1285399 – (CVE-2015-2328) CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)

Bug 1285399 (CVE-2015-2328) - CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)

Summary: CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive refer...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-2328
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1128577 1285401 1330508 1330509
Blocks:	1285420
TreeView+	depends on / blocked

Reported:	2015-11-25 14:23 UTC by Adam Mariš
Modified:	2019-09-29 13:40 UTC (History)
CC List:	36 users (show)
Fixed In Version:	pcre 8.36
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-05-11 13:46:33 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1025	0	normal	SHIPPED_LIVE	Important: pcre security update	2016-05-11 17:07:01 UTC
Red Hat Product Errata	RHSA-2016:2750	0	normal	SHIPPED_LIVE	Moderate: rh-php56 security, bug fix, and enhancement update	2016-11-15 16:40:02 UTC

Description Adam Mariš 2015-11-25 14:23:41 UTC

A stack-based buffer overflow vulnerability was found in compile_regex(), triggered via crafted regular expression.

Upstream bug (contains reproducer):

https://bugs.exim.org/show_bug.cgi?id=1515

Upstream patch:

http://vcs.pcre.org/pcre?view=revision&revision=1498

CVE request:

http://www.openwall.com/lists/oss-security/2015/05/31/4

Comment 1 Adam Mariš 2015-11-25 14:25:21 UTC

Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1285401]

Comment 2 Petr Pisar 2015-11-25 16:11:20 UTC

Upstream fixed it in 8.36. Simple reproducer is crash when compiling /((?(R)a|(?1)))*/ expression.

Comment 3 Petr Pisar 2015-11-25 16:17:40 UTC

This has already been fixed as bug #1128577 in Fedora. No supported Fedora is affected since 2014-08-11.

Comment 4 Tomas Hoger 2016-02-17 21:45:08 UTC

This is not a stack based buffer overflow, but stack overflow, caused by infinite recursion.  The impact of this issue is limited to crash.

The problem was introduced upstream between version 8.12 and 8.13.

Comment 6 errata-xmlrpc 2016-05-11 13:07:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1025 https://rhn.redhat.com/errata/RHSA-2016-1025.html

Comment 7 errata-xmlrpc 2016-11-15 11:47:11 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html

Note You need to log in before you can comment on or make changes to this bug.

adam.stokes
andrew
carnil
csutherl
databases-maint
dknox
erik-fedora
fedora-mingw
fedora
fidencio
jclere
jdornak
jdoyle
jgrulich
jorton
klember
lgao
lkundrak
marcandre.lureau
mbabacek
mclasen
mmaslano
myarboro
pmyers
ppisar
pslavice
rcollet
rjones
rmeggins
rsvoboda
sardella
slawomir
twalsh
walters
webstack-team
weli