Bug 201188 - devel/pcre: Heap Overflow Vulnerability in find_fixedlength (CVE-2015-5073)
Summary: devel/pcre: Heap Overflow Vulnerability in find_fixedlength (CVE-2015-5073)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Brendan Fabeny
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-29 03:28 UTC by Jason Unovitch
Modified: 2015-07-20 15:24 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (bf)


Attachments
security/vuxml entry for pcre CVE-2015-5073 (1.77 KB, patch)
2015-06-29 03:32 UTC, Jason Unovitch
no flags Details | Diff
devel/pcre patch for CVE-2015-5073 (1.04 KB, patch)
2015-06-29 03:39 UTC, Jason Unovitch
no flags Details | Diff
test-suite.log plus results for pcre-8.37_2 (10.12 KB, text/x-log)
2015-06-30 01:57 UTC, Jason Unovitch
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer 2015-06-29 03:28:42 UTC
Seen on:
http://openwall.com/lists/oss-security/2015/06/26/1

Also see upstream bug tracker:
https://bugs.exim.org/show_bug.cgi?id=1651
Comment 1 Jason Unovitch freebsd_committer 2015-06-29 03:32:19 UTC
Created attachment 158148 [details]
security/vuxml entry for pcre CVE-2015-5073

security/vuxml is ready to apply

==== Validation ====

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_1
pcre-8.37_1 is vulnerable:
pcre -- Heap Overflow Vulnerability in find_fixedlength()
CVE: CVE-2015-5073
WWW: https://vuxml.FreeBSD.org/freebsd/8a1d0e63-1e07-11e5-b43d-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_2
0 problem(s) in the installed packages found.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer 2015-06-29 03:39:00 UTC
Created attachment 158149 [details]
devel/pcre patch for CVE-2015-5073

This patch extends the previous file under files/patch-buffer-overflow.

This introduces the one line change for pcre_compile.c introduces upstream in:
http://vcs.pcre.org/pcre?view=revision&revision=1571

Tentative Commit message:

Apply upstream fixes for a buffer overflow issue:
1571 Fix buffer overflow for forward reference within backward assertion with excess closing parenthesis. Bugzilla 1651.

Obtained from: PCRE svn (revision detailed above)
MFH: 2015Q2
Security: 8a1d0e63-1e07-11e5-b43d-002590263bf5
Security: CVE-2015-5073
Comment 3 Jason Unovitch freebsd_committer 2015-06-29 04:02:39 UTC
(In reply to Jason Unovitch from comment #2)

Please note, I have not done any runtime validation (yet) on the above submission. I am opening the PR for notification on the issue that I saw reported on oss-security as well as peer review of the work so far.  I have yet to test run time as well as address the test cases mentioned before in delphij@'s commit r388777.

I have only done build time testing on the following releases shown by trimmed output from my `poudriere jail -l` below.  No actionable Poudriere related QA was reported.

8.4-RELEASE-p31      amd64
8.4-RELEASE-p31      i386
9.3-RELEASE-p17      amd64
9.3-RELEASE-p17      i386
10.1-RELEASE-p13     amd64
10.1-RELEASE-p13     i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Comment 4 Jason Unovitch freebsd_committer 2015-06-30 01:57:49 UTC
Created attachment 158173 [details]
test-suite.log plus results for pcre-8.37_2

Attach output from make test.  The following steps were performed since as mentioned in r388777 the test suite changes were not included in the port patch.  I grabbed r1571 from upstream svn, reverted the non-security related test case changess that occured between 8.37 release to now, started build of the port, updated the test cases, and ran the tests.

svnlite co -r 1571 svn://vcs.exim.org/pcre/code/trunk pcre
cd pcre/testdata/
svnlite log | less
svnlite merge -c -1563 .
svnlite merge -c -1566 .
svnlite merge -c -1565 .
svnlite merge -c -1569 .

cd /usr/ports/devel/pcre
make patch
rm -r /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/testdata
cp -r /root/pcre/testdata /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/
make test

Any feedback is appreciated.
Comment 5 Jason Unovitch freebsd_committer 2015-07-05 15:36:53 UTC
Brendan/Xin,
Any comments, suggestions, or recommendations on a way ahead for this PCRE issue?
Comment 6 Jason Unovitch freebsd_committer 2015-07-20 01:33:17 UTC
Ping. Any update?
Comment 7 commit-hook freebsd_committer 2015-07-20 15:01:01 UTC
A commit references this bug:

Author: feld
Date: Mon Jul 20 15:00:24 UTC 2015
New revision: 392576
URL: https://svnweb.freebsd.org/changeset/ports/392576

Log:
  Document PCRE buffer overflow

  PR:		201188
  Security:	CVE-2015-5073

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Mark Felder freebsd_committer 2015-07-20 15:08:14 UTC
(In reply to Jason Unovitch from comment #6)

The vuxml entry was never committed so it was never urgent.

Debian has had this in TESTING for a month. I'm going to say the patch is safe.

http://metadata.ftp-master.debian.org/changelogs//main/p/pcre3/pcre3_8.35-7_changelog
Comment 9 Mark Felder freebsd_committer 2015-07-20 15:09:45 UTC
(In reply to Jason Unovitch from comment #4)

*THANK YOU* for including the test cases. This is extremely valuable.
Comment 10 commit-hook freebsd_committer 2015-07-20 15:23:05 UTC
A commit references this bug:

Author: feld
Date: Mon Jul 20 15:22:34 UTC 2015
New revision: 392588
URL: https://svnweb.freebsd.org/changeset/ports/392588

Log:
  MFH: r392587

  Apply upstream fixes for a buffer overflow issue:
  1571 Fix buffer overflow for forward reference within backward assertion
  with excess closing parenthesis. Bugzilla 1651.

  Obtained from:	PCRE svn (r1571)
  Security:	8a1d0e63-1e07-11e5-b43d-002590263bf5
  Security:	CVE-2015-5073
  PR:		201188
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/devel/pcre/Makefile
  branches/2015Q3/devel/pcre/files/patch-CVE-2015-5073
Comment 11 Mark Felder freebsd_committer 2015-07-20 15:24:00 UTC
Committed. I did not extend the existing patch-buffer-overflow but instead opted to put this change into its own patch file.

Commit into the ports tree was 392587

https://svnweb.freebsd.org/ports?view=revision&revision=392587