Bug 452079 (CVE-2008-2371) - CVE-2008-2371 pcre: heap overflow caused by incorrect option handling
Summary: CVE-2008-2371 pcre: heap overflow caused by incorrect option handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-2371
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 453555 453556 453557 453559 453560 453561
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-19 08:04 UTC by Tomas Hoger
Modified: 2021-11-12 19:50 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-07 15:05:23 UTC
Embargoed:

Attachments (Terms of Use)
Upstream patch (2.03 KB, patch)
2008-07-15 12:22 UTC, Tomas Hoger 		no flags Details | Diff
View All

Description Tomas Hoger 2008-06-19 08:04:22 UTC 
Tavis Ormandy of the Google Security team reported a heap overflow issue
affecting PCRE:

The problem is that when an option is specified at the start of a pattern, to
avoid compiling it unnecessarily into the bytecode it's passed back up to the
caller as if it was specified via pcre_compile() options, i.e. /(?i)a|b/ ==
/a|b/i, and as the latter is somewhat easier to handle, they're made equivalent.
This usually works, but when a pattern contains multiple branches, the new
option is accidentally passed back too far, so when there are multiple branches,
only the first gets the new flag, however on the second compile pass the new
flag is always set, resulting in a mismatch between the size-calculation pass
and the actual compilation pass. The result is pcre overflowing a heap buffer.
Comment 1 Tomas Hoger 2008-06-19 08:05:52 UTC 
Tavis' proposed patch:

 --- pcre_compile.c~     2008-06-12 16:55:22.860930000 +0200
 +++ pcre_compile.c      2008-06-12 16:54:53.647168000 +0200
 @@ -4931,7 +4931,7 @@
                (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
             {
             cd->external_options = newoptions;
 +            options = *optionsptr = newoptions;
 -            options = newoptions;
             }
          else
             {
Comment 3 Tomas Hoger 2008-06-19 08:07:58 UTC 
This issue did not affect the versions of pcre as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

This issue only affects pcre 7.x versions, so all current Fedora versions are
affected.
Comment 4 Tomas Hoger 2008-07-01 06:41:17 UTC 
Public now via:

http://bugs.gentoo.org/show_bug.cgi?id=228091
http://bugs.gentoo.org/show_bug.cgi?id=230039
Comment 7 Fedora Update System 2008-07-03 03:14:30 UTC 
glib2-2.14.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-07-03 03:16:34 UTC 
glib2-2.16.4-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-07-06 06:11:36 UTC 
pcre-7.3-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-07-06 06:11:44 UTC 
pcre-7.3-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Red Hat Product Security 2008-07-07 15:05:23 UTC 
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6025
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6111
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6048
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6110
Comment 14 Tomas Hoger 2008-07-15 12:22:52 UTC 
Created attachment 311810 [details]
Upstream patch
Comment 15 Tomas Hoger 2008-07-15 12:24:33 UTC 
Upstream patch in comment #14 applied upstream in SVN r360:

  http://vcs.pcre.org/viewvc?view=rev&revision=360
Note You need to log in before you can comment on or make changes to this bug.