Bug 922030 - VUL-1: CVE-2015-2305: llvm: uses regular expressions (regex) library containing a heap overflow vulnerability
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Ismail Dönmez
QA Contact: Security Team bot
URL: https://guidovranken.wordpress.com/20...
Depends on:
Blocks: CVE-2015-2305
Reported: 2015-03-12 15:01 UTC by Andreas Stieger
Modified: 2016-12-12 11:01 UTC (History)
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Andreas Stieger 2015-03-12 15:01:56 UTC
+++ This bug was initially created as a clone of Bug #921950 +++

Guido Vranken reported that the regular expressions (regex) library originally written by Henry Spencer contains a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:
> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> {

Vulnerable code:
> len = strlen((char *)pattern);
> [...]
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. only be used as fallback code.


LLVM seems to contain affected code. Found in ./llvm/llvm-3.1.tar.bz2.contents/llvm/lib/Support/regcomp.c
Comment 1 Swamp Workflow Management 2015-03-12 23:00:53 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-03-16 13:40:29 UTC
The attack scenario is as follows:
An excessively long (>700 MB) regular expression pattern supplied by a user is parsed using regcomp.c

Please see attachment 627001 to parent bug 921950 for an upstream patch taken from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334
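The size arithmetic from the quoted regcomp() lines, worked through as an added example (not code from LLVM, the Spencer library, or the upstream patch): it emulates a 32-bit size_t with uint32_t, assumes sizeof(sop) == 4 as on a 32-bit build, and shows the malloc() size wrapping for a constructed ~800 MB pattern length next to an illustrative bounds check written here, not the upstream fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: on a 32-bit build both size_t and sop (unsigned long) are
 * 4 bytes, so uint32_t stands in for size_t and SOP_SIZE for sizeof(sop). */
#define SOP_SIZE 4u

/* The allocation size exactly as the vulnerable regcomp() computes it:
 * ssize = len/2*3 + 1, then ssize * sizeof(sop) is handed to malloc().
 * In 32-bit arithmetic the multiplication silently wraps once ssize
 * exceeds UINT32_MAX / 4, so malloc() receives a far smaller request
 * than the compiler later writes into. */
uint32_t strip_alloc_bytes_unchecked(uint32_t len)
{
    uint32_t ssize = len / 2u * 3u + 1u; /* ugh */
    return ssize * SOP_SIZE;             /* wraps for len >= ~715 MB */
}

/* Illustrative hardened version (not the upstream patch): bound each
 * step before performing it. Returns the byte count, or 0 when either
 * the ssize computation or the malloc() size would wrap (0 is never a
 * valid result, since ssize >= 1). */
uint32_t strip_alloc_bytes_checked(uint32_t len)
{
    uint32_t half = len / 2u;
    if (half > (UINT32_MAX - 1u) / 3u)      /* half*3 + 1 would wrap */
        return 0;
    uint32_t ssize = half * 3u + 1u;
    if (ssize > UINT32_MAX / SOP_SIZE)      /* ssize * sizeof(sop) would wrap */
        return 0;
    return ssize * SOP_SIZE;
}

/* Smallest pattern length whose malloc() size wraps under the assumptions
 * above, derived from ssize > UINT32_MAX / SOP_SIZE; it lands just above
 * the ">700 MB" figure given in comment 2. */
uint32_t smallest_wrapping_len(void)
{
    return ((UINT32_MAX / SOP_SIZE - 1u) / 3u + 1u) * 2u;
}

int main(void)
{
    uint32_t len = 800000000u; /* constructed: an ~800 MB pattern */
    printf("len=%u unchecked malloc size=%u checked=%u threshold=%u\n",
           len, strip_alloc_bytes_unchecked(len),
           strip_alloc_bytes_checked(len), smallest_wrapping_len());
    return 0;
}
```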