Bug 1735494 (CVE-2019-20454) - CVE-2019-20454 pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode
Summary: CVE-2019-20454 pcre: Out of bounds read in JIT mode when \X is used in non-UT...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-20454
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1734468 1803176 1803177 1803178 1803179 1803180 1803181 1803199 1857708
Blocks: 1735495
TreeView+ depends on / blocked
 
Reported: 2019-08-01 01:28 UTC by Pedro Sampaio
Modified: 2020-11-04 01:49 UTC (History)
52 users (show)

Fixed In Version: pcre 10.34
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in PCRE when the pattern "\X" is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to crash the application.
Clone Of:
Environment:
Last Closed: 2020-09-08 13:18:10 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3662 0 None None None 2020-09-08 09:46:13 UTC
Red Hat Product Errata RHSA-2020:4539 0 None None None 2020-11-04 01:49:23 UTC

Description Pedro Sampaio 2019-08-01 01:28:16 UTC 
A flaw was found in libpcre. A buffer overread in JIT mode when \X is used in non-UTF mode may cause application crash and denial of service. The flaw is in function do_extuni_no_utf() in pcre2_jit_compile.c, which uses the macro GETCHARINC to read a character. However, in case there is an invalid UTF character the value read is too big, which causes an out-of-bounds read in the next statement, while executing macro UCD_GRAPHBREAK.

References:

https://bugs.exim.org/show_bug.cgi?id=2421
https://bugzilla.redhat.com/show_bug.cgi?id=1734468

Upstream patch:

http://git.php.net/?p=php-src.git;a=commitdiff;h=8947fd9e9fdce87cd6c59817b1db58e789538fe9
Comment 1 Petr Pisar 2019-08-01 09:05:37 UTC 
(In reply to Pedro Sampaio from comment #0)
> Upstream patch:
> 
> http://git.php.net/?p=php-src.git;a=commitdiff;
> h=8947fd9e9fdce87cd6c59817b1db58e789538fe9

PHP is not upstream of PCRE2.

Upstream's fix is at <https://vcs.pcre.org/pcre2?view=revision&revision=1092>. Tests are added in <https://vcs.pcre.org/pcre2?view=revision&revision=1091>.

Moreover, this bug hardly can be embargoed as it was publicly reported to upstream on 2019-07-28 and the fix is publicly available since 2019-05-13.
Comment 2 Joshua Padman 2019-08-12 02:29:41 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Enterprise Web Server 2
 * Red Hat JBoss Web Server 3 
 * Red Hat JBoss Core Services

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 4 Riccardo Schirone 2020-02-14 10:59:04 UTC 
The flaw can be triggered only when JIT and non-UTF-8 mode is used.
Comment 5 Riccardo Schirone 2020-02-14 11:02:29 UTC 
PHP in RHEL 8 sets pcre.jit=0 in /etc/php.ini by default, so unless the user changes that setting, the flaw cannot be triggered.
Comment 6 Riccardo Schirone 2020-02-14 11:04:49 UTC 
Only php:7.3/php in RHEL 8 is affected by this flaw, while php:7.2/php is not because it embeds an older version of pcre, which does not contain the vulnerable code.
Comment 7 Petr Pisar 2020-02-14 11:45:25 UTC 
There is already a pcre2 RHEL-8 bug #1734468 for this issue. If you are going make a bug vulnerability bug for RHEL-8 pcre2 component, please reuse that bug report.
Comment 8 Riccardo Schirone 2020-02-14 12:55:27 UTC 
The flaw can be triggered when pattern \X is jit-compiled (e.g. with pcre2_jit_compile) and then it is matched (e.g. with pcre2_match) against particular subjects when in non-UTF mode. Option PCRE2_JIT_COMPLETE shall be passed to pcre2_jit_compile. Assuming the pattern is hard-coded in an application, an attacker just needs control over the subject to trigger the flaw, which would cause a crash in the application.
Comment 11 Riccardo Schirone 2020-02-14 15:43:12 UTC 
Created glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1803178]


Created mingw-glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1803179]


Created mingw-pcre tracking bugs for this issue:

Affects: fedora-all [bug 1803177]


Created mingw-pcre2 tracking bugs for this issue:

Affects: fedora-all [bug 1803181]


Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1803176]


Created pcre2 tracking bugs for this issue:

Affects: fedora-all [bug 1803180]
Comment 12 Riccardo Schirone 2020-02-14 16:18:24 UTC 
rh-php73-php as shipped in Red Hat Software Collections 3.4 ships php-7.3.11 right now, which already fixes this flaw.
This flaw in php is fixed since php-7.3.8.
Comment 14 Petr Pisar 2020-02-17 15:09:09 UTC 
(In reply to Riccardo Schirone from comment #11) 
> Created pcre tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1803176]
> 
Can you explain me how "pcre" (do not confuse with "pcre2") component is affected? In my opinion it is not.
Comment 15 Riccardo Schirone 2020-02-17 15:21:42 UTC 
In reply to comment #14:
> (In reply to Riccardo Schirone from comment #11) 
> > Created pcre tracking bugs for this issue:
> > 
> > Affects: fedora-all [bug 1803176]
> > 
> Can you explain me how "pcre" (do not confuse with "pcre2") component is
> affected? In my opinion it is not.

Please close the bug as NOTABUG then. We do not check all packages in Fedora and we often create trackers to let the maintainers know about the possible issue. They should know whether that applies to their packages or not and they can quickly close the opened bug if it does not apply, such as in this case probably.
Comment 18 errata-xmlrpc 2020-09-08 09:46:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662
Comment 19 Product Security DevOps Team 2020-09-08 13:18:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20454
Comment 20 errata-xmlrpc 2020-11-04 01:49:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4539 https://access.redhat.com/errata/RHSA-2020:4539
Note You need to log in before you can comment on or make changes to this bug.