Bug 1425365 (CVE-2017-6004)

Summary: CVE-2017-6004 pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adam.stokes, andrew, csutherl, databases-maint, dmoppert, erik-fedora, fedora-mingw, fedora, fidencio, gzaronik, hhorak, jclere, jdoyle, jgrulich, jorton, klember, lgao, lkundrak, marcandre.lureau, mbabacek, mclasen, mmuzila, mschorm, mturk, myarboro, pmyers, ppisar, pslavice, rcollet, rjones, rsvoboda, sardella, scorneli, twalsh, walters, webstack-team, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pcre 8.41 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:07:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1425391, 1425392, 1425393, 1425394, 1425395, 1425396    
Bug Blocks: 1425368, 1439436    

Description Adam Mariš 2017-02-21 09:39:48 UTC 
The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

Upstream patch:

https://vcs.pcre.org/pcre?view=revision&revision=1680

Upstream bug:

https://bugs.exim.org/show_bug.cgi?id=2035
Comment 1 Adam Mariš 2017-02-21 10:28:57 UTC 
Created glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1425394]


Created mingw-glib2 tracking bugs for this issue:

Affects: epel-7 [bug 1425392]
Affects: fedora-all [bug 1425396]


Created mingw-pcre tracking bugs for this issue:

Affects: epel-7 [bug 1425393]
Affects: fedora-all [bug 1425391]


Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1425395]
Comment 2 Richard W.M. Jones 2017-02-21 11:29:14 UTC 
virt-p2v (an ISO that we ship in RHEL 7) contains an embedded
copy of pcre.

However it does NOT call pcre_jit_compile explicitly.  Do you know
if this function can be called implicitly (eg from pcre_compile,
which virt-p2v does call)?
Comment 3 Petr Pisar 2017-02-21 13:58:13 UTC 
PCRE does not use JIT by default. An application must request JIT explicitly by calling pcre_study() (pcre16_study() or pcre32_study()) with some of PCRE_STUDY_JIT_* values in the second parameter.
Comment 4 Fedora Update System 2017-02-22 17:52:06 UTC 
pcre-8.40-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Stefan Cornelius 2017-08-25 12:58:23 UTC 
This issue affects the versions of rh-php70-php as shipped with Red Hat Software Collections 2.4 for Red Hat Enterprise Linux 6. This issue does not affect the versions of rh-php70-php as shipped with Red Hat Software Collections 2.4 for Red Hat Enterprise Linux 7.
Comment 12 errata-xmlrpc 2018-08-16 16:08:16 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486