Bug 166334

Summary: CAN-2005-2491 PCRE heap overflow
Product: Red Hat Enterprise Linux 2.1
Component: php
Version: 2.1
Reporter: Mark J. Cox <mjc>
Assignee: Joe Orton <jorton>
QA Contact: David Lawrence <dkl>
CC: leonard-rh-bugzilla, unixlabs
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-09-21 12:03:32 UTC
Bug Blocks: 430638

Description Mark J. Cox 2005-08-19 11:56:11 UTC
+++ This bug was initially created as a clone of Bug #166330 +++

PCRE 6.2 was released recently which included a fix for a heap buffer overflow.
PCRE is used by things such as Apache but only for configuration (therefore
making an exploit low severity).  A number of packages also include PCRE code
internally, I'll be adding separate bugs for those that contain PCRE and do not
use system PCRE later.

Changelog states:

1. There was no test for integer overflow of quantifier values. A construction
such as {1111111111111111} would give undefined results. What is worse, if
a minimum quantifier for a parenthesized subpattern overflowed and became
negative, the calculation of the memory size went wrong. This could have led to
memory overwriting.

A minimal diff of the flaw is attached, the full 6.2 to 6.1 diff contains other
fixes that might be worth incorporating and a test for this flaw.


Although PHP in RHEL3 and RHEL4 definitely uses the system pcre library, the one
in RHEL2.1 seemed to use the internal version.  This needs confirming and
determining if there is a security context from this flaw.
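
The changelog entry above describes two steps: the digits of a {n} quantifier are accumulated with no overflow check, so a 16-digit count wraps to a negative int, and a size calculation then consumes that negative value. The C program below is an added illustration written for this bug report; it is not PCRE's code and not the attached diff. parse_count_unchecked models the unchecked accumulation, parse_count_checked is the kind of bound the fix introduces (MAX_REPEAT is PCRE's documented 65535 limit for quantifiers), and estimate_compiled_size is a modelled size sum whose exact form is an assumption, used only to show how a negative minimum drives the estimate below what one copy of the group needs.

```c
#include <stdint.h>
#include <stdio.h>

/* PCRE documents 65535 as the largest number allowed in a {n,m} quantifier;
   the hardened parser below enforces it as its bound. */
#define MAX_REPEAT 65535

/*
 * Unchecked parse of the digits of a {n} quantifier: the digits are accumulated
 * into a 32-bit value with no range check, as the pre-6.2 code did in spirit.
 * This is a model written for this bug report, not PCRE's own read_repeat_counts().
 * On mainstream compilers the uint32 -> int32 conversion wraps, so the
 * changelog's 16-digit count comes back negative.
 */
static int parse_count_unchecked(const char *p, const char **end)
{
    uint32_t v = 0;
    while (*p >= '0' && *p <= '9')
        v = v * 10u + (uint32_t)(*p++ - '0');   /* wraps silently past 2^32-1 */
    *end = p;
    return (int32_t)v;                          /* may be negative */
}

/*
 * Hardened parse: before each multiply-add, check that the running value cannot
 * exceed MAX_REPEAT, so the overflow is refused rather than detected after the
 * fact. Returns -1 and sets *end to NULL for a count that is too large.
 */
static int parse_count_checked(const char *p, const char **end)
{
    int v = 0;
    while (*p >= '0' && *p <= '9') {
        int d = *p++ - '0';
        /* v*10 + d <= MAX_REPEAT  <=>  v <= (MAX_REPEAT - d) / 10 */
        if (v > (MAX_REPEAT - d) / 10) {
            *end = NULL;
            return -1;                          /* "number too big in {} quantifier" */
        }
        v = v * 10 + d;
    }
    *end = p;
    return v;
}

/*
 * Modelled size estimate for "(group){min}": one copy of the group is already
 * counted in base_len and min-1 further copies are added. Fed a negative min
 * the estimate shrinks below base_len instead of growing, so a buffer sized
 * from it is too small for what the emitter later writes. This arithmetic is
 * an assumption for illustration; PCRE's real computation differs in detail.
 */
static long long estimate_compiled_size(int min_repeat, int group_len, int base_len)
{
    return (long long)base_len + (long long)(min_repeat - 1) * group_len;
}

/* Stand-alone demonstration using the changelog's own construction. */
int main(void)
{
    const char *digits = "1111111111111111}";   /* the digits of {1111111111111111} */
    const char *end;

    int bad = parse_count_unchecked(digits, &end);
    printf("unchecked: min = %d (negative: %s)\n", bad, bad < 0 ? "yes" : "no");
    printf("unchecked size estimate, 5-byte group, base 10: %lld\n",
           estimate_compiled_size(bad, 5, 10));

    int good = parse_count_checked(digits, &end);
    printf("checked:   %s\n", good < 0 ? "rejected, number too big" : "accepted");

    good = parse_count_checked("3}", &end);
    printf("checked {3}: min = %d, size estimate = %lld\n",
           good, estimate_compiled_size(good, 5, 10));
    return 0;
}
```

The point to carry over to other parsers is the order of operations in parse_count_checked: the bound is tested before the multiply-add that would overflow, because once a signed accumulator has wrapped there is no reliable way to detect it afterwards.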

Comment 1 sauron 2005-08-24 04:52:43 UTC
unixlabs

Comment 2 Joe Orton 2005-08-24 12:17:55 UTC
It does affect the pcre library bundled in the RHEL2.1 php, but only in a manner
such that the script author can crash the interpreter (untrusted user input
should not be passed as a regex); downgrading to normal severity.

Comment 3 Joe Orton 2005-09-21 12:03:32 UTC
This problem is resolved in the errata updates for Red Hat Enterprise Linux 3
and 4.  Red Hat does not currently plan to provide a resolution for this in a
Red Hat Enterprise Linux 2.1 update for currently deployed systems.

Comment 4 Leonard den Ottolander 2005-11-11 13:21:14 UTC
May I inquire as to why you don't fix an issue that is an obvious DoS and for
which I assume patches are available?


Comment 5 Mark J. Cox 2005-11-11 13:34:41 UTC
Due to comment #2, that untrusted data should never be passed to a regexp -
otherwise only the script author can cause their PHP script to crash.