Bugzilla – Bug 922043
VUL-1: CVE-2015-2305: mysql: mysql uses regular expressions (regex) library contains a heap overflow vulnerability
Last modified: 2015-05-26 13:05:03 UTC
+++ This bug was initially created as a clone of Bug #921950 +++

Guido Vranken reported that the regular expressions (regex) library originally written by Henry Spencer contains a heap overflow vulnerability.

CWE-122: Heap-based Buffer Overflow

https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
http://www.kb.cert.org/vuls/id/695940

The variable len that holds the length of a regular expression string is "enlarged to such an extent that, in the process of enlarging (multiplication and addition), causes the 32 bit register/variable to overflow." It may be possible for an attacker to use this overflow to change data in memory.

Vulnerable function:

> int /* 0 success, otherwise REG_something */
> regcomp(preg, pattern, cflags)
> regex_t *preg;
> const char *pattern;
> int cflags;
> {

Vulnerable code:

> len = strlen((char *)pattern);
> [...]
> p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
> p->strip = (sop *)malloc(p->ssize * sizeof(sop));

32-bit systems are affected. It is highly unlikely that 64-bit operating systems would allow such an overflow. (Read: not impossible.)

The library is known to be contained in many different upstream source projects. The code may not be active or used on our platform, e.g. only be used as fallback code.

Mysql seems to contain the affected code in ./mysql/mysql-5.5.31.tar.bz2.contents/mysql-5.5.31/regex/regcomp.c

Can you check if this code is used in our configuration?
bugbot adjusting priority
The attack scenario is as follows: Excessively long (>700 MB) regular expression pattern by user parsed using regcomp.c

Please see attachment 627001 to parent bug 921950 for an upstream patch taken from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334
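Added illustration (not code from the bug report, the mysql tree or the upstream patch) of why the size computation quoted in the first comment and the ">700 MB" scenario above matter on 32-bit builds: size_t is emulated as uint32_t so the wraparound reproduces on any host, sizeof(sop) is assumed to be 4 as on an ILP32 build, and the overflow check is my own, not the upstream fix.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Emulate the 32-bit size_t of the affected platforms (assumption: ILP32). */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX
#define SOP_SIZE   ((size32_t)4)   /* sizeof(sop) on a 32-bit build (assumption) */

/* Bytes handed to malloc, computed exactly as regcomp.c does it:
 * ssize = len/2*3 + 1, then ssize * sizeof(sop). No overflow checks,
 * so a huge pattern length yields a small allocation. */
static size32_t strip_bytes_unchecked(size32_t len)
{
    size32_t ssize = len / (size32_t)2 * (size32_t)3 + (size32_t)1; /* ugh */
    return ssize * SOP_SIZE;
}

/* Hardened variant: reject the pattern (REG_ESPACE analogue, returns -1)
 * if either the element count or the byte count would wrap. */
static int strip_bytes_checked(size32_t len, size32_t *bytes)
{
    size32_t half = len / 2;
    if (half > (SIZE32_MAX - 1) / 3)       /* half*3 + 1 would wrap */
        return -1;
    size32_t ssize = half * 3 + 1;
    if (ssize > SIZE32_MAX / SOP_SIZE)     /* ssize * sizeof(sop) would wrap */
        return -1;
    *bytes = ssize * SOP_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed lengths: a normal pattern and a ~716 MB one. */
    const size32_t lens[] = { 1000u, 716000000u };
    for (unsigned i = 0; i < 2; i++) {
        size32_t ok = 0;
        int rc = strip_bytes_checked(lens[i], &ok);
        printf("len=%" PRIu32 " unchecked malloc=%" PRIu32 " bytes, checked=%s\n",
               lens[i], strip_bytes_unchecked(lens[i]),
               rc == 0 ? "ok" : "rejected (would overflow)");
    }
    return 0;
}
```

For the 716,000,000-byte pattern the unchecked arithmetic asks malloc for about 1 MB instead of the roughly 4 GB the compiled program needs, which is the undersized heap buffer the report describes.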
Configure looks for a system regcomp

[ 48s] -- Looking for regcomp
[ 48s] -- Looking for regcomp - found

but then builds the library anyway.

[ 65s] [ 1%] [ 1%] Building C object regex/CMakeFiles/regex.dir/regcomp.c.o

We need to assume it is also used.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-04-28. When done, reassign the bug to security-team@suse.de.

https://swamp.suse.de/webswamp/wf/61580
Created attachment 632594: proposed patch

I attach the patch (slightly modified for current mysql version of regex library).
Submitted to SLE11SP3 by https://build.suse.de/request/show/56498

Reassigned back to security-team
released
SUSE-SU-2015:0946-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 922043,927623
CVE References: CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0405,CVE-2015-0423,CVE-2015-0433,CVE-2015-0438,CVE-2015-0439,CVE-2015-0441,CVE-2015-0498,CVE-2015-0499,CVE-2015-0500,CVE-2015-0501,CVE-2015-0503,CVE-2015-0505,CVE-2015-0506,CVE-2015-0507,CVE-2015-0508,CVE-2015-0511,CVE-2015-2305,CVE-2015-2566,CVE-2015-2567,CVE-2015-2568,CVE-2015-2571,CVE-2015-2573,CVE-2015-2576

Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): mysql-5.0.96-0.6.20, mysql-5.5.43-0.7.3
SUSE Linux Enterprise Server 11 SP3 for VMware (src): mysql-5.0.96-0.6.20, mysql-5.5.43-0.7.3
SUSE Linux Enterprise Server 11 SP3 (src): mysql-5.0.96-0.6.20, mysql-5.5.43-0.7.3
SUSE Linux Enterprise Desktop 11 SP3 (src): mysql-5.0.96-0.6.20, mysql-5.5.43-0.7.3