Bug 1285413 (CVE-2015-8380) - CVE-2015-8380 pcre: OOB write when pcre_exec() is called with ovecsize of 1 (8.38/10)
Summary: CVE-2015-8380 pcre: OOB write when pcre_exec() is called with ovecsize of 1 (...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-8380
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1285415
Blocks: 1287727
Reported: 2015-11-25 14:44 UTC by Adam Mariš
Modified: 2019-09-29 13:40 UTC (History)

Fixed In Version: pcre 8.38
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-18 11:14:54 UTC
Embargoed:


Attachments
Upstream fix (2.26 KB, patch)
2015-11-26 07:09 UTC, Petr Pisar
Fix ported to Fedora 22's 8.37 version (1.85 KB, patch)
2015-11-26 07:24 UTC, Petr Pisar

Description Adam Mariš 2015-11-25 14:44:22 UTC
A heap-based buffer overflow vulnerability was found in pcre_exec, causing a crash.

Upstream bug (contains reproducer):

https://bugs.exim.org/show_bug.cgi?id=1637

Upstream patch:

http://vcs.pcre.org/pcre?view=revision&revision=1565

CVE request:

http://seclists.org/oss-sec/2015/q4/363

Comment 1 Adam Mariš 2015-11-25 14:45:05 UTC
Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1285415]

Comment 2 Petr Pisar 2015-11-25 16:53:22 UTC
Upstream fixed it in 8.38 version.

The reproducer is passing the output of "printf '//\n\\O1\n'" to pcretest under valgrind.

Comment 3 Petr Pisar 2015-11-26 07:09:24 UTC
Created attachment 1099151 [details]
Upstream fix

Comment 4 Petr Pisar 2015-11-26 07:24:08 UTC
Created attachment 1099152 [details]
Fix ported to Fedora 22's 8.37 version

Comment 5 Fedora Update System 2015-11-26 20:55:46 UTC
pcre-8.38-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-12-12 01:55:06 UTC
pcre-8.37-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Tomas Hoger 2016-02-18 11:14:54 UTC
I can reproduce the OOB write starting with upstream version 8.31. The actual problematic code was introduced earlier, in version 8.13, in this commit:

http://vcs.pcre.org/pcre?view=revision&revision=615

I have not tried to investigate why the OOB write is not reproducible in versions 8.13 - 8.30.

I do not think this should be considered a security flaw.  This problem is not triggered by a malicious pattern or malicious input, but by incorrect arguments passed to pcre_exec().  The function accepts the following arguments among others:

   ovector      Points to a vector of ints for result offsets
   ovecsize     Number of elements in the vector (a multiple of 3)

The pcretest tool allows specifying ovecsize using \O on the data line. It does not ensure the value specified is actually a multiple of 3, and allows ovecsize 1, which triggers this problem. So the fix applied in r1565 seems to add a safeguard against incorrect use of the PCRE API.
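Added illustration of the API contract Comment 7 describes (this is not part of the bug report or of the PCRE project's code): calling pcre_exec() from Python through ctypes with ovector sized from the pattern's capture count, so ovecsize is always a multiple of 3 and is checked before the call. It assumes a PCRE 8.x runtime library is installed; the helper names ovecsize_for, valid_ovecsize and match are the example's own.

```python
"""Call pcre_exec() from a PCRE 8.x runtime with ovector sized as the API requires."""
from ctypes import CDLL, CFUNCTYPE, POINTER, byref, c_char_p, c_int, c_void_p, cast
from ctypes.util import find_library

# Assumption: a PCRE 8.x runtime is installed (libpcre.so.3 on Debian-style
# systems, libpcre.so.1 on Fedora-style systems).
_pcre = CDLL(find_library("pcre") or "libpcre.so.3")
_pcre.pcre_compile.restype = c_void_p
_pcre.pcre_compile.argtypes = [c_char_p, c_int, POINTER(c_char_p), POINTER(c_int), c_void_p]
_pcre.pcre_fullinfo.argtypes = [c_void_p, c_void_p, c_int, c_void_p]
_pcre.pcre_exec.argtypes = [c_void_p, c_void_p, c_char_p, c_int, c_int, c_int,
                            POINTER(c_int), c_int]
# pcre_free is an exported function pointer variable: read it, then cast it.
_pcre_free = cast(c_void_p.in_dll(_pcre, "pcre_free"), CFUNCTYPE(None, c_void_p))
PCRE_INFO_CAPTURECOUNT = 2  # value from pcre.h

def ovecsize_for(capture_count):
    """Two offsets per group (group 0 included) plus one third that pcre_exec()
    uses as workspace, hence always a multiple of 3."""
    return 3 * (capture_count + 1)

def valid_ovecsize(ovecsize):
    """The contract that pcretest's \\O1 data line violated."""
    return ovecsize >= 0 and ovecsize % 3 == 0

def match(pattern, subject):
    """Return [(start, end), ...] for group 0 up to the highest group that took
    part in the match, or None when the subject does not match."""
    err, erroff = c_char_p(), c_int()
    code = _pcre.pcre_compile(pattern.encode(), 0, byref(err), byref(erroff), None)
    if not code:
        raise ValueError("pcre_compile: %s at %d" % (err.value.decode(), erroff.value))
    try:
        count = c_int()
        _pcre.pcre_fullinfo(code, None, PCRE_INFO_CAPTURECOUNT, byref(count))
        ovecsize = ovecsize_for(count.value)
        if not valid_ovecsize(ovecsize):  # never hand pcre_exec() a bad size
            raise ValueError("ovecsize %d is not a multiple of 3" % ovecsize)
        ovector = (c_int * ovecsize)()
        subj = subject.encode()
        rc = _pcre.pcre_exec(code, None, subj, len(subj), 0, 0, ovector, ovecsize)
        if rc == -1:
            return None  # PCRE_ERROR_NOMATCH
        if rc <= 0:
            raise RuntimeError("pcre_exec error %d" % rc)  # 0 would mean ovector too small
        return [(ovector[2 * i], ovector[2 * i + 1]) for i in range(rc)]
    finally:
        _pcre_free(code)
```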

