Bug 452079 - (CVE-2008-2371) CVE-2008-2371 pcre: heap overflow caused by incorrect option handling
CVE-2008-2371 pcre: heap overflow caused by incorrect option handling
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20080613,pu...
: Security
Depends On: 453555 453556 453557 453559 453560 453561
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-19 04:04 EDT by Tomas Hoger
Modified: 2008-07-15 08:24 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-07 11:05:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Upstream patch (2.03 KB, patch)
2008-07-15 08:22 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-06-19 04:04:22 EDT
Tavis Ormandy of the Google Security team reported a heap overflow issue
affecting PCRE:

The problem is that when an option is specified at the start of a pattern, to
avoid compiling it unnecessarily into the bytecode it's passed back up to the
caller as if it was specified via pcre_compile() options, i.e. /(?i)a|b/ ==
/a|b/i, and as the latter is somewhat easier to handle, they're made equivalent.
This usually works, but when a pattern contains multiple branches, the new
option is accidentally passed back too far, so when there are multiple branches,
only the first gets the new flag, however on the second compile pass the new
flag is always set, resulting in a mismatch between the size-calculation pass
and the actual compilation pass. The result is pcre overflowing a heap buffer.
Comment 1 Tomas Hoger 2008-06-19 04:05:52 EDT
Tavis' proposed patch:

 --- pcre_compile.c~     2008-06-12 16:55:22.860930000 +0200
 +++ pcre_compile.c      2008-06-12 16:54:53.647168000 +0200
 @@ -4931,7 +4931,7 @@
                (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
             {
             cd->external_options = newoptions;
 +            options = *optionsptr = newoptions;
 -            options = newoptions;
             }
          else
             {
Comment 3 Tomas Hoger 2008-06-19 04:07:58 EDT
This issue did not affect the versions of pcre as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

This issue only affects pcre 7.x versions, so all current Fedora versions are
affected.
Comment 7 Fedora Update System 2008-07-02 23:14:30 EDT
glib2-2.14.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-07-02 23:16:34 EDT
glib2-2.16.4-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-07-06 02:11:36 EDT
pcre-7.3-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-07-06 02:11:44 EDT
pcre-7.3-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Tomas Hoger 2008-07-15 08:22:52 EDT
Created attachment 311810 [details]
Upstream patch
Comment 15 Tomas Hoger 2008-07-15 08:24:33 EDT
Upstream patch in comment #14 applied upstream in SVN r360:

  http://vcs.pcre.org/viewvc?view=rev&revision=360

Note You need to log in before you can comment on or make changes to this bug.