Bug 1164384 - (CVE-2019-20454) VUL-0: CVE-2019-20454: pcre2: out-of-bounds read in JIT mode when \X is used in non-UTF mode
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/253196/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-20454:6.8:(AV...
Reported: 2020-02-19 15:54 UTC by Alexandros Toptsoglou
Modified: 2022-09-01 14:08 UTC (History)

Found By: Security Response Team
Attachments: POC (77 bytes, text/plain), 2020-02-19 16:02 UTC, Alexandros Toptsoglou

Description Alexandros Toptsoglou 2020-02-19 15:54:48 UTC
CVE-2019-20454

A flaw was found in libpcre. A buffer overread in JIT mode when \X is used in non-UTF mode may cause application crash and denial of service. The flaw is in function do_extuni_no_utf() in pcre2_jit_compile.c, which uses the macro GETCHARINC to read a character. However, in case there is an invalid UTF character the value read is too big, which causes an out-of-bounds read in the next statement, while executing macro UCD_GRAPHBREAK.

References:

https://bugs.exim.org/show_bug.cgi?id=2421
https://bugs.php.net/bug.php?id=78338

Upstream patch:

http://git.php.net/?p=php-src.git;a=commitdiff;h=8947fd9e9fdce87cd6c59817b1db58e789538fe9

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1735494
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20454
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20454.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20454
https://vcs.pcre.org/pcre2?view=revision&revision=1092
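As an added illustration (not code from this report or from PCRE2), the following C model reproduces the mechanism the description outlines: a GETCHARINC-style UTF-8 decode of the report's non-UTF subject runs past the end of the subject and yields a value far outside the Unicode range, while reading one code unit per character (what the upstream fix does with c = *cc++) stays in bounds. The decoder, the filler buffer after the subject and the table limit are simplified assumptions, not PCRE2's own macros or tables.

```c
/* Added model, not PCRE2 code: why a UTF-8-aware character read (the shape
 * of PCRE2's 8-bit GETCHARINC) on a non-UTF subject yields a value that the
 * Unicode property tables behind UCD_GRAPHBREAK cannot index. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define UNICODE_LIMIT 0x110000u  /* the UCD tables cover code points below this */
struct scan { size_t overread; uint32_t max_c; int bad_index; };

/* Reduced re-implementation (assumption) of a GETCHARINC-style decode: it trusts
 * the lead byte and never checks the subject end. The 'phys' bound only keeps
 * this model memory-safe; the real macro has no such check. */
static uint32_t decode_utf8_unchecked(const uint8_t *s, size_t phys, size_t *pos)
{
    uint32_t c = s[(*pos)++];
    if (c < 0xC0) return c;                          /* ASCII or lone continuation byte */
    int extra = (c & 0x20) == 0 ? 1 : (c & 0x10) == 0 ? 2 :
                (c & 0x08) == 0 ? 3 : (c & 0x04) == 0 ? 4 : 5;
    c &= 0x3Fu >> extra;                             /* payload bits of the lead byte */
    for (int i = 0; i < extra && *pos < phys; i++)
        c = (c << 6) | (s[(*pos)++] & 0x3Fu);
    return c;
}

/* Walk the subject once. utf_decode=1 models the buggy path; utf_decode=0 models
 * the upstream fix, which reads one code unit per character (c = *cc++). */
static struct scan scan_subject(int utf_decode)
{
    /* Constructed buffer: the report's subject "\xF3aaa\xE4\xEA\xEB\xFEa" (9 bytes)
     * followed by 8 filler bytes standing in for whatever memory follows it. */
    const uint8_t buf[] = { 0xF3,'a','a','a',0xE4,0xEA,0xEB,0xFE,'a', 0,0,0,0,0,0,0,0 };
    const size_t len = 9;
    struct scan r = { 0, 0, 0 };
    size_t pos = 0;
    while (pos < len) {
        uint32_t c = utf_decode ? decode_utf8_unchecked(buf, sizeof buf, &pos) : buf[pos++];
        if (c > r.max_c) r.max_c = c;
        if (c >= UNICODE_LIMIT) r.bad_index = 1;     /* UCD_GRAPHBREAK(c) would overrun the table */
    }
    r.overread = pos > len ? pos - len : 0;          /* bytes consumed beyond the subject */
    return r;
}

int main(void)
{
    struct scan bug = scan_subject(1), fix = scan_subject(0);
    printf("GETCHARINC model: max 0x%X, %zu bytes past end, bad index=%d\n", bug.max_c, bug.overread, bug.bad_index);
    printf("single code unit: max 0x%X, %zu bytes past end, bad index=%d\n", fix.max_c, fix.overread, fix.bad_index);
    return 0;
}
```

The trailing \xFE byte is what breaks the buggy path: its lead-byte bits select a six-byte sequence, so the decoder consumes the final 'a' plus four bytes beyond the subject and builds a value around 0x21000000.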
Comment 1 Alexandros Toptsoglou 2020-02-19 16:02:17 UTC
Only pcre2 is affected. The fix can be found at [1] along with some test cases at [2].

Reproduced the issue by running the following:

gdb pcre2test
(gdb) run -jit $POC

OUTPUT:
Starting program: /usr/bin/pcre2test -jit pcretest
Missing separate debuginfos, use: zypper install glibc-debuginfo-2.26-lp151.18.7.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
PCRE2 version 10.31 2018-02-12
#newline_default lf anycrlf any
#perltest


/\X*/
  \xF3aaa\xE4\xEA\xEB\xFEa

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79382eb in do_extuni_no_utf (args=<optimized out>, cc=0x5555557944a4 "") at src/pcre2_jit_compile.c:7281
7281	lgb = UCD_GRAPHBREAK(c);

Alternatively, running with valgrind will throw:

Invalid read of size 1
==8904==    at 0x508E593: do_extuni_no_utf (pcre2_jit_compile.c:7280)

[1] https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_jit_compile.c?r1=1092&r2=1091&pathrev=1092
[2] https://vcs.pcre.org/pcre2?view=revision&revision=1091
Comment 2 Alexandros Toptsoglou 2020-02-19 16:02:39 UTC
Created attachment 830707
POC
Comment 3 Alexandros Toptsoglou 2020-02-19 16:06:01 UTC
Tracked pcre2 in SLE15 as affected.

PHP could potentially have been affected by this, but pcre2 is included in versions 7.3 and on. The issue had been fixed in PHP versions 7.3.8 and 7.4. However, none of our PHP versions are among the affected versions.
Comment 4 Simon Logan 2021-01-18 15:07:00 UTC
At present, Leap 15.2 seems to be affected.

~> rpm -qa libpcre2*
libpcre2-8-0-10.31-lp152.3.9.x86_64
libpcre2-16-0-10.31-lp152.3.9.x86_64

~> rpm -q --qf '%{disturl}' libpcre2-8-0-10.31-lp152.3.9.x86_64
obs://build.opensuse.org/openSUSE:Leap:15.2/standard/24bc55cc557ddb378880b0bba3cb5887-pcre2
~> rpm -q --qf '%{disturl}' libpcre2-16-0-10.31-lp152.3.9.x86_64
obs://build.opensuse.org/openSUSE:Leap:15.2/standard/24bc55cc557ddb378880b0bba3cb5887-pcre2

osc co -r 24bc55cc557ddb378880b0bba3cb5887 openSUSE:Leap:15.2 pcre2

This contains the affected version of pcre2-10.31/src/pcre2_jit_compile.c
I don't see a patch that contains the fix.

Please bring this fix into Leap 15.2.
Comment 5 Alexander Bergmann 2022-01-13 13:37:14 UTC
This is the commit in question and it was introduced in pcre2-10.34.

commit 342c16ecd31bd12fc350ee31d2dcc041832ebb3f
Author: Philip.Hazel <Philip.Hazel@gmail.com>
Date:   Mon May 13 16:38:18 2019 +0000

    Forgot this file in previous commit. Fixes JIT non-UTF bug.

diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
index ae0fbcf..a19ce8b 100644
--- a/src/pcre2_jit_compile.c
+++ b/src/pcre2_jit_compile.c
@@ -8571,7 +8571,10 @@ int lgb, rgb, ricount;
 PCRE2_SPTR bptr;
 uint32_t c;
 
-GETCHARINC(c, cc);
+/* Patch by PH */
+/* GETCHARINC(c, cc); */
+
+c = *cc++;
 #if PCRE2_CODE_UNIT_WIDTH == 32
 if (c >= 0x110000)
   return NULL;
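Review bot: the replacement "c = *cc++;" is the right fix for do_extuni_no_utf, since in non-UTF mode one code unit is one character and the UTF-aware GETCHARINC could decode a stray lead byte into a multi-unit sequence that runs past the subject and produces a value UCD_GRAPHBREAK cannot index; but the hunk leaves the old call behind as a comment ("/* GETCHARINC(c, cc); */") under a "/* Patch by PH */" marker instead of stating the reason. Suggest dropping both lines and replacing them with a one-line comment saying that each code unit is a character here. Worth noting that the "#if PCRE2_CODE_UNIT_WIDTH == 32" guard "if (c >= 0x110000) return NULL;" is now the only range check before the table lookup, which is sufficient because a single 8- or 16-bit code unit cannot exceed 0xFFFF.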
Comment 7 Gabriele Sonnu 2022-04-13 09:58:13 UTC
Only SUSE:SLE-12:Update/pcre2 is affected.

@Jason, any update on this?
Comment 8 Jason Sikes 2022-07-19 05:45:36 UTC
(In reply to Gabriele Sonnu from comment #7)
> Only SUSE:SLE-12:Update/pcre2 is affected.
> 
> @Jason, any update on this?

Alexander's patch (from comment #5) is correct. There is also another patch labeled "Fix crash when \X is used without UTF in JIT" that contains test data, but no fix.

The fix and the test are here:
- https://github.com/PCRE2Project/pcre2/commit/342c16ecd31bd12fc350ee31d2dcc041832ebb3f
- https://github.com/PCRE2Project/pcre2/commit/e118e60a68f03f38dd2ff3d16ca2e2e0d800e1d9

Also, this fix was introduced in pcre2 version 10.34, so only versions below that are affected by this issue. Interestingly, SLE-15 contains the older, affected version whereas SLE-12 has the newer, unaffected version.

Anyway, a fix for SLE-15 has been submitted.

| Stream                 | Version | Status                    |
|------------------------+---------+---------------------------|
| SUSE:SLE-12:Update     |   10.34 | Not Affected              |
| SUSE:SLE-15:Update     |   10.31 | created request id 276067 |
| SUSE:SLE-15-SP4:Update |   10.39 | Not Affected              |

No version bump is necessary, I believe.
Comment 11 Swamp Workflow Management 2022-08-03 16:18:03 UTC
SUSE-SU-2022:2649-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1164384,1199235
CVE References: CVE-2019-20454,CVE-2022-1587
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    pcre2-10.31-150000.3.12.1
SUSE Manager Server 4.1 (src):    pcre2-10.31-150000.3.12.1
SUSE Manager Retail Branch Server 4.1 (src):    pcre2-10.31-150000.3.12.1
SUSE Manager Proxy 4.1 (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server for SAP 15 (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Micro 5.2 (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Micro 5.1 (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    pcre2-10.31-150000.3.12.1
SUSE Enterprise Storage 7 (src):    pcre2-10.31-150000.3.12.1
SUSE Enterprise Storage 6 (src):    pcre2-10.31-150000.3.12.1
SUSE CaaS Platform 4.0 (src):    pcre2-10.31-150000.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Jason Sikes 2022-08-26 04:21:53 UTC
Done. Assigning to Security Team.
Comment 13 Swamp Workflow Management 2022-09-01 14:08:53 UTC
openSUSE-SU-2022:2649-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1164384,1199235
CVE References: CVE-2019-20454,CVE-2022-1587
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    pcre2-10.31-150000.3.12.1