Bug 452079 (CVE-2008-2371) - CVE-2008-2371 pcre: heap overflow caused by incorrect option handling
Summary: CVE-2008-2371 pcre: heap overflow caused by incorrect option handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-2371
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 453555 453556 453557 453559 453560 453561
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-19 08:04 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-07 15:05:23 UTC


Attachments (Terms of Use)
Upstream patch (2.03 KB, patch)
2008-07-15 12:22 UTC, Tomas Hoger
no flags Details | Diff

Description Tomas Hoger 2008-06-19 08:04:22 UTC
Tavis Ormandy of the Google Security team reported a heap overflow issue
affecting PCRE:

The problem is that when an option is specified at the start of a pattern, to
avoid compiling it unnecessarily into the bytecode it's passed back up to the
caller as if it was specified via pcre_compile() options, i.e. /(?i)a|b/ ==
/a|b/i, and as the latter is somewhat easier to handle, they're made equivalent.
This usually works, but when a pattern contains multiple branches, the new
option is accidentally passed back too far, so when there are multiple branches,
only the first gets the new flag, however on the second compile pass the new
flag is always set, resulting in a mismatch between the size-calculation pass
and the actual compilation pass. The result is pcre overflowing a heap buffer.

Comment 1 Tomas Hoger 2008-06-19 08:05:52 UTC
Tavis' proposed patch:

 --- pcre_compile.c~     2008-06-12 16:55:22.860930000 +0200
 +++ pcre_compile.c      2008-06-12 16:54:53.647168000 +0200
 @@ -4931,7 +4931,7 @@
                (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
             {
             cd->external_options = newoptions;
 +            options = *optionsptr = newoptions;
 -            options = newoptions;
             }
          else
             {


Comment 3 Tomas Hoger 2008-06-19 08:07:58 UTC
This issue did not affect the versions of pcre as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

This issue only affects pcre 7.x versions, so all current Fedora versions are
affected.

Comment 7 Fedora Update System 2008-07-03 03:14:30 UTC
glib2-2.14.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-07-03 03:16:34 UTC
glib2-2.16.4-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-07-06 06:11:36 UTC
pcre-7.3-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-07-06 06:11:44 UTC
pcre-7.3-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Tomas Hoger 2008-07-15 12:22:52 UTC
Created attachment 311810 [details]
Upstream patch

Comment 15 Tomas Hoger 2008-07-15 12:24:33 UTC
Upstream patch in comment #14 applied upstream in SVN r360:

  http://vcs.pcre.org/viewvc?view=rev&revision=360


Note You need to log in before you can comment on or make changes to this bug.