Bug 1048266 - (CVE-2017-11164) VUL-0: CVE-2017-11164: pcre: OP_KETRMAX feature allows stack exhaustion when processing regular expressions
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/188271/
CVSSv2:SUSE:CVE-2017-11164:2.1:(AV:L/...
Reported: 2017-07-12 06:13 UTC by Victor Pereira
Modified: 2022-03-25 14:09 UTC

Found By: Security Response Team


Attachments
xx.c (269 bytes, text/x-csrc)
2017-08-09 20:40 UTC, Marcus Meissner

Description Victor Pereira 2017-07-12 06:13:36 UTC
CVE-2017-11164

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows
stack exhaustion (uncontrolled recursion) when processing a crafted regular
expression.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11164
http://seclists.org/oss-sec/2017/q3/111
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11164.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164
http://openwall.com/lists/oss-security/2017/07/11/3
Comment 1 Stephan Kulow 2017-07-12 06:30:52 UTC
We don't ship PCRE 8.41 even on Tumbleweed
Comment 2 Victor Pereira 2017-07-12 06:44:39 UTC
Hi, 

The problem was reported against version 8.41, but the affected code could be found in other versions as well. 

The original report can be found here http://openwall.com/lists/oss-security/2017/07/11/3
Comment 3 Stephan Kulow 2017-07-17 05:51:12 UTC
There is still no relevant information about this bug, but it's in nature very similar to other upstream bugs. So all upstream comments apply:

https://bugs.exim.org/show_bug.cgi?id=2126#c2 -> I suggest WONTFIX.

The test program crashes instantly and there is no code execution going on. But it does crash also with 8.39 that we currently have released. And it's about impossible that pcre.org will release a fix for this - because the flaw is deep into there and pcre2 doesn't have it.
Comment 4 Marcus Meissner 2017-08-09 20:40:15 UTC
Created attachment 735956
xx.c

QA REPRODUCER:

gcc -O2 -g -Wall -o xx xx.c -lpcre 
./xx

should not crash
Comment 5 Marcus Meissner 2017-08-09 20:44:14 UTC
the crash happens in regcomp(), the stack is overwritten.

gcc -O2 -fstack-protector-all -o xx xx.c -lpcre -g
./xx

will show the canary being overwritten.
Comment 6 Marcus Meissner 2017-08-09 20:48:29 UTC
triggers also on sle11, so all affected.
Comment 9 Stephan Kulow 2021-10-19 05:21:24 UTC
Reassigning back to security-team. I repeat: it's WONTFIX upstream and that's what I suggest here too.
Comment 10 Nathan Cutler 2022-03-23 12:26:27 UTC
It would be useful to get a statement whether this bug affects the pcre that ships with SLE-15-SP*.
Comment 11 Gianluca Gabrielli 2022-03-25 14:09:25 UTC
The higher codestream where this package has been branched is SUSE:SLE-15:Update, which in turn ships to products from SLE-15 to SLE-15-SP4 and to MicroOS 5.0 to 5.1.

Closing as WONTFIX.