Bug 166334 - CAN-2005-2491 PCRE heap overflow
CAN-2005-2491 PCRE heap overflow
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: php (Show other bugs)
2.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
David Lawrence
:
Depends On:
Blocks: CVE-2005-2491
  Show dependency treegraph
 
Reported: 2005-08-19 07:56 EDT by Mark J. Cox (Product Security)
Modified: 2008-01-29 04:40 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-21 08:03:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2005-08-19 07:56:11 EDT
+++ This bug was initially created as a clone of Bug #166330 +++

PCRE 6.2 was released recently which included a fix for a heap buffer overflow.
 PCRE is used by things such as Apache but only for configuration (therefore
making an exploit low severity).  A number of packages also include PCRE code
internally, I'll be adding separate bugs for those that contain PCRE and do not
use system PCRE later.

Changelog states:

1. There was no test for integer overflow of quantifier values. A construction
such as {1111111111111111} would give undefined results. What is worse, if
a minimum quantifier for a parenthesized subpattern overflowed and became
negative, the calculation of the memory size went wrong. This  could have led to
memory overwriting.

A minimal diff of the flaw is attached, the full 6.2 to 6.1 diff contains other
fixes that might be worth incorporating and a test for this flaw.


Although PHP in RHEL3 and RHEL4 definately uses the system pcre library, the one
in RHEL2.1 seemed to use the internal version.  This needs confirming and
determining if there is a security context from this flaw.
Comment 1 sauron 2005-08-24 00:52:43 EDT
unixlabs@noos.fr
Comment 2 Joe Orton 2005-08-24 08:17:55 EDT
It does affect the pcre library bundled in the RHEL2.1 php, but only in a manner
such that the script author can crash the interpreter (untrusted user input
should not be passed as a regex); downgrading to normal severity.
Comment 3 Joe Orton 2005-09-21 08:03:32 EDT
This problem is resolved in the errata updates for Red Hat Enterprise Linux 3
and 4.  Red Hat does not currently plan to provide a resolution for this in a
Red Hat Enterprise Linux 2.1 update for currently deployed systems.
Comment 4 Leonard den Ottolander 2005-11-11 08:21:14 EST
May I inquire as to why you don't fix an issue that is an obvious DOS and for
which I assume patches are available?
Comment 5 Mark J. Cox (Product Security) 2005-11-11 08:34:41 EST
Due to comment #2, that untrusted data should never be passed to a regexp -
otherwise only the script author can cause their PHP script to cras.

Note You need to log in before you can comment on or make changes to this bug.