| Field | Value |
|---|---|
| Summary | devel/pcre: Heap Overflow Vulnerability in find_fixedlength (CVE-2015-5073) |
| Product | Ports & Packages |
| Reporter | Jason Unovitch <junovitch> |
| Component | Individual Port(s) |
| Assignee | Brendan Fabeny <bf> |
| Status | Closed FIXED |
| Severity | Affects Many People |
| CC | feld, ports-secteam |
| Priority | --- |
| Flags | bugzilla: maintainer-feedback? (bf) |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| Attachments | 158148, 158149, 158173 (see description) |
Description (Jason Unovitch, 2015-06-29 03:28:42 UTC)
Created attachment 158148 [details]
security/vuxml entry for pcre CVE-2015-5073

security/vuxml is ready to apply

==== Validation ====

```
# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_1
pcre-8.37_1 is vulnerable:
pcre -- Heap Overflow Vulnerability in find_fixedlength()
CVE: CVE-2015-5073
WWW: https://vuxml.FreeBSD.org/freebsd/8a1d0e63-1e07-11e5-b43d-002590263bf5.html

1 problem(s) in the installed packages found.
# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_2
0 problem(s) in the installed packages found.
# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml
```

Created attachment 158149 [details]
devel/pcre patch for CVE-2015-5073

This patch extends the previous file under files/patch-buffer-overflow. This introduces the one-line change for pcre_compile.c introduced upstream in: http://vcs.pcre.org/pcre?view=revision&revision=1571

Tentative commit message:

```
Apply upstream fixes for a buffer overflow issue:

1571 Fix buffer overflow for forward reference within backward assertion with excess closing parenthesis. Bugzilla 1651.

Obtained from: PCRE svn (revision detailed above)
MFH: 2015Q2
Security: 8a1d0e63-1e07-11e5-b43d-002590263bf5
Security: CVE-2015-5073
```

(In reply to Jason Unovitch from comment #2)

Please note, I have not done any runtime validation (yet) on the above submission. I am opening the PR for notification on the issue that I saw reported on oss-security as well as for peer review of the work so far.

I have yet to test run time as well as address the test cases mentioned before in delphij@'s commit r388777. I have only done build time testing on the following releases shown by trimmed output from my `poudriere jail -l` below. No actionable Poudriere related QA was reported.

```
8.4-RELEASE-p31 amd64
8.4-RELEASE-p31 i386
9.3-RELEASE-p17 amd64
9.3-RELEASE-p17 i386
10.1-RELEASE-p13 amd64
10.1-RELEASE-p13 i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
```

Created attachment 158173 [details]
test-suite.log plus results for pcre-8.37_2

Attached output from make test. The following steps were performed since, as mentioned in r388777, the test suite changes were not included in the port patch. I grabbed r1571 from upstream svn, reverted the non-security related test case changes that occurred between the 8.37 release and now, started a build of the port, updated the test cases, and ran the tests.
```sh
svnlite co -r 1571 svn://vcs.exim.org/pcre/code/trunk pcre
cd pcre/testdata/
svnlite log | less
svnlite merge -c -1563 .
svnlite merge -c -1566 .
svnlite merge -c -1565 .
svnlite merge -c -1569 .
cd /usr/ports/devel/pcre
make patch
rm -r /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/testdata
cp -r /root/pcre/testdata /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/
make test
```
Any feedback is appreciated.
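The `pkg audit` validation shown in the description (pcre-8.37_1 flagged, pcre-8.37_2 clean) comes down to matching an installed package version against the `<range>` bounds of a VuXML `<vuln>` entry. The following Python example is added here for illustration and is not code from pkg, the security/vuxml port, or anyone in this thread. It re-implements that check in simplified form: the VuXML fragment is constructed for the example (the real entry in attachment 158148 is not on this page; only the vid, topic, CVE id and the 8.37_2 fixed version are taken from the report), the `version[_revision][,epoch]` comparison is an assumption that covers numeric dot-separated components, `_revision` and `,epoch` only, and the report format mimics the `pkg audit` output quoted above.

```python
"""Simplified VuXML version-range check in the spirit of `pkg audit`.

Added example, not pkg's or security/vuxml's own code. The VuXML fragment
below is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample entry in VuXML layout (a real vuln.xml has more fields).
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="8a1d0e63-1e07-11e5-b43d-002590263bf5">
    <topic>pcre -- Heap Overflow Vulnerability in find_fixedlength()</topic>
    <affects>
      <package>
        <name>pcre</name>
        <range><lt>8.37_2</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2015-5073</cvename>
    </references>
  </vuln>
</vuxml>
"""


def _local(tag):
    """Strip the XML namespace prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """Split 'version[_revision][,epoch]' into (epoch, components, revision).

    Assumption: a simplified form of pkg's comparison. Digit runs compare
    numerically, letter runs lexicographically, digits sort below letters.
    """
    epoch = 0
    if "," in text:
        text, epoch_str = text.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in text:
        text, rev_str = text.rsplit("_", 1)
        revision = int(rev_str)
    components = []
    for part in text.split("."):
        for run in re.findall(r"\d+|[A-Za-z]+", part):
            components.append((0, int(run)) if run.isdigit() else (1, run))
    return epoch, components, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    width = max(len(ca), len(cb))
    ca = ca + [(0, 0)] * (width - len(ca))  # missing components count as 0
    cb = cb + [(0, 0)] * (width - len(cb))
    ka, kb = (ea, ca, ra), (eb, cb, rb)
    return (ka > kb) - (ka < kb)


# VuXML bound elements and the comparison result each one requires.
_BOUNDS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0,
    "gt": lambda c: c > 0, "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def version_in_range(version, range_el):
    """True when every bound element inside a <range> holds for version."""
    for bound in range_el:
        op = _local(bound.tag)
        if op in _BOUNDS and not _BOUNDS[op](compare_versions(version, bound.text.strip())):
            return False
    return True


def audit(vuxml_text, pkg_spec):
    """Return [(vid, topic, [cve, ...])] for entries affecting 'name-version'."""
    name, _, version = pkg_spec.rpartition("-")
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in (e for e in root.iter() if _local(e.tag) == "vuln"):
        affected = False
        for pkg in (e for e in vuln.iter() if _local(e.tag) == "package"):
            names = [n.text.strip() for n in pkg if _local(n.tag) == "name"]
            ranges = [r for r in pkg if _local(r.tag) == "range"]
            if name in names and any(version_in_range(version, r) for r in ranges):
                affected = True
        if affected:
            topic = next(e.text for e in vuln.iter() if _local(e.tag) == "topic")
            cves = [e.text for e in vuln.iter() if _local(e.tag) == "cvename"]
            hits.append((vuln.get("vid"), topic, cves))
    return hits


def report(vuxml_text, pkg_spec):
    """Render the result in the style of the pkg audit output quoted above."""
    hits = audit(vuxml_text, pkg_spec)
    lines = []
    for vid, topic, cves in hits:
        lines.append(f"{pkg_spec} is vulnerable:")
        lines.append(topic)
        lines.extend(f"CVE: {cve}" for cve in cves)
        lines.append(f"WWW: https://vuxml.FreeBSD.org/freebsd/{vid}.html")
        lines.append("")
    lines.append(f"{len(hits)} problem(s) in the installed packages found.")
    return "\n".join(lines)


if __name__ == "__main__":
    for spec in ("pcre-8.37_1", "pcre-8.37_2"):
        print(report(SAMPLE_VUXML, spec))
```

Running the block prints a one-problem report for pcre-8.37_1 and a zero-problem report for pcre-8.37_2, matching the validation output in the description. Note the `<lt>8.37_2</lt>` bound: a fix shipped as a port revision bump is only recognised because the comparison treats `_revision` as a component, which is why the vuxml entry has to name the exact PORTREVISION that carries the patch.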
Brendan/Xin, any comments, suggestions, or recommendations on a way ahead for this PCRE issue?

Ping. Any update?

A commit references this bug:

```
Author: feld
Date: Mon Jul 20 15:00:24 UTC 2015
New revision: 392576
URL: https://svnweb.freebsd.org/changeset/ports/392576

Log:
  Document PCRE buffer overflow

  PR:		201188
  Security:	CVE-2015-5073

Changes:
  head/security/vuxml/vuln.xml
```

(In reply to Jason Unovitch from comment #6)

The vuxml entry was never committed so it was never urgent. Debian has had this in TESTING for a month. I'm going to say the patch is safe.

http://metadata.ftp-master.debian.org/changelogs//main/p/pcre3/pcre3_8.35-7_changelog

(In reply to Jason Unovitch from comment #4)

*THANK YOU* for including the test cases. This is extremely valuable.

A commit references this bug:

```
Author: feld
Date: Mon Jul 20 15:22:34 UTC 2015
New revision: 392588
URL: https://svnweb.freebsd.org/changeset/ports/392588

Log:
  MFH: r392587

  Apply upstream fixes for a buffer overflow issue:

  1571 Fix buffer overflow for forward reference within backward assertion with excess closing parenthesis. Bugzilla 1651.

  Obtained from:	PCRE svn (r1571)
  Security:		8a1d0e63-1e07-11e5-b43d-002590263bf5
  Security:		CVE-2015-5073
  PR:			201188
  Approved by:		ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/devel/pcre/Makefile
  branches/2015Q3/devel/pcre/files/patch-CVE-2015-5073
```

Committed. I did not extend the existing patch-buffer-overflow but instead opted to put this change into its own patch file. Commit into the ports tree was 392587: https://svnweb.freebsd.org/ports?view=revision&revision=392587