Bug 1048266 - (CVE-2017-11164) VUL-0: CVE-2017-11164: pcre: OP_KETRMAX feature allows stack exhaustion when processing regular expressions
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Security Team bot
Reported: 2017-07-12 06:13 UTC by Victor Pereira
Modified: 2022-03-25 14:09 UTC
Found By: Security Response Team

xx.c (269 bytes, text/x-csrc)
2017-08-09 20:40 UTC, Marcus Meissner

Description Victor Pereira 2017-07-12 06:13:36 UTC

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows
stack exhaustion (uncontrolled recursion) when processing a crafted regular

Comment 1 Stephan Kulow 2017-07-12 06:30:52 UTC
We don't ship PCRE 8.41 even on Tumbleweed
Comment 2 Victor Pereira 2017-07-12 06:44:39 UTC

The problem was reported against version 8.41, but the affected code could be found in other versions as well. 

The original report can be found here http://openwall.com/lists/oss-security/2017/07/11/3
Comment 3 Stephan Kulow 2017-07-17 05:51:12 UTC
There is still no relevant information about this bug, but it's in nature very similar to other upstream bugs. So all upstream comments apply:

https://bugs.exim.org/show_bug.cgi?id=2126#c2 -> I suggest WONTFIX.

The test program crashes instantly and there is no code execution going on. But it does crash also with 8.39 that we currently have released. And it's about impossible that pcre.org will release a fix for this - because the flaw is deep into there and pcre2 doesn't have it.
Comment 4 Marcus Meissner 2017-08-09 20:40:15 UTC
Created attachment 735956


gcc -O2 -g -Wall -o xx xx.c -lpcre 

should not crash
Comment 5 Marcus Meissner 2017-08-09 20:44:14 UTC
the crash happens in regcomp(), the stack is overwritten.

gcc -O2 -fstack-protector-all -o xx xx.c -lpcre -g

will show the canary being overwritten.
Comment 6 Marcus Meissner 2017-08-09 20:48:29 UTC
triggers also on sle11, so all affected.
Comment 9 Stephan Kulow 2021-10-19 05:21:24 UTC
Reassigning back to security-team. I repeat: it's WONTFIX upstream and that's what I suggest here too.
Comment 10 Nathan Cutler 2022-03-23 12:26:27 UTC
It would be useful to get a statement whether this bug affects the pcre that ships with SLE-15-SP*.
Comment 11 Gianluca Gabrielli 2022-03-25 14:09:25 UTC
The higher codestream where this package has been branched is SUSE:SLE-15:Update, which in turn ships to products from SLE-15 to SLE-15-SP4 and to MicroOS 5.0 to 5.1.

Closing as WONTFIX.