Bugzilla – Bug 924961
VUL-0: CVE-2015-2326: pcre: heap buffer overflow in pcre_compile2()
Last modified: 2020-03-27 17:07:31 UTC
A flaw was found in the PCRE library: the PCRE library is prone to a vulnerability that leads to a heap overflow. Without enough bounds checking inside pcre_compile2(), the heap memory could be overflowed via a crafted regular expression. Since the PCRE library is widely used, this vulnerability should affect many applications. An attacker may exploit this issue to execute arbitrary code in the context of the user running the affected application.
Upstream issue: http://bugs.exim.org/show_bug.cgi?id=1592
Upstream patch: http://vcs.pcre.org/viewvc?revision=1529&view=revision
References: https://bugzilla.redhat.com/show_bug.cgi?id=1207202
bugbot adjusting priority
unclear if it affects SLE11, code looks a bit different
A reproducer that works on openSUSE 13.2:

valgrind pcretest
==24744== Memcheck, a memory error detector
==24744== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24744== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==24744== Command: pcretest
==24744==
PCRE version 8.36-RC1 2014-04-21

  re> /((?+1)(\1))/
==24744== Invalid read of size 1
==24744==    at 0x4E37442: ??? (in /usr/lib64/libpcre.so.1.2.3)
==24744==    by 0x4E371D9: ??? (in /usr/lib64/libpcre.so.1.2.3)
==24744==    by 0x4E371D9: ??? (in /usr/lib64/libpcre.so.1.2.3)
==24744==    by 0x4E40B6F: pcre_compile2 (in /usr/lib64/libpcre.so.1.2.3)
==24744==    by 0x4040D8: ??? (in /usr/bin/pcretest)
==24744==    by 0x5740B04: (below main) (in /lib64/libc-2.19.so)
==24744==  Address 0x5ae69a2 is 32,914 bytes inside an unallocated block of size 4,093,648 in arena "client"
==24744==
data>
SLE 11 SP3 with 7.8 does not seem to be affected:

$ valgrind pcretest
==24802== Memcheck, a memory error detector
==24802== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==24802== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==24802== Command: pcretest
==24802==
PCRE version 7.8 2008-09-05

  re> /((?i)(?+1)a(a|b\1))\s+\1/
data> abc
No match
data>
==24802==
==24802== HEAP SUMMARY:
==24802==     in use at exit: 0 bytes in 0 blocks
==24802==   total heap usage: 6 allocs, 6 frees, 150,461 bytes allocated
==24802==
==24802== All heap blocks were freed -- no leaks are possible
==24802==
==24802== For counts of detected and suppressed errors, rerun with: -v
==24802== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 4 from 4)

Same for /((?+1)(\1))/
is there anything left for me to do? :)
(In reply to Stephan Kulow from comment #5)
> is there anything left for me to do? :)

SLE 12 needs the fix.
SLE 12 doesn't have 8.36, it has 8.33, and this one gives:

coolo@gertrude#pcre-8.33>valgrind ./a.out "/((?i)(?+1)a(a|b\1))\s+\1/" AAAAAAAAA
==26927== Memcheck, a memory error detector
==26927== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==26927== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==26927== Command: ./a.out /((?i)(?+1)a(a|b\\1))\\s+\\1/ AAAAAAAAA
==26927==
No match.
==26927==
According to my analysis (and kind of RH's), this does not affect SLE-12 but is a side effect of refactoring that happened between 8.33 and 8.36.
This makes it an openSUSE 13.2 only bug then. Assigning to bugowner of Base:System/pcre
I'm not the maintainer of pcre; if that's configured, it's a mistake, as happened with so many other packages. Sorry.
Right, noted. Taking back to security team, adding recent version updaters, including community.
https://build.opensuse.org/request/show/304864
https://build.opensuse.org/request/show/304866
openSUSE-SU-2015:0858-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,924961
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2326
Sources used:
openSUSE 13.2 (src): pcre-8.37-3.5.1
openSUSE 13.1 (src): pcre-8.37-2.4.1
Releasing MariaDB for SLE 12
SUSE-SU-2015:1273-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906574,919053,919062,920865,920896,921333,924663,924960,924961,934789,936407,936408,936409
CVE References: CVE-2014-8964,CVE-2015-0433,CVE-2015-0441,CVE-2015-0499,CVE-2015-0501,CVE-2015-0505,CVE-2015-2325,CVE-2015-2326,CVE-2015-2568,CVE-2015-2571,CVE-2015-2573,CVE-2015-3152
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): mariadb-10.0.20-18.1
SUSE Linux Enterprise Software Development Kit 12 (src): mariadb-10.0.20-18.1
SUSE Linux Enterprise Server 12 (src): mariadb-10.0.20-18.1
SUSE Linux Enterprise Desktop 12 (src): mariadb-10.0.20-18.1
This is an autogenerated message for OBS integration:
This bug (924961) was mentioned in
https://build.opensuse.org/request/show/653587 Backports:SLE-12 / pcre2