Bug 922022

Summary: VUL-1: php5, php53: php's built-in regular expression (regex) library contains a heap overflow vulnerability
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: astieger, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
Whiteboard: maint:released:sle11-sp3:61841
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 921950

Description Andreas Stieger 2015-03-12 14:34:11 UTC
+++ This bug was initially created as a clone of Bug #921950 +++

Guido Vranken reported that the regular expression (regex) library originally written by Henry Spencer contains a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:
> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> {

Vulnerable code:
> len = strlen((char *)pattern);
> [...]
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. only be used as fallback code.


PHP seems to be affected:
[   88s] checking which regex library to use... php

ext/ereg/regex/regcomp.c:
	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
	p->strip = (sop *)malloc(p->ssize * sizeof(sop));

Configure option default:
  --with-regex=TYPE       regex library type: system, apache, php. [TYPE=php]
Comment 1 Swamp Workflow Management 2015-03-12 23:00:33 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2015-03-16 11:04:33 UTC
(In reply to Andreas Stieger from comment #0)
> Configure option default:
>   --with-regex=TYPE       regex library type: system, apache, php. [TYPE=php]

The problem is in following configure snippet:

case $PHP_REGEX in
  system)
    if test "$PHP_SAPI" = "apache" || test "$PHP_SAPI" = "apache2filter" || test "$PHP_SAPI" = "apache2handler"; then
      REGEX_TYPE=php
    else
 ....

So even if 'system' is chosen, for the apache module you will get 'php' anyway, for whatever -- I believe good -- reason.

Has somebody reported that to php upstream?
Comment 3 Andreas Stieger 2015-03-16 13:40:29 UTC
The attack scenario is as follows:
An excessively long (>700 MB) regular expression pattern supplied by the user is parsed using regcomp.c.

Please see attachment 627001 [details] to parent bug 921950 for an upstream patch taken from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334
Comment 4 Petr Gajdos 2015-03-17 12:15:40 UTC
Yep, exactly 715827882 or a bit more :).

$ cat test.php
<?php
$date = "2015-03-17";
if (ereg (str_repeat("a", 715827882), $date, $regs)) {
    echo "$regs[3].$regs[2].$regs[1]";
} else {
    echo "Invalid date format: $date";
}
?>
$ php test.php
Segmentation fault
$
Comment 5 Petr Gajdos 2015-03-17 12:16:28 UTC
Do php upstream know about this problem?
Comment 6 Petr Gajdos 2015-03-17 12:20:28 UTC
Oops,

$ php -r 'ereg (str_repeat("a", 715827882), "b", $regs);'
Segmentation fault

is of course enough.
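Added example (not code from this bug report, from PHP, or from Henry Spencer's regex library): the allocation-size arithmetic quoted in the description, run in 32-bit unsigned arithmetic so it can be executed on any host, next to a hardened variant that rejects lengths that would wrap. It assumes uint32_t stands in for a 32-bit size_t and that sizeof(sop) is 4 on a 32-bit build (sop is an unsigned long, 4 bytes on ILP32); both are assumptions, not something the page states. Under those assumptions the wrap that produces malloc(0) is in the second step, p->ssize * sizeof(sop), which is why the trigger length is 715827882 rather than the roughly 2.8 GB the len/2*3 step alone would need. The overflow check is my own, not the patch from the linked upstream commit.

```c
/*
 * Added example (not from the bug report, PHP or Spencer's regex):
 * models the allocation-size arithmetic from regcomp() in 32-bit size_t
 * arithmetic and shows a hardened variant.
 * Assumptions: uint32_t stands in for a 32-bit size_t, and sizeof(sop) is 4
 * (sop is an unsigned long, which is 4 bytes on an ILP32 build).
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t size32_t;              /* 32-bit size_t stand-in (assumption) */
#define SIZE32_MAX UINT32_MAX
#define SIZEOF_SOP ((size32_t)4)        /* sizeof(sop) on ILP32 (assumption) */

/* p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;   (as quoted on the page) */
size32_t strip_ssize(size32_t len)
{
    return len / (size32_t)2 * (size32_t)3 + (size32_t)1;
}

/* Byte count the original code hands to malloc(): p->ssize * sizeof(sop).
 * Nothing stops either multiplication from wrapping. */
size32_t strip_bytes_unchecked(size32_t len)
{
    return strip_ssize(len) * SIZEOF_SOP;
}

/* Hardened computation (my own check, not the upstream patch): returns 0 and
 * stores the byte count, or -1 when either step would wrap, in which case
 * regcomp() should fail with REG_INVARG instead of allocating. */
int strip_bytes_checked(size32_t len, size32_t *bytes_out)
{
    size32_t half = len / 2;
    if (half > (SIZE32_MAX - 1) / 3)            /* half*3 + 1 would wrap */
        return -1;
    size32_t ssize = half * 3 + 1;
    if (ssize > SIZE32_MAX / SIZEOF_SOP)        /* ssize*sizeof(sop) would wrap */
        return -1;
    if (bytes_out)
        *bytes_out = ssize * SIZEOF_SOP;
    return 0;
}

/* Smallest pattern length whose byte count wraps: the first ssize with
 * ssize*sizeof(sop) > SIZE32_MAX is SIZE32_MAX/sizeof(sop) + 1, and the
 * smallest len reaching it is 2*ceil((ssize-1)/3). */
size32_t first_wrapping_len(void)
{
    size32_t min_bad_ssize = SIZE32_MAX / SIZEOF_SOP + 1;   /* 2^30 */
    size32_t half = (min_bad_ssize - 1 + 2) / 3;            /* ceil((ssize-1)/3) */
    return half * 2;
}

int main(void)
{
    /* Constructed sample lengths: just below, at and above the trigger from
     * comment 4, plus one where the len/2*3 step itself wraps. */
    size32_t lens[] = { 715827881u, 715827882u, 715827883u, 2863311532u };
    printf("first length whose malloc size wraps: %u\n", first_wrapping_len());
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size32_t bytes = 0;
        int rc = strip_bytes_checked(lens[i], &bytes);
        printf("len=%10u ssize=%10u unchecked malloc(%10u) checked: %s %u\n",
               lens[i], strip_ssize(lens[i]), strip_bytes_unchecked(lens[i]),
               rc == 0 ? "ok, bytes=" : "REG_INVARG", bytes);
    }
    return 0;
}
```

At len 715827882 the unchecked path computes ssize 1073741824 (2^30), whose product with 4 wraps to 0, so the original code calls malloc(0) and then writes the compiled program into that block; the checked path refuses both that length and the much larger ones where len/2*3 itself wraps.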
Comment 10 Petr Gajdos 2015-03-17 13:01:33 UTC
summary for QA: 
1. build php for 32-bit
2. install php5 rpm (only)
3. change memory_limit to e.g. 1024 in /etc/php5/cli/php.ini
4. run testcase from comment 6
Comment 11 Petr Gajdos 2015-03-17 13:55:50 UTC
AFTER

$ php -r 'ereg (str_repeat("a", 715827883), "b", $regs);'
PHP Warning:  ereg(): REG_INVARG in Command line code on line 1
$
Comment 14 Petr Gajdos 2015-03-19 10:39:39 UTC
P4 for VUL-1.
Comment 15 Petr Gajdos 2015-03-24 16:24:39 UTC
Please review my submit requests.
Comment 17 Swamp Workflow Management 2015-03-30 15:09:29 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61384
Comment 19 Swamp Workflow Management 2015-04-01 16:06:01 UTC
openSUSE-SU-2015:0644-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 922022,922451,922452,922894,923946
CVE References: CVE-2014-9705,CVE-2014-9709,CVE-2015-2301,CVE-2015-2305,CVE-2015-2331
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-15.1
openSUSE 13.1 (src):    php5-5.4.20-45.1
Comment 22 Swamp Workflow Management 2015-05-13 13:07:14 UTC
SUSE-SU-2015:0868-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 922022,922451,922452,923946,924970,924972,925109,928408,928506,928511
CVE References: CVE-2014-9705,CVE-2014-9709,CVE-2015-2301,CVE-2015-2305,CVE-2015-2348,CVE-2015-2783,CVE-2015-2787,CVE-2015-3329,CVE-2015-3330
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-22.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-22.1
Comment 23 Swamp Workflow Management 2015-06-09 12:05:08 UTC
SUSE-SU-2015:1018-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 922022,922451,922452,923946,924972,925109,928506,928511,931421,931769,931772,931776
CVE References: CVE-2014-9705,CVE-2014-9709,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3329,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    php53-5.3.17-0.41.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    php53-5.3.17-0.41.1
SUSE Linux Enterprise Server 11 SP3 (src):    php53-5.3.17-0.41.1
Comment 24 Marcus Meissner 2015-09-10 14:51:45 UTC
released