| Summary: | devel/pcre: Heap Overflow Vulnerability (CVE TBD) |
|---|---|
| Product: | Ports & Packages |
| Reporter: | Jason Unovitch <junovitch> |
| Component: | Individual Port(s) |
| Assignee: | Jason Unovitch <junovitch> |
| Status: | Closed FIXED |
| Severity: | Affects Many People |
| CC: | junovitch, ports-secteam |
| Priority: | --- |
| Keywords: | security |
| Version: | Latest |
| Flags: | bugzilla: maintainer-feedback? (bf) |
| Hardware: | Any |
| OS: | Any |
Description
Jason Unovitch
2015-08-10 00:58:48 UTC

Created attachment 159717 [details]
security/vuxml for pcre <= 8.37_2

Document PCRE heap overflow vulnerability in '(?|' situations

PR: 202209
Security: ff0acfb4-3efa-11e5-93ad-002590263bf5

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml
% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_2
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html
1 problem(s) in the installed packages found.
% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_3
0 problem(s) in the installed packages found.

Created attachment 159718 [details]
pcre-8.37_3.patch

I'm working on a patch for this based on applying http://vcs.pcre.org/pcre?view=revision&revision=1585
Here's the start of things pending further validation.

Log:
Apply upstream fixes for a buffer overflow issue
1585 Fix buffer overflow for named references in (?| situations.
Obtained from: PCRE svn (r1585)
Security: ff0acfb4-3efa-11e5-93ad-002590263bf5
MFH: 2015Q3

Created attachment 159719 [details]
PCRE `make test` output
Since our port patches haven't carried the test case changes, I ran the following in an interactive Poudriere jail for a successful `make test`.
# Get 8.37 from PCRE SVN and apply each revision we have applied for security fixes
svnlite co -r 1554 svn://vcs.exim.org/pcre/code/trunk pcre
cd pcre/testdata/
for rev in 1555 1556 1557 1558 1559 1560 1562 1571 1585; do svnlite merge -c $rev .; done
# Start a build and replace the test cases with the corrected ones.
cd /usr/ports/devel/pcre
make extract
rm -r /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/testdata
cp -r /root/pcre/testdata /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/
make test
Created attachment 159720 [details]
Poudriere testport log from 10.1-RELEASE jail
Poudriere testport from 10.1-RELEASE jail attached. Build was also good on all supported releases and HEAD:
List:
9.3-RELEASE-p21 amd64
9.3-RELEASE-p21 i386
10.1-RELEASE-p16 amd64
10.1-RELEASE-p16 i386
10.2-RC2 amd64
10.2-RC2 i386
11.0-CURRENT r286208 amd64
11.0-CURRENT r286208 i386
Address PCRE heap overflow vulnerability reported last week on oss-security: http://seclists.org/oss-sec/2015/q3/295
No CVE has been assigned for this just yet.

At runtime with pcretest, I can see that the output goes from an overflow to an unmatched parenthesis.

pcre-8.37_2
re> /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
Failed: internal error: code overflow at offset 53

pcre-8.37_3
re> /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
Failed: unmatched parentheses at offset 53

A commit references this bug:

Author: junovitch
Date: Mon Aug 10 10:34:55 UTC 2015
New revision: 393854
URL: https://svnweb.freebsd.org/changeset/ports/393854

Log:
Document PCRE heap overflow vulnerability in '(?|' situations

PR: 202209
Security: ff0acfb4-3efa-11e5-93ad-002590263bf5
Approved by: feld (mentor)

Changes:
head/security/vuxml/vuln.xml

A commit references this bug:

Author: junovitch
Date: Mon Aug 10 22:13:20 UTC 2015
New revision: 393915
URL: https://svnweb.freebsd.org/changeset/ports/393915

Log:
Apply upstream fixes for a buffer overflow issue
1585 Fix buffer overflow for named references in (?| situations.

PR: 202209
Obtained from: PCRE svn (r1585)
Approved by: ports-secteam (feld), feld (mentor)
Security: ff0acfb4-3efa-11e5-93ad-002590263bf5
MFH: 2015Q3

Changes:
head/devel/pcre/Makefile
head/devel/pcre/files/patch-r1585-buffer-overflow

A commit references this bug:

Author: junovitch
Date: Mon Aug 10 22:23:03 UTC 2015
New revision: 393917
URL: https://svnweb.freebsd.org/changeset/ports/393917

Log:
MFH: r393915

Apply upstream fixes for a buffer overflow issue
1585 Fix buffer overflow for named references in (?| situations.

PR: 202209
Obtained from: PCRE svn (r1585)
Approved by: ports-secteam (feld), feld (mentor)
Security: ff0acfb4-3efa-11e5-93ad-002590263bf5

Changes:
_U branches/2015Q3/
branches/2015Q3/devel/pcre/Makefile
branches/2015Q3/devel/pcre/files/patch-r1585-buffer-overflow

On hold pending VuXML correction to document the CVE assignment when it happens.

Assign to myself and set "in progress" pending VuXML correction to document the CVE assignment when it happens.

Close. If CVE assignment happens it can be documented at that time. After 6 weeks I don't see a reason to hold the PR open solely for that reason.
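The pcretest transcript in the PR is the quickest way to tell a vulnerable libpcre from a fixed one: 8.37_2 reports "internal error: code overflow" (the compiled code already ran past the buffer PCRE had sized), while 8.37_3 with r1585 rejects the same pattern cleanly with "unmatched parentheses". The script below is an added example, not part of the PR or of the PCRE project; it feeds exactly that pattern to whatever pcretest(1) is installed and classifies the reply. The function names, the verdict strings and the exit-status convention are my own, and it assumes pcretest is on PATH (or is given as the first argument).

```shell
#!/bin/sh
# Added example (not from the FreeBSD PR or from PCRE): probe an installed
# pcretest with the pattern quoted in PR 202209 and classify the result.

# The exact pattern from the PR's pcretest transcript. A quoted heredoc
# delimiter keeps the single quotes and the backslash literal.
pcre_probe_pattern() {
    cat <<'EOF'
/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
EOF
}

# Map a pcretest transcript to one of: vulnerable, fixed, unknown.
#   "code overflow"          -> 8.37 without r1585 (overflow already happened)
#   "unmatched parentheses"  -> pattern rejected during parsing (r1585 applied)
# Anything else, including a crash that produced no "Failed:" line, is
# reported as unknown so a human looks at it rather than assuming it is safe.
classify_pcretest_output() {
    case "$1" in
        *"code overflow"*)         echo vulnerable ;;
        *"unmatched parentheses"*) echo fixed ;;
        *)                         echo unknown ;;
    esac
}

# Run the probe. Optional first argument: path to a specific pcretest binary.
# Exit status: 0 = fixed, 1 = vulnerable, 2 = unknown or no pcretest found.
check_installed_pcre() {
    bin="${1:-pcretest}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "unknown: $bin not found"
        return 2
    fi
    # pcretest reads patterns from stdin and prints a "Failed: ..." line for
    # a pattern it cannot compile, then exits at EOF.
    out=$(pcre_probe_pattern | "$bin" 2>&1)
    verdict=$(classify_pcretest_output "$out")
    detail=$(printf '%s\n' "$out" | grep -m1 'Failed:' || echo 'no Failed: line')
    echo "$verdict: $detail"
    case "$verdict" in
        fixed)      return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# When executed as a script: probe the system pcretest and report.
check_installed_pcre "$@"
rc=$?
echo "exit status $rc"
```

Run it as `sh check_pcre.sh` or `sh check_pcre.sh /usr/local/bin/pcretest`; a non-zero exit is deliberate so the probe can gate a build or a configuration-management run. Note that the "code overflow" message is PCRE noticing the overrun after the fact, so on a vulnerable build the probe itself triggers the heap write it is looking for: run it in a throwaway jail, not on a production host, and treat a crash (verdict "unknown") as a failure rather than a pass.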