Bug 1285413 (CVE-2015-8380)

Summary: CVE-2015-8380 pcre: OOB write when pcre_exec() is called with ovecsize of 1 (8.38/10)
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
CC: carnil, jorton, lkundrak, mmaslano, ppisar, rcollet, rmeggins, sardella, slawomir, webstack-team
Keywords: Security
Severity: unspecified
Priority: unspecified
Version: unspecified
Hardware: All
OS: Linux
Fixed In Version: pcre 8.38
Doc Type: Bug Fix
Last Closed: 2016-02-18 11:14:54 UTC
Bug Depends On: 1285415
Bug Blocks: 1287727
Attachments:
  Upstream fix (flags: none)
  Fix ported to Fedora 22's 8.37 version (flags: none)

Description Adam Mariš 2015-11-25 14:44:22 UTC
A heap-based buffer overflow vulnerability was found in pcre_exec, causing a crash.

Upstream bug (contains reproducer):

https://bugs.exim.org/show_bug.cgi?id=1637

Upstream patch:

http://vcs.pcre.org/pcre?view=revision&revision=1565

CVE request:

http://seclists.org/oss-sec/2015/q4/363

Comment 1 Adam Mariš 2015-11-25 14:45:05 UTC
Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1285415]

Comment 2 Petr Pisar 2015-11-25 16:53:22 UTC
Upstream fixed it in 8.38 version.

The reproducer is passing the output of "printf '//\n\\O1\n'" to pcretest under valgrind.

Comment 3 Petr Pisar 2015-11-26 07:09:24 UTC
Created attachment 1099151 [details]
Upstream fix

Comment 4 Petr Pisar 2015-11-26 07:24:08 UTC
Created attachment 1099152 [details]
Fix ported to Fedora 22's 8.37 version

Comment 5 Fedora Update System 2015-11-26 20:55:46 UTC
pcre-8.38-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-12-12 01:55:06 UTC
pcre-8.37-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Tomas Hoger 2016-02-18 11:14:54 UTC
I can reproduce the OOB write starting with upstream version 8.31.  The actual problematic code was introduced earlier, in version 8.13, in this commit:

http://vcs.pcre.org/pcre?view=revision&revision=615

I have not tried to investigate why the OOB write is not reproducible in versions 8.13 - 8.30.

I do not think this should be considered a security flaw.  This problem is not triggered by a malicious pattern or malicious input, but by incorrect arguments passed to pcre_exec().  The function accepts the following arguments among others:

   ovector      Points to a vector of ints for result offsets
   ovecsize     Number of elements in the vector (a multiple of 3)

The pcretest tool allows specifying ovecsize using \O on the data line.  It does not ensure the value specified is actually a multiple of 3, and allows ovecsize 1, which triggers this problem.  So the fix applied in r1565 seems to add a safeguard against incorrect use of the PCRE API.
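The comment above describes the contract a pcre_exec() caller must honour: ovecsize is the number of ints in ovector and must be a multiple of 3, and pcretest's \O escape is what let the value 1 through. The following is an added example, not code from this bug report, from pcretest or from the PCRE library: a small set of caller-side helpers that compute the ovector size a pattern needs, reject sizes that violate the contract (including the reproducer's \O1), and interpret a pcre_exec() return value. It relies only on what the pcreapi documentation states (a pattern with C capture groups needs (C + 1) * 3 ints; a return of 0 means the vector was too small and only the first two-thirds was used; a negative return is a PCRE_ERROR_* code). It deliberately does not link against libpcre so it compiles stand-alone; the function names and the `rc` value modelled in main() are this example's own, not PCRE identifiers.

```c
/*
 * Added example (not from the bug report or from PCRE itself): caller-side
 * guards for the pcre_exec() ovector/ovecsize contract quoted in Comment 7.
 *
 * Facts taken from the pcreapi documentation:
 *   - ovecsize must be a multiple of 3; only the first two-thirds of the
 *     vector carries offsets, the last third is workspace for pcre_exec().
 *   - pcre_exec() returns N > 0 when pairs 0..N-1 were set, 0 when the
 *     vector was too small (only the first ovecsize/3 pairs are set), and
 *     a negative PCRE_ERROR_* code otherwise.
 *   - a pattern with C capture groups needs (C + 1) * 3 ints.
 *
 * Nothing here links against libpcre. In real code these checks run before
 * pcre_exec(re, extra, subject, len, 0, 0, ovector, ovecsize).
 */
#include <stdio.h>
#include <stdlib.h>

/* Number of ints a pattern with capture_count groups needs; -1 if invalid. */
int ovecsize_for_captures(int capture_count)
{
    if (capture_count < 0)
        return -1;
    return (capture_count + 1) * 3;
}

/*
 * Reject what pcretest's "\O" escape lets through unchecked: non-positive
 * sizes and sizes that are not a multiple of 3 (such as \O1 in the
 * reproducer). Returns 1 when ovecsize satisfies the API contract.
 */
int ovecsize_is_valid(int ovecsize)
{
    return ovecsize >= 3 && ovecsize % 3 == 0;
}

/*
 * Interpret a pcre_exec() return value as the number of (start, end) pairs
 * in ovector that may be read. Errors (rc < 0) yield 0 readable pairs.
 */
int usable_pairs(int rc, int ovecsize)
{
    if (rc < 0)
        return 0;            /* PCRE_ERROR_*: no offsets are valid */
    if (rc == 0)
        return ovecsize / 3; /* too small: filled up to two-thirds */
    return rc;               /* pairs 0..rc-1 were set */
}

/* Allocate a zeroed ovector for capture_count groups; NULL on bad input. */
int *alloc_ovector(int capture_count, int *ovecsize_out)
{
    int size = ovecsize_for_captures(capture_count);
    if (!ovecsize_is_valid(size))
        return NULL;
    *ovecsize_out = size;
    return calloc((size_t)size, sizeof(int));
}

int main(void)
{
    /* Constructed sizes: the reproducer's \O1, another bad one, two good. */
    int sizes[] = { 1, 2, 3, 30 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("ovecsize %2d: %s\n", sizes[i],
               ovecsize_is_valid(sizes[i]) ? "ok" : "reject (API misuse)");

    int ovecsize = 0;
    int *ovector = alloc_ovector(2, &ovecsize); /* pattern with 2 groups */
    if (ovector) {
        printf("2 capture groups -> ovecsize %d\n", ovecsize);
        /* A real pcre_exec() call would go here; rc = 0 models "too small". */
        int rc = 0;
        printf("rc=%d with ovecsize %d -> %d usable pairs\n",
               rc, ovecsize, usable_pairs(rc, ovecsize));
        free(ovector);
    }
    return 0;
}
```

The point of the guard is the one Comment 7 makes: the upstream fix hardens pcre_exec() against a misuse, but a correct caller never passes a size like 1 in the first place. Sizing the vector from pcre_fullinfo(..., PCRE_INFO_CAPTURECOUNT, ...) and rejecting anything that is not a positive multiple of 3 keeps the library's internal assumptions intact on versions that predate r1565.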