Bug 1256449

Summary: CVE-2015-8381 pcre: Heap Overflow in compile_regex()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adam.stokes, andrew, carnil, erik-fedora, lkundrak, ppisar, sardella, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-22 21:28:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1256452, 1256453, 1256454    
Bug Blocks: 1250945    

Description Adam Mariš 2015-08-24 15:22:51 UTC
Another heap overflow in PCRE (similar to 1250943) was found.
Taken from https://bugs.exim.org/show_bug.cgi?id=1672 :

"""
Latest version of PCRE is prone to a Heap Overflow vulnerability which could caused by the following regular expression.

/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/

A dry run of this particular regular expression with pcretest will reports "double free or corruption (!prev)".
But it is actually a heap overflow problem.
It is a similar problem as https://bugs.exim.org/show_bug.cgi?id=1667 discussed.

Following test is conveyed with svn updated version of pcre,
Here is the memory layout of re(its size is 248) just before the second compile_regexp():
==============================================================
(gdb) x/256b 0x1f8a8a0
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a8a8:      0x00    0x00    0x00    0x00    0x00    0x04    0x00    0x00
0x1f8a8b0:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a8b8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8c0:      0x00    0x00    0x40    0x00    0x04    0x00    0x05    0x00
0x1f8a8c8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8d0:      0x50    0xaf    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a8d8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8e0:      0x00    0x02    0x52    0x00    0x00    0x04    0x52    0x00
0x1f8a8e8:      0x00    0x05    0x52    0x00    0x00    0x03    0x52    0x00
0x1f8a8f0:      0x00    0x01    0x52    0x00    0x00    0x00    0x00    0x00
0x1f8a8f8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a900:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a908:      0xc0    0x91    0x34    0xf7    0xff    0x7f    0x00    0x00
0x1f8a910:      0xff    0xff    0xff    0xff    0x00    0x00    0x00    0x00
0x1f8a918:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a920:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a928:      0x80    0xa9    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a930:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a938:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a940:      0x90    0xa9    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a948:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a950:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a958:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a960:      0xff    0xff    0xff    0xff    0x00    0x00    0x00    0x00
0x1f8a968:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a970:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a978:      0xa0    0x76    0x34    0xf7    0xff    0x7f    0x00    0x00
0x1f8a980:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a988:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a990:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00]
0x1f8a998:      0x41    0x01    0x00    0x00    0x00    0x00    0x00    0x00
==============================================================

After the second compile_regexp:

==============================================================
(gdb) x/192b 0x1f8a8a0
0x1f8a8a0:     [0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a8a8:      0x00    0x00    0x00    0x00    0x00    0x04    0x00    0x00
0x1f8a8b0:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a8b8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8c0:      0x00    0x00    0x40    0x00    0x04    0x00    0x05    0x00
0x1f8a8c8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8d0:      0x50    0xaf    0xf8    0x01    0x00    0x00    0x00    0x00
0x1f8a8d8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8e0:      0x00    0x02    0x52    0x00    0x00    0x04    0x52    0x00
0x1f8a8e8:      0x00    0x05    0x52    0x00    0x00    0x03    0x52    0x00
0x1f8a8f0:      0x00    0x01    0x52    0x00    0x83    0x00    0xa6    0x83
0x1f8a8f8:      0x00    0xa0    0x83    0x00    0x8d    0x81    0x00    0x87
0x1f8a900:      0x85    0x00    0x81    0x00    0x01    0x1d    0x3a    0x83
0x1f8a908:      0x00    0x56    0x85    0x00    0x05    0x00    0x02    0x78
0x1f8a910:      0x00    0x05    0x81    0x00    0x48    0x85    0x00    0x42
0x1f8a918:      0x00    0x03    0x18    0x83    0x00    0x1e    0x85    0x00
0x1f8a920:      0x05    0x00    0x04    0x78    0x00    0x05    0x81    0x00
0x1f8a928:      0x10    0x85    0x00    0x0a    0x00    0x05    0x73    0x00
0x1f8a930:      0x00    0x00    0x05    0x78    0x00    0x0a    0x78    0x00
0x1f8a938:      0x10    0x77    0x00    0x13    0x85    0x00    0x0d    0x00
0x1f8a940:      0x04    0x85    0x00    0x05    0x00    0x05    0x78    0x00
0x1f8a948:      0x05    0x78    0x00    0x0d    0x78    0x00    0x31    0x1d
0x1f8a950:      0x6b    0x1d    0x27    0x1d    0x52    0x1d    0x27    0x78
0x1f8a958:      0x00    0x42    0x78    0x00    0x48    0x77    0x00    0x13
0x1f8a960:      0x85    0x00    0x0d    0x00    0x02    0x85    0x00    0x05
0x1f8a968:      0x00    0x03    0x78    0x00    0x05    0x78    0x00    0x0d
0x1f8a970:      0x78    0x00    0x69    0x1d    0x48    0x1d    0x27    0x1d
0x1f8a978:      0x41    0x1d    0x6b    0x1d    0x27    0x1d    0x52    0x1d
0x1f8a980:      0x66    0x78    0x00    0x81    0x78    0x00    0x87    0x77
0x1f8a988:      0x00    0x0d    0x1d    0x73    0x85    0x00    0x05    0x00
0x1f8a990:      0x01    0x78    0x00    0x05    0x78    0x00    0x9a    0x78]
0x1f8a998:      0x00    0xa0    0x78    0x00    0xa6    0x00    0x00    0x00
==============================================================
At least 5 more bytes are written to the heap.
"""

CVE request:

http://www.openwall.com/lists/oss-security/2015/08/24/1

Upstream patch:

http://vcs.pcre.org/pcre?view=revision&revision=1594

Comment 1 Adam Mariš 2015-08-24 15:25:29 UTC
Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1256452]

Comment 2 Adam Mariš 2015-08-24 15:25:31 UTC
Created mingw-pcre tracking bugs for this issue:

Affects: fedora-all [bug 1256453]
Affects: epel-7 [bug 1256454]

Comment 3 Stefan Cornelius 2015-08-24 15:54:40 UTC
Statement:

(none)

Comment 4 Fedora Update System 2015-08-25 13:18:43 UTC
pcre-8.37-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14229

Comment 5 Fedora Update System 2015-08-25 13:25:43 UTC
pcre-8.37-4.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14235

Comment 6 Fedora Update System 2015-08-25 13:41:36 UTC
pcre-8.35-14.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14242

Comment 7 Fedora Update System 2015-08-26 04:25:12 UTC
pcre-8.37-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14229

Comment 8 Fedora Update System 2015-08-26 17:24:43 UTC
pcre-8.35-14.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14242

Comment 9 Fedora Update System 2015-08-26 17:27:19 UTC
pcre-8.37-4.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14235

Comment 10 Fedora Update System 2015-08-27 17:56:56 UTC
pcre-8.37-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-09-11 17:22:52 UTC
pcre-8.37-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-09-11 18:48:44 UTC
pcre-8.35-14.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Tomas Hoger 2016-02-22 21:28:36 UTC

*** This bug has been marked as a duplicate of bug 1287711 ***