Bug 1735494 (CVE-2019-20454)

Summary: CVE-2019-20454 pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adam.stokes, andrew, caillon+fedoraproject, csutherl, databases-maint, erik-fedora, extras-orphan, fedora, fidencio, gecko-bugs-nobody, gnome-sig, gzaronik, hhorak, jclere, jdoyle, jgrulich, jhorak, john.j5live, jorton, jwon, kasal, klember, krathod, lgao, lkundrak, manisandro, marcandre.lureau, mbabacek, mclasen, mmuzila, mschorm, mturk, myarboro, pjindal, ppisar, pslavice, rcollet, rh-spice-bugs, rhughes, rjones, rschiron, rstrode, rsvoboda, sandmann, security-response-team, stransky, thoger, tiagomatos, twalsh, walters, webstack-team, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pcre 10.34
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in PCRE when the pattern "\X" is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to crash the application.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-08 13:18:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1734468, 1803176, 1803177, 1803178, 1803179, 1803180, 1803181, 1803199, 1857708
Bug Blocks: 1735495

Description Pedro Sampaio 2019-08-01 01:28:16 UTC
A flaw was found in libpcre. A buffer overread in JIT mode when \X is used in non-UTF mode may cause an application crash and denial of service. The flaw is in the function do_extuni_no_utf() in pcre2_jit_compile.c, which uses the macro GETCHARINC to read a character. However, if there is an invalid UTF character, the value read is too big, which causes an out-of-bounds read in the next statement while executing the macro UCD_GRAPHBREAK.

References:

https://bugs.exim.org/show_bug.cgi?id=2421
https://bugzilla.redhat.com/show_bug.cgi?id=1734468

Upstream patch:

http://git.php.net/?p=php-src.git;a=commitdiff;h=8947fd9e9fdce87cd6c59817b1db58e789538fe9

Comment 1 Petr Pisar 2019-08-01 09:05:37 UTC
(In reply to Pedro Sampaio from comment #0)
> Upstream patch:
> 
> http://git.php.net/?p=php-src.git;a=commitdiff;
> h=8947fd9e9fdce87cd6c59817b1db58e789538fe9

PHP is not upstream of PCRE2.

Upstream's fix is at <https://vcs.pcre.org/pcre2?view=revision&revision=1092>. Tests are added in <https://vcs.pcre.org/pcre2?view=revision&revision=1091>.

Moreover, this bug hardly can be embargoed as it was publicly reported to upstream on 2019-07-28 and the fix is publicly available since 2019-05-13.

Comment 2 Joshua Padman 2019-08-12 02:29:41 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Enterprise Web Server 2
 * Red Hat JBoss Web Server 3 
 * Red Hat JBoss Core Services

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 4 Riccardo Schirone 2020-02-14 10:59:04 UTC
The flaw can be triggered only when JIT and non-UTF-8 mode are used.

Comment 5 Riccardo Schirone 2020-02-14 11:02:29 UTC
PHP in RHEL 8 sets pcre.jit=0 in /etc/php.ini by default, so unless the user changes that setting, the flaw cannot be triggered.

Comment 6 Riccardo Schirone 2020-02-14 11:04:49 UTC
Only php:7.3/php in RHEL 8 is affected by this flaw, while php:7.2/php is not because it embeds an older version of pcre, which does not contain the vulnerable code.

Comment 7 Petr Pisar 2020-02-14 11:45:25 UTC
There is already a pcre2 RHEL-8 bug #1734468 for this issue. If you are going to make a vulnerability bug for the RHEL-8 pcre2 component, please reuse that bug report.

Comment 8 Riccardo Schirone 2020-02-14 12:55:27 UTC
The flaw can be triggered when pattern \X is jit-compiled (e.g. with pcre2_jit_compile) and then it is matched (e.g. with pcre2_match) against particular subjects when in non-UTF mode. Option PCRE2_JIT_COMPLETE shall be passed to pcre2_jit_compile. Assuming the pattern is hard-coded in an application, an attacker just needs control over the subject to trigger the flaw, which would cause a crash in the application.
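
The preconditions listed in comments 5 and 8 (unfixed PCRE2 below 10.34, JIT enabled, non-UTF mode, a pattern containing \X) can be turned into a small audit check. The script below is an added example written for this page; it is not code from this tracker, from PCRE2, PHP or Red Hat. It assumes a version string in the form PCRE2 prints it ("PCRE2 version 10.32 ..." or a bare "10.32"), php.ini semantics where ";" starts a comment, the last assignment wins and an absent pcre.jit key means PHP's built-in default (enabled), and the usual ini falsy values ("0", "off", "false", "no", "none", empty). The sample php.ini fragment and pattern list are constructed.

```python
"""Audit helper: does a deployment meet the conditions described in the
tracker for CVE-2019-20454? Added example, not code from the page or the
PCRE2/PHP projects; assumptions are marked in the comments below."""
import re
from typing import List, Optional, Tuple

# "Fixed In Version: pcre 10.34" from the tracker; anything older is
# treated as unfixed by this audit.
FIXED_VERSION: Tuple[int, int] = (10, 34)

# Unescaped \X: an odd number of backslashes before the X, so a literal
# "\\X" (escaped backslash followed by X) is not counted.
_EXTUNI = re.compile(r"(?<!\\)(?:\\\\)*\\X")

# Constructed sample of a php.ini fragment (assumption: mirrors the
# pcre.jit=0 default mentioned in comment 5; not the real RHEL 8 file).
SAMPLE_PHP_INI = """\
[Pcre]
;PCRE library backtracking limit.
;pcre.backtrack_limit=100000
pcre.jit=0
"""

# Constructed pattern list for the demo.
SAMPLE_PATTERNS = [r"^\X+$", r"[a-z]+", r"\\X"]


def parse_pcre2_version(text: str) -> Optional[Tuple[int, int]]:
    """Pull MAJOR.MINOR out of text such as "PCRE2 version 10.32 2018-09-10"
    (pcre2test -C style) or a bare "10.32" (pcre2-config --version style)."""
    m = re.search(r"\b(\d+)\.(\d+)\b", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def pcre2_is_fixed(version_text: str) -> bool:
    """True when the library is at or above the tracker's fixed version."""
    v = parse_pcre2_version(version_text)
    return v is not None and v >= FIXED_VERSION


def php_pcre_jit_enabled(ini_text: str) -> bool:
    """Read pcre.jit from php.ini text (assumed semantics: ';' comments,
    last assignment wins, absent key means PHP's default of enabled)."""
    enabled = True
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"pcre\.jit\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'").lower()
            enabled = value not in ("", "0", "off", "false", "no", "none")
    return enabled


def pattern_uses_extuni(pattern: str) -> bool:
    """True if the pattern contains an unescaped \\X (extended grapheme)."""
    return _EXTUNI.search(pattern) is not None


def assess(version_text: str, jit_enabled: bool, utf_mode: bool,
           patterns: List[str]) -> List[str]:
    """Return the patterns that meet all of the tracker's preconditions:
    unfixed PCRE2, JIT on, non-UTF mode, \\X in the pattern. An empty list
    means at least one precondition is absent (fixed library, JIT off, or
    UTF mode), which is the mitigated state."""
    if pcre2_is_fixed(version_text) or not jit_enabled or utf_mode:
        return []
    return [p for p in patterns if pattern_uses_extuni(p)]


def main() -> None:
    jit = php_pcre_jit_enabled(SAMPLE_PHP_INI)
    for version in ("PCRE2 version 10.32 2018-09-10", "10.34"):
        exposed = assess(version, True, False, SAMPLE_PATTERNS)
        print(f"{version!r}: jit_on=True utf=False -> exposed patterns {exposed}")
    print(f"sample php.ini: pcre.jit enabled = {jit} -> exposed patterns "
          f"{assess('10.32', jit, False, SAMPLE_PATTERNS)}")


if __name__ == "__main__":
    main()
```

Run it directly to see the three outcomes side by side: the old library with JIT on and no UTF flags the \X pattern only, the 10.34 library flags nothing, and the sample php.ini with pcre.jit=0 flags nothing even on the old library, which is the mitigation comment 5 relies on.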

Comment 11 Riccardo Schirone 2020-02-14 15:43:12 UTC
Created glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1803178]


Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1803179]


Created mingw-pcre tracking bugs for this issue:

Affects: fedora-all [bug 1803177]


Created mingw-pcre2 tracking bugs for this issue:

Affects: fedora-all [bug 1803181]


Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1803176]


Created pcre2 tracking bugs for this issue:

Affects: fedora-all [bug 1803180]

Comment 12 Riccardo Schirone 2020-02-14 16:18:24 UTC
rh-php73-php as shipped in Red Hat Software Collections 3.4 ships php-7.3.11 right now, which already fixes this flaw.
This flaw in php is fixed since php-7.3.8.

Comment 14 Petr Pisar 2020-02-17 15:09:09 UTC
(In reply to Riccardo Schirone from comment #11) 
> Created pcre tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1803176]
> 
Can you explain to me how the "pcre" (do not confuse with "pcre2") component is affected? In my opinion it is not.

Comment 15 Riccardo Schirone 2020-02-17 15:21:42 UTC
In reply to comment #14:
> (In reply to Riccardo Schirone from comment #11) 
> > Created pcre tracking bugs for this issue:
> > 
> > Affects: fedora-all [bug 1803176]
> > 
> Can you explain to me how the "pcre" (do not confuse with "pcre2") component is
> affected? In my opinion it is not.

Please close the bug as NOTABUG then. We do not check all packages in Fedora and we often create trackers to let the maintainers know about the possible issue. They should know whether that applies to their packages or not and they can quickly close the opened bug if it does not apply, such as in this case probably.

Comment 18 errata-xmlrpc 2020-09-08 09:46:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662

Comment 19 Product Security DevOps Team 2020-09-08 13:18:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20454

Comment 20 errata-xmlrpc 2020-11-04 01:49:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4539 https://access.redhat.com/errata/RHSA-2020:4539