Bug 1425365 (CVE-2017-6004) - CVE-2017-6004 pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3)
Summary: CVE-2017-6004 pcre: Out-of-bounds read in compile_bracket_matchingpath functi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-6004
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1425391 1425392 1425393 1425394 1425395 1425396
Blocks: 1425368 1439436
TreeView+ depends on / blocked
 
Reported: 2017-02-21 09:39 UTC by Adam Mariš
Modified: 2020-12-15 15:22 UTC (History)
37 users (show)

Fixed In Version: pcre 8.41
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:07:56 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2486 0 None None None 2018-08-16 16:08:32 UTC

Description Adam Mariš 2017-02-21 09:39:48 UTC
The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

Upstream patch:

https://vcs.pcre.org/pcre?view=revision&revision=1680

Upstream bug:

https://bugs.exim.org/show_bug.cgi?id=2035

Comment 1 Adam Mariš 2017-02-21 10:28:57 UTC
Created glib2 tracking bugs for this issue:

Affects: fedora-all [bug 1425394]


Created mingw-glib2 tracking bugs for this issue:

Affects: epel-7 [bug 1425392]
Affects: fedora-all [bug 1425396]


Created mingw-pcre tracking bugs for this issue:

Affects: epel-7 [bug 1425393]
Affects: fedora-all [bug 1425391]


Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1425395]

Comment 2 Richard W.M. Jones 2017-02-21 11:29:14 UTC
virt-p2v (an ISO that we ship in RHEL 7) contains an embedded
copy of pcre.

However it does NOT call pcre_jit_compile explicitly.  Do you know
if this function can be called implicitly (eg from pcre_compile,
which virt-p2v does call)?

Comment 3 Petr Pisar 2017-02-21 13:58:13 UTC
PCRE does not use JIT by default. An application must request JIT explicitly by calling pcre_study() (pcre16_study() or pcre32_study()) with some of PCRE_STUDY_JIT_* values in the second parameter.

Comment 4 Fedora Update System 2017-02-22 17:52:06 UTC
pcre-8.40-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Stefan Cornelius 2017-08-25 12:58:23 UTC
This issue affects the versions of rh-php70-php as shipped with Red Hat Software Collections 2.4 for Red Hat Enterprise Linux 6. This issue does not affect the versions of rh-php70-php as shipped with Red Hat Software Collections 2.4 for Red Hat Enterprise Linux 7.

Comment 12 errata-xmlrpc 2018-08-16 16:08:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486


Note You need to log in before you can comment on or make changes to this bug.