Bug 202209 - devel/pcre: Heap Overflow Vulnerability (CVE TBD)
Summary: devel/pcre: Heap Overflow Vulnerability (CVE TBD)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Jason Unovitch
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2015-08-10 00:58 UTC by Jason Unovitch
Modified: 2015-09-23 02:52 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (bf)


Attachments
security/vuxml for pcre <= 8.37_2 (1.65 KB, patch)
2015-08-10 01:10 UTC, Jason Unovitch
no flags Details | Diff
pcre-8.37_3.patch (5.98 KB, patch)
2015-08-10 01:15 UTC, Jason Unovitch
no flags Details | Diff
PCRE `make test` output (10.07 KB, text/x-log)
2015-08-10 01:18 UTC, Jason Unovitch
no flags Details
Poudriere testport log from 10.1-RELEASE jail (46.89 KB, text/x-log)
2015-08-10 01:30 UTC, Jason Unovitch
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer 2015-08-10 00:58:48 UTC
PCRE library is prone to a vulnerability which leads to Heap Overflow.
During the compilation of a malformed regular expression, more data is
written on the malloced block than the expected size output by
compile_regex. Exploits with advanced Heap Fengshui techniques may allow an
attacker to execute arbitrary code in the context of the user running the
affected application.

Latest version of PCRE is prone to a Heap Overflow vulnerability which could caused by the following regular expression.

/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/

Reference:
https://bugs.exim.org/show_bug.cgi?id=1667
Comment 1 Jason Unovitch freebsd_committer 2015-08-10 01:10:08 UTC
Created attachment 159717 [details]
security/vuxml for pcre <= 8.37_2

Document PCRE heap overflow vulnerability in '(?|' situations

PR: 202209
Security: ff0acfb4-3efa-11e5-93ad-002590263bf5


% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_2
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pcre-8.37_3
0 problem(s) in the installed packages found.
Comment 2 Jason Unovitch freebsd_committer 2015-08-10 01:15:21 UTC
Created attachment 159718 [details]
pcre-8.37_3.patch

I'm working on a patch for this based off applying http://vcs.pcre.org/pcre?view=revision&revision=1585

Here's the start of things pending further validation.

Log:
Apply upstream fixes for a buffer overflow issue

1585 Fix buffer overflow for named references in (?| situations.

Obtained from:	PCRE svn (r1585)
Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5
MFH:		2015Q3
Comment 3 Jason Unovitch freebsd_committer 2015-08-10 01:18:55 UTC
Created attachment 159719 [details]
PCRE `make test` output

Since our port patches haven't carried the test case changes, I ran the following in an interactive Poudriere jail for a successful `make test`.

# Get 8.37 from PCRE SVN and apply each revision we have applied for security fixes
svnlite co -r 1554 svn://vcs.exim.org/pcre/code/trunk pcre
cd pcre/testdata/
for rev in 1555 1556 1557 1558 1559 1560 1562 1571 1585; do svnlite merge -c $rev .; done

# Start a build and replace the test cases with the corrected ones.
cd /usr/ports/devel/pcre
make extract
rm -r /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/testdata
cp -r /root/pcre/testdata /wrkdirs/usr/ports/devel/pcre/work/pcre-8.37/
make test
Comment 4 Jason Unovitch freebsd_committer 2015-08-10 01:30:14 UTC
Created attachment 159720 [details]
Poudriere testport log from 10.1-RELEASE jail

Poudriere testport from 10.1-RELEASE jail attached.  Build was also good on all supported releases and HEAD:

List:
9.3-RELEASE-p21      amd64
9.3-RELEASE-p21      i386
10.1-RELEASE-p16     amd64
10.1-RELEASE-p16     i386
10.2-RC2             amd64
10.2-RC2             i386
11.0-CURRENT r286208 amd64
11.0-CURRENT r286208 i386
Comment 5 Jason Unovitch freebsd_committer 2015-08-10 01:36:01 UTC
Address PCRE heap overflow vulnerability reported last week on oss-security:
http://seclists.org/oss-sec/2015/q3/295

No CVE has been assigned for this just yet.

At runtime with pcretest, I can see that the output goes from an overflow to an unmatched parenthesis.


pcre-8.37_2

  re> /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
Failed: internal error: code overflow at offset 53

pcre-8.37_3

  re> /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
Failed: unmatched parentheses at offset 53
Comment 6 commit-hook freebsd_committer 2015-08-10 10:35:09 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug 10 10:34:55 UTC 2015
New revision: 393854
URL: https://svnweb.freebsd.org/changeset/ports/393854

Log:
  Document PCRE heap overflow vulnerability in '(?|' situations

  PR:		202209
  Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5
  Approved by:	feld (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2015-08-10 22:14:21 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug 10 22:13:20 UTC 2015
New revision: 393915
URL: https://svnweb.freebsd.org/changeset/ports/393915

Log:
  Apply upstream fixes for a buffer overflow issue

  1585 Fix buffer overflow for named references in (?| situations.

  PR:		202209
  Obtained from:	PCRE svn (r1585)
  Approved by:	ports-secteam (feld), feld (mentor)
  Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5
  MFH:		2015Q3

Changes:
  head/devel/pcre/Makefile
  head/devel/pcre/files/patch-r1585-buffer-overflow
Comment 8 commit-hook freebsd_committer 2015-08-10 22:23:24 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug 10 22:23:03 UTC 2015
New revision: 393917
URL: https://svnweb.freebsd.org/changeset/ports/393917

Log:
  MFH: r393915

  Apply upstream fixes for a buffer overflow issue

  1585 Fix buffer overflow for named references in (?| situations.

  PR:		202209
  Obtained from:	PCRE svn (r1585)
  Approved by:	ports-secteam (feld), feld (mentor)
  Security:	ff0acfb4-3efa-11e5-93ad-002590263bf5

Changes:
_U  branches/2015Q3/
  branches/2015Q3/devel/pcre/Makefile
  branches/2015Q3/devel/pcre/files/patch-r1585-buffer-overflow
Comment 9 Jason Unovitch freebsd_committer 2015-08-10 22:26:51 UTC
On hold pending VuXML correction to document the CVE assignment when it happens.
Comment 10 Jason Unovitch freebsd_committer 2015-08-10 23:37:02 UTC
Assign to myself and set "in progress" pending VuXML correction to document the CVE assignment when it happens.
Comment 11 Jason Unovitch freebsd_committer 2015-09-23 02:52:18 UTC
Close.  If CVE assignment happens it can be documented at that time.  After 6 weeks I don't see a reason to hold the PR open solely for that reason.