Bug 1311503 (CVE-2016-3191)

Summary: CVE-2016-3191 pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adam.stokes, andrew, carnil, csutherl, databases-maint, dknox, erik-fedora, fedora-mingw, fedora, fidencio, jclere, jdornak, jdoyle, jgrulich, jorton, klember, lgao, lkundrak, marcandre.lureau, mbabacek, mclasen, mmaslano, myarboro, pmyers, ppisar, pslavice, rcollet, rjones, rmeggins, rsvoboda, sardella, slawomir, twalsh, walters, webstack-team, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pcre 8.39, pcre2 10.22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-23 14:02:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1330490, 1330491, 1330494, 1330508, 1330509    
Bug Blocks: 1295388    

Description Tomas Hoger 2016-02-24 11:42:04 UTC 
ZDI reported a stack-based buffer overflow in pcre and pcre2.  ZDI-CAN-3542 id is used to identify the issue.

https://bugs.exim.org/show_bug.cgi?id=1791

  PCRE does not validate that handling the (*ACCEPT) verb will occur within
  the bounds of the cworkspace stack buffer, leading to a stack buffer overflow.

Fixed upstream in pcre and pcre2 via the following commits:

http://vcs.pcre.org/pcre?view=revision&revision=1631
http://vcs.pcre.org/pcre2?view=revision&revision=489

Issue is triggered by the following pattern:

/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/

PCRE 8.00 seems to be the first affected version.
Comment 1 Tomas Hoger 2016-02-24 12:06:41 UTC 
The above fix was already applied to Fedora pcre and pcre2 packages.
Comment 2 Andrej Nemec 2016-03-18 10:27:24 UTC 
CVE assigned by Mitre today, via CVENEW.
Comment 6 errata-xmlrpc 2016-05-11 13:08:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1025 https://rhn.redhat.com/errata/RHSA-2016-1025.html
Comment 7 errata-xmlrpc 2016-05-26 08:36:55 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1132 https://access.redhat.com/errata/RHSA-2016:1132