafted regular expression to the regcomp() function to be able to exploit this issue.

Note that this issue only affects 32-bit architectures.

[1] https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

Comment 1 Jens Petersen 2015-02-17 02:15:14 UTC
Note that on Linux, ghc-regex-posix (Haskell regex-posix library)
does not actually use regcomp.c.

I just committed:

http://pkgs.fedoraproject.org/cgit/ghc-regex-posix.git/commit/?id=468216b9ce33051a7e0878cc430f6f7c791d2763

Comment 2 Honza Horak 2015-02-17 16:09:56 UTC
Do we have some patch for this issue? From the blog it doesn't seem to be obvious.

Comment 3 Martin Prpič 2015-02-19 10:09:54 UTC
(In reply to Honza Horak from comment #2)
> Do we have some patch for this issue? From the blog it doesn't seem to be
> obvious.

Hey Honza, DragonFly BSD came up with this fix:

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/2841837793bd095a82f477e9c370cfe6cfb3862c

which was also used by FreeBSD:

https://svnweb.freebsd.org/base?view=revision&revision=278739

Comment 6 Siddharth Sharma 2015-03-11 12:15:47 UTC
Analysis
========

The problematic code is in the regcomp function, which is part of the regex as shipped in the affected products. Following is the problematic code in
the regex as shipped in MariaDB:

int                             /* 0 success, otherwise REG_something */
my_regcomp(preg, pattern, cflags, charset)
my_regex_t *preg;
const char *pattern;
int cflags;
CHARSET_INFO *charset;
{
...
1. Sending a large string to the regcomp() function would make 'len' grow
to such an extent that it would cause a 32-bit register/variable overflow.

len = strlen((char *)pattern);
...

2. p->ssize does not overflow here and contains the number of elements allocated by malloc, which indicates a wrong allocated buffer size.

p->ssize = (long) (len/(size_t)2*(size_t)3 + (size_t)1); /* ugh */
p->strip = (sop *)malloc(p->ssize * sizeof(sop));
...
}
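The 32-bit arithmetic that the analysis above walks through, as an added example and not code from the regex library, MariaDB, or any of the vendor fixes: it models size_t and sop as 32-bit unsigned (assuming sizeof(sop) is 4 bytes on such a target), reproduces the unchecked computation of p->ssize and of the byte count handed to malloc(), and places a bounded version beside it that refuses pattern lengths whose products would wrap, which is where regcomp() should fail with REG_ESPACE. The function names and the sample lengths are this example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit target: size_t and sop are both 32-bit
 * unsigned, so sizeof(sop) == 4 (assumption: sop is an unsigned long). */
typedef uint32_t word_t;
#define WORD_MAX UINT32_MAX
#define SOP_SIZE ((word_t)4)

/* The arithmetic exactly as the snippet above performs it, with no overflow
 * checks.  The (long) cast in the original changes nothing: the product
 * with sizeof(sop) is evaluated as unsigned anyway.  Stores the element
 * count that regcomp() goes on to trust in *elems_out and returns the byte
 * count it would pass to malloc(). */
word_t strip_bytes_unchecked(word_t len, word_t *elems_out)
{
    word_t ssize = len / 2 * 3 + 1;   /* can already wrap at the "* 3" step */
    *elems_out = ssize;
    return ssize * SOP_SIZE;           /* and can wrap again here */
}

/* 1 if the unchecked computation asks malloc() for fewer bytes than the
 * element count implies: later writes are bounded by p->ssize, not by the
 * bytes actually allocated, which is the heap overflow condition. */
int unchecked_undersizes(word_t len)
{
    word_t elems;
    word_t bytes = strip_bytes_unchecked(len, &elems);
    return bytes / SOP_SIZE != elems;
}

/* Checked version: each intermediate is bounded before it is computed.
 * Returns the byte count to allocate, or 0 where regcomp() should fail with
 * REG_ESPACE instead (0 is never a valid result because ssize >= 1). */
word_t strip_bytes_checked(word_t len)
{
    word_t half = len / 2;
    if (half > (WORD_MAX - 1) / 3)     /* half * 3 + 1 would exceed WORD_MAX */
        return 0;
    word_t ssize = half * 3 + 1;
    if (ssize > WORD_MAX / SOP_SIZE)   /* ssize * sizeof(sop) would wrap */
        return 0;
    return ssize * SOP_SIZE;
}

int main(void)
{
    /* constructed pattern lengths: small, last safe value, first unsafe
     * value, and a length whose product wraps almost to zero */
    word_t lens[] = { 100u, 0x2AAAAAA8u, 0x2AAAAAAAu, 0x80000000u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        word_t elems;
        word_t bytes = strip_bytes_unchecked(lens[i], &elems);
        printf("len=0x%08" PRIx32 "  unchecked: ssize=0x%08" PRIx32
               " malloc(0x%08" PRIx32 ")%s  checked: %s\n",
               lens[i], elems, bytes,
               unchecked_undersizes(lens[i]) ? " UNDERSIZED" : "",
               strip_bytes_checked(lens[i]) ? "allocate" : "REG_ESPACE");
    }
    return 0;
}
```

Because the model uses uint32_t explicitly, the program shows the same wrap on a 64-bit host; in a real 32-bit build the bounds would be written against SIZE_MAX and sizeof(sop) directly. The checked variant bounds the "* 3" step and the "* sizeof(sop)" step separately, since the first safe limit (len just under 0x2AAAAAAA) is reached by the second multiplication long before the first one wraps.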

Comment 15 Remi Collet 2015-04-09 06:16:34 UTC
And PHP bug #69248

Comment 19 errata-xmlrpc 2015-06-04 08:03:48 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html

Comment 20 errata-xmlrpc 2015-06-04 08:07:12 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html

Comment 24 Tomas Hoger 2016-02-02 19:22:13 UTC
This patch was applied to MySQL to address this issue:

https://github.com/mysql/mysql-server/commit/dc45e408250c582eb532417a42cef5b5a8e2fe77

The fix was applied in versions 5.5.45 and 5.6.26.

  The Spencer regex library used for the REGEXP operator could be subject
  to heap overflow in some circumstances. (Bug #20642505)

http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-26.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-45.html

It cannot be ruled out that Oracle assigned a different, duplicate CVE to the fix for this issue in MySQL as part of the Oct 2015 CPU.

MariaDB picked up the MySQL fix in version 5.5.45:

https://github.com/MariaDB/server/commit/dc45e408250c582eb532417a42cef5b5a8e2fe77

MariaDB 10.0 and later no longer use Henry Spencer's regex library; MariaDB switched to PCRE in version 10.0.5:

https://mariadb.com/kb/en/mariadb/pcre/