Bug 452079 (CVE-2008-2371)

Summary: CVE-2008-2371 pcre: heap overflow caused by incorrect option handling
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kasal, mclasen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-07 15:05:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 453555, 453556, 453557, 453559, 453560, 453561    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch none

Description Tomas Hoger 2008-06-19 08:04:22 UTC
Tavis Ormandy of the Google Security team reported a heap overflow issue
affecting PCRE:

The problem is that when an option is specified at the start of a pattern, to
avoid compiling it unnecessarily into the bytecode it's passed back up to the
caller as if it was specified via pcre_compile() options, i.e. /(?i)a|b/ ==
/a|b/i, and as the latter is somewhat easier to handle, they're made equivalent.
This usually works, but when a pattern contains multiple branches, the new
option is accidentally passed back too far, so when there are multiple branches,
only the first gets the new flag, however on the second compile pass the new
flag is always set, resulting in a mismatch between the size-calculation pass
and the actual compilation pass. The result is pcre overflowing a heap buffer.

Comment 1 Tomas Hoger 2008-06-19 08:05:52 UTC
Tavis' proposed patch:

 --- pcre_compile.c~     2008-06-12 16:55:22.860930000 +0200
 +++ pcre_compile.c      2008-06-12 16:54:53.647168000 +0200
 @@ -4931,7 +4931,7 @@
                (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
             {
             cd->external_options = newoptions;
 +            options = *optionsptr = newoptions;
 -            options = newoptions;
             }
          else
             {


Comment 3 Tomas Hoger 2008-06-19 08:07:58 UTC
This issue did not affect the versions of pcre as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

This issue only affects pcre 7.x versions, so all current Fedora versions are
affected.

Comment 7 Fedora Update System 2008-07-03 03:14:30 UTC
glib2-2.14.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-07-03 03:16:34 UTC
glib2-2.16.4-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-07-06 06:11:36 UTC
pcre-7.3-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-07-06 06:11:44 UTC
pcre-7.3-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Tomas Hoger 2008-07-15 12:22:52 UTC
Created attachment 311810 [details]
Upstream patch

Comment 15 Tomas Hoger 2008-07-15 12:24:33 UTC
Upstream patch in comment #14 applied upstream in SVN r360:

  http://vcs.pcre.org/viewvc?view=rev&revision=360