PCRE library is prone to a vulnerability which leads to Heap Overflow. During the compilation of a malformed regular expression, more data is written on the malloced block than the expected size output by compile_regex. Exploits with advanced Heap Feng Shui techniques may allow an attacker to execute arbitrary code in the context of the user running the affected application.

Latest version of PCRE is prone to a Heap Overflow vulnerability which could be caused by the following regular expression:

/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/

Reference: https://bugs.exim.org/show_bug.cgi?id=1667
Created attachment 159717 [details]
security/vuxml for pcre <= 8.37_2

Document PCRE heap overflow vulnerability in '(?|' situations

PR:		202209
Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_2
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_3
0 problem(s) in the installed packages found.
Created attachment 159718 [details]
pcre-8.37_3.patch

I'm working on a patch for this based off applying http://vcs.pcre.org/pcre?view=revision&revision=1585

Here's the start of things pending further validation.

Log:
Apply upstream fixes for a buffer overflow issue

1585 Fix buffer overflow for named references in (?| situations.

Obtained from:	PCRE svn (r1585)
Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5
MFH:		2015Q3
Created attachment 159719 [details]
PCRE `make test` output

Since our port patches haven't carried the test case changes, I ran the following in an interactive Poudriere jail for a successful `make test`.

# Get 8.37 from PCRE SVN and apply each revision we have applied for security fixes
svnlite co -r 1554 svn://vcs.exim.org/pcre/code/trunk pcre
cd pcre/testdata/
for rev in 1555 1556 1557 1558 1559 1560 1562 1571 1585; do svnlite merge -c $rev .; done

# Start a build and replace the test cases with the corrected ones.
cd /usr/ports/devel/pcre
make extract
rm -r /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/testdata
cp -r /root/pcre/testdata /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/
make test
Created attachment 159720 [details]
Poudriere testport log from 10.1-RELEASE jail

Poudriere testport from 10.1-RELEASE jail attached. Build was also good on all supported releases and HEAD:

List:
9.3-RELEASE-p21 amd64
9.3-RELEASE-p21 i386
10.1-RELEASE-p16 amd64
10.1-RELEASE-p16 i386
10.2-RC2 amd64
10.2-RC2 i386
11.0-CURRENT r286208 amd64
11.0-CURRENT r286208 i386
Address PCRE heap overflow vulnerability reported last week on oss-security:
http://seclists.org/oss-sec/2015/q3/295

No CVE has been assigned for this just yet.

At runtime with pcretest, I can see that the output goes from an overflow to an unmatched parenthesis.

pcre-8.37_2
  re> /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
Failed: internal error: code overflow at offset 53

pcre-8.37_3
  re> /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
Failed: unmatched parentheses at offset 53
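The pcretest sessions above show why the fixed port is safe: the pattern is syntactically invalid, and a correct compiler reports the stray ')' at offset 53 instead of writing past the compiled-code buffer. The following is an added example, not code from this PR, from the pcre port, or from PCRE itself. It is a small pre-screen for untrusted patterns that reports the offset of the first unbalanced parenthesis (honouring backslash escapes such as \k'R', character classes and \Q...\E literal runs), and it reproduces the same offset 53 for the reported pattern. The names first_unbalanced_paren, screen and REPORTED_PATTERN are this example's own; the pattern itself is the one from the report.

```python
"""Pre-screen a PCRE-style pattern for unbalanced parentheses.

Added example, not part of the FreeBSD PR or of PCRE's own code.
A fixed PCRE rejects the reported pattern with "unmatched parentheses
at offset 53"; this scanner reproduces that offset so that a caller can
refuse obviously malformed patterns before they reach pcre_compile().
It is a syntactic filter only, not a substitute for upgrading libpcre.
"""


def first_unbalanced_paren(pattern: str):
    """Return (kind, offset) for the first unbalanced parenthesis, or None.

    kind is 'unmatched_close' for a ')' with no open partner and
    'unclosed_open' for a '(' that is never closed (offset of that '(').
    """
    stack = []                      # offsets of currently open '('
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':
            # \Q ... \E quotes everything literally until \E (or end of pattern)
            if pattern.startswith('\\Q', i):
                end = pattern.find('\\E', i + 2)
                i = n if end < 0 else end + 2
                continue
            i += 2                  # any other escape consumes the next char
            continue
        if c == '[':
            # Character class: a ']' directly after '[' or '[^' is literal,
            # and parentheses inside a class are ordinary characters.
            j = i + 1
            if j < n and pattern[j] == '^':
                j += 1
            if j < n and pattern[j] == ']':
                j += 1
            while j < n and pattern[j] != ']':
                j += 2 if pattern[j] == '\\' else 1
            i = j + 1
            continue
        if c == '(':
            stack.append(i)
        elif c == ')':
            if not stack:
                return ('unmatched_close', i)
            stack.pop()
        i += 1
    if stack:
        return ('unclosed_open', stack[0])
    return None


# The pattern from the report, i.e. the text between the slashes of the
# pcretest input (a raw string, so \k stays a backslash followed by k).
REPORTED_PATTERN = r"(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))"


def screen(pattern: str) -> str:
    """Verdict a wrapper could log before handing the pattern to PCRE."""
    problem = first_unbalanced_paren(pattern)
    if problem is None:
        return "ok"
    kind, offset = problem
    return f"reject: {kind} at offset {offset}"


if __name__ == "__main__":
    print(screen(REPORTED_PATTERN))   # reject: unmatched_close at offset 53
```

The offset convention matches pcretest's: offsets count from the first character after the opening slash, so the final ')' of the reported pattern is character 53 of 54. A screen like this only catches the parenthesis-imbalance class of malformed input; the actual fix is the r1585 patch applied in the pcre-8.37_3 port.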
A commit references this bug:

Author: junovitch
Date: Mon Aug 10 10:34:55 UTC 2015
New revision: 393854
URL: https://svnweb.freebsd.org/changeset/ports/393854

Log:
  Document PCRE heap overflow vulnerability in '(?|' situations

  PR:		202209
  Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5
  Approved by:	feld (mentor)

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: junovitch
Date: Mon Aug 10 22:13:20 UTC 2015
New revision: 393915
URL: https://svnweb.freebsd.org/changeset/ports/393915

Log:
  Apply upstream fixes for a buffer overflow issue

  1585 Fix buffer overflow for named references in (?| situations.

  PR:		202209
  Obtained from:	PCRE svn (r1585)
  Approved by:	ports-secteam (feld), feld (mentor)
  Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5
  MFH:		2015Q3

Changes:
  head/devel/pcre/Makefile
  head/devel/pcre/files/patch-r1585-buffer-overflow
A commit references this bug:

Author: junovitch
Date: Mon Aug 10 22:23:03 UTC 2015
New revision: 393917
URL: https://svnweb.freebsd.org/changeset/ports/393917

Log:
  MFH: r393915

  Apply upstream fixes for a buffer overflow issue

  1585 Fix buffer overflow for named references in (?| situations.

  PR:		202209
  Obtained from:	PCRE svn (r1585)
  Approved by:	ports-secteam (feld), feld (mentor)
  Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5

Changes:
_U  branches/2015Q3/
  branches/2015Q3/devel/pcre/Makefile
  branches/2015Q3/devel/pcre/files/patch-r1585-buffer-overflow
On hold pending VuXML correction to document the CVE assignment when it happens.
Assign to myself and set "in progress" pending VuXML correction to document the CVE assignment when it happens.
Close. If CVE assignment happens it can be documented at that time. After 6 weeks I don't see a reason to hold the PR open solely for that reason.