Bugzilla – Bug 1048266
VUL-0: CVE-2017-11164: pcre: OP_KETRMAX feature allows stack exhaustion when processing regular expressions
Last modified: 2022-03-25 14:09:25 UTC
In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows
stack exhaustion (uncontrolled recursion) when processing a crafted regular
We don't ship PCRE 8.41 even on Tumbleweed
The problem was reported against version 8.41, but the affected code could be found in other versions as well.
The original report can be found here http://openwall.com/lists/oss-security/2017/07/11/3
There is still no relevant information about this bug, but it's in nature very similiar to other upstream bugs. So all upstream comments apply:
https://bugs.exim.org/show_bug.cgi?id=2126#c2 -> I suggest WONTFIX.
The test program crashes instantly and there is no code execution going on. But it does crash also with 8.39 that we currently have released. And it's about impossible that pcre.org will release a fix for this - because the flaw is deep into there and pcre2 doesn't have it.
Created attachment 735956 [details]
gcc -O2 -g -Wall -o xx xx.c -lpcre
should not crash
the crash happens in regcomp(), the stack is overwritten.
gcc -O2 -fstack-protector-all -o xx xx.c -lpcre -g
will show the canary being overwritten.
triggers also on sle11, so all affected.
Reassiging back to security-team. I repeat: it's WONTFIX upstream and that's what I suggest here too.
It would be useful to get a statement whether this bug affects the pcre that ships with SLE-15-SP*.
The higher codestream where this package has been branched is SUSE:SLE-15:Update, which in turn ships to products from SLE-15 to SLE-15-SP4 and to MicroOS 5.0 to 5.1.
Closing as WONTFIX.