pcre3: CVE-2017-7245

Related Vulnerabilities: CVE-2017-7245  

Debian Bug report logs - #858678


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 25 Mar 2017 07:21:02 UTC

Severity: minor

Tags: fixed-upstream, security, upstream

Found in versions pcre3/2:8.39-2.1, pcre3/2:8.39-3



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#858678; Package src:pcre3. (Sat, 25 Mar 2017 07:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>. (Sat, 25 Mar 2017 07:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre3: CVE-2017-7245
Date: Sat, 25 Mar 2017 08:17:09 +0100
Source: pcre3
Version: 2:8.39-2.1
Severity: important
Tags: security patch upstream

Hi,

the following vulnerability was published for pcre3.

CVE-2017-7245[0]:
| Stack-based buffer overflow in the pcre32_copy_substring function in
| pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a
| denial of service (WRITE of size 4) or possibly have unspecified other
| impact via a crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7245
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7245

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Removed tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Mar 2017 07:39:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#858678; Package src:pcre3. (Sat, 25 Mar 2017 20:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sat, 25 Mar 2017 20:51:03 GMT) (full text, mbox, link).


Message #12 received at 858678@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 858678@bugs.debian.org
Subject: Re: Bug#858678: pcre3: CVE-2017-7245
Date: Sat, 25 Mar 2017 21:47:32 +0100
Control: found -1 2:8.39-3

This one is still present in 2:8.39-3.

Regards,
Salvatore



Marked as found in versions pcre3/2:8.39-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to 858678-submit@bugs.debian.org. (Sat, 25 Mar 2017 20:51:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#858678; Package src:pcre3. (Sun, 26 Mar 2017 08:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sun, 26 Mar 2017 08:27:05 GMT) (full text, mbox, link).


Message #19 received at 858678@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 858678@bugs.debian.org
Cc: Matthew Vernon <matthew@debian.org>, ph40@hermes.cam.ac.uk
Subject: Issue CVE-2017-7245 persist on current upstream r1689
Date: Sun, 26 Mar 2017 10:22:20 +0200
Hi Matthew, hi Philip

I tried to follow the status for CVE-2017-7245 (#858678), and it looks
like they still fail on the "current" revision from the upstream VCS.

I'm on r1689 ("Fix DFA match handling of possessive repeated character
class (Bugzilla 2086).") and compiling locally with ASAN:

(basically only CFLAGS="-g -O0 -fsanitize=address"
LDFLAGS="-fsanitize=address" and I'm explicitly calling configure with
--enable-pcre32 --disable-shared to explicitly catch the issues):

CVE-2017-7245:

$ ./pcretest -32 -d ~/poc/00207-pcre-stackoverflow-pcre32_copy_substring

PCRE version 8.41-RC1 2017-02-01


\v+S+5
------------------------------------------------------------------
  0   4 Bra
  2     \v++
  4   4 Ket
  6     End
------------------------------------------------------------------
Capturing subpattern count = 0
No options
No first char
No need char
Subject length lower bound = 1
Starting chars: \x0a \x0b \x0c \x0d \x85 \xff 
JIT support is not available in this version of PCRE
ïnn{ÿê|:)rÿ/;˜  /=>D
No match
  	ßïnn{ÿê|:)>	““+
No match
Š>
No match
999
No match
>/;((((((((((((((((___ÃDD 
No match
 >:$$$€€€ÿ  	ù 999
No match
7NXe  c
No match
9
No match
>
No match
 W+
No match

No match
˜
No match
  t
No match
8 <b
No match
W+
No match
t
No match

\S+\d+W+
=================================================================
==29699==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc66c02600 at pc 0x5618f712d5bd bp 0x7ffc66c01950 sp 0x7ffc66c01948
WRITE of size 4 at 0x7ffc66c02600 thread T0
    #0 0x5618f712d5bc in pcre32_copy_substring /root/pcre/pcre_get.c:358
    #1 0x5618f6face1b in main /root/pcre/pcretest.c:5342
    #2 0x7f5ce5d2a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #3 0x5618f6f9ade9 in _start (/root/pcre/pcretest+0x1bde9)

Address 0x7ffc66c02600 is located in stack of thread T0 at offset 2336 in frame
    #0 0x5618f6fa0fa5 in main /root/pcre/pcretest.c:2987

  This frame has 35 object(s):
    [32, 36) 'erroroffset'
    [96, 100) 'first_char'
    [160, 164) 'need_char'
    [224, 228) 'match_limit'
    [288, 292) 'recursion_limit'
    [352, 356) 'count'
    [416, 420) 'backrefmax'
    [480, 484) 'first_char_set'
    [544, 548) 'need_char_set'
    [608, 612) 'okpartial'
    [672, 676) 'jchanged'
    [736, 740) 'hascrorlf'
    [800, 804) 'maxlookbehind'
    [864, 868) 'match_empty'
    [928, 932) 'callout_data'
    [992, 996) 'count'
    [1056, 1060) 'd'
    [1120, 1128) 'cn32ptr'
    [1184, 1192) 'gn32ptr'
    [1248, 1256) 'cn16ptr'
    [1312, 1320) 'gn16ptr'
    [1376, 1384) 'cn8ptr'
    [1440, 1448) 'gn8ptr'
    [1504, 1512) 'error'
    [1568, 1576) 'markptr'
    [1632, 1640) 'get_options'
    [1696, 1704) 'size'
    [1760, 1768) 'nametable'
    [1824, 1832) 'sbuf'
    [1888, 1904) 'rlim'
    [1952, 1976) 'lockout'
    [2016, 2040) 'preg'
    [2080, 2336) 'copybuffer' <== Memory access at offset 2336 overflows this variable
    [2368, 6464) 'copynames'
    [6496, 10592) 'getnames'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/pcre/pcre_get.c:358 in pcre32_copy_substring
Shadow bytes around the buggy address:
  0x10000cd78470: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x10000cd78480: 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
  0x10000cd78490: 00 00 00 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2
  0x10000cd784a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000cd784c0:[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd78500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd78510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29699==ABORTING

(the reproducer files are from Agostino Sarubbo git repository).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#858678; Package src:pcre3. (Sun, 26 Mar 2017 16:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to ph40@hermes.cam.ac.uk:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sun, 26 Mar 2017 16:00:03 GMT) (full text, mbox, link).


Message #24 received at 858678@bugs.debian.org (full text, mbox, reply):

From: ph40@hermes.cam.ac.uk
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 858678@bugs.debian.org, Matthew Vernon <matthew@debian.org>
Subject: Re: Issue CVE-2017-7245 persist on current upstream r1689
Date: Sun, 26 Mar 2017 16:24:17 +0100 (BST)
On Sun, 26 Mar 2017, Salvatore Bonaccorso wrote:

> I tried to follow the status for CVE-2017-7245 (#858678), and it looks
> like they still fail on the "current" revision from the upstream VCS.
> 
> I'm on r1689 ("Fix DFA match handling of possessive repeated character
> class (Bugzilla 2086).") and compiling locally with ASAN:
> 
> (basically only CFLAGS="-g -O0 -fsanitize=address"
> LDFLAGS="-fsanitize=address" and I'm explicitly calling configure with
> --enable-pcre32 --disable-shared to explicitly catch the issues):
> 
> CVE-2017-7245:
> 
> $ ./pcretest -32 -d ~/poc/00207-pcre-stackoverflow-pcre32_copy_substring

I'm afraid I cannot reproduce this bug from the data in your email. I 
suspect some of the characters are getting mangled somehow on their way 
through the mail system.

> (the reproducer files are from Agostino Sarubbo git repository).

Please remind me where this is so that I can try to get the failing 
file.

Regards,
Philip

-- 
Philip Hazel



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#858678; Package src:pcre3. (Sun, 26 Mar 2017 17:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sun, 26 Mar 2017 17:09:02 GMT) (full text, mbox, link).


Message #29 received at 858678@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: ph40@hermes.cam.ac.uk
Cc: 858678@bugs.debian.org, Matthew Vernon <matthew@debian.org>
Subject: Re: Issue CVE-2017-7245 persist on current upstream r1689
Date: Sun, 26 Mar 2017 19:06:58 +0200
Hi Philip,

Thanks for the quick reply!

On Sun, Mar 26, 2017 at 04:24:17PM +0100, ph40@hermes.cam.ac.uk wrote:
> On Sun, 26 Mar 2017, Salvatore Bonaccorso wrote:
> 
> > I tried to follow the status for CVE-2017-7245 (#858678), and it looks
> > like they still fail on the "current" revision from the upstream VCS.
> > 
> > I'm on r1689 ("Fix DFA match handling of possessive repeated character
> > class (Bugzilla 2086).") and compiling locally with ASAN:
> > 
> > (basically only CFLAGS="-g -O0 -fsanitize=address"
> > LDFLAGS="-fsanitize=address" and I'm explicitly calling configure with
> > --enable-pcre32 --disable-shared to explicitly catch the issues):
> > 
> > CVE-2017-7245:
> > 
> > $ ./pcretest -32 -d ~/poc/00207-pcre-stackoverflow-pcre32_copy_substring
> 
> I'm afraid I cannot reproduce this bug from the data in your email. I 
> suspect some of the characters are getting mangled somehow on their way 
> through the mail system.
> 
> > (the reproducer files are from Agostino Sarubbo git repository).
> 
> Please remind me where this is so that I can try to get the failing 
> file.

Sure, apologies if this was too terse. So for the CVE-2017-7245 issue, some
references are here:

https://security-tracker.debian.org/tracker/CVE-2017-7245

the reporter blog is at
https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
and the file to reproduce the issue is located in his git repository
at
https://github.com/asarubbo/poc/blob/master/00207-pcre-stackoverflow-pcre32_copy_substring

I was able to reproduce the issue with an ASAN build of pcre3 from the
VCS checkout at revision r1689.

Does this help? Or do you need any further information from me?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#858678; Package src:pcre3. (Sun, 26 Mar 2017 18:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to ph40@hermes.cam.ac.uk:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sun, 26 Mar 2017 18:15:03 GMT) (full text, mbox, link).


Message #34 received at 858678@bugs.debian.org (full text, mbox, reply):

From: ph40@hermes.cam.ac.uk
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 858678@bugs.debian.org, Matthew Vernon <matthew@debian.org>
Subject: Re: Issue CVE-2017-7245 persist on current upstream r1689
Date: Sun, 26 Mar 2017 19:11:20 +0100 (BST)
On Sun, 26 Mar 2017, Salvatore Bonaccorso wrote:

> Sure, apologies if this was too terse. So for the CVE-2017-7245 issue, some
> references are here:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-7245
> 
> the reporter blog is at
> https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
> and the file to reproduce the issue is located in his git repository
> at
> https://github.com/asarubbo/poc/blob/master/00207-pcre-stackoverflow-pcre32_copy_substring
> 
> I was able to reproduce the issue with an ASAN build of pcre3 from the
> VCS checkout at revision r1689.
> 
> Does this help? Or do you need any further information from me?

I'm still having a problem reproducing this. Using

CFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure --enable-pcre32 --disable-shared

(that is, compiling with gcc), I get no crash. I don't seem to be able 
to compile with clang at the moment because I'm getting a linker error:

/source/pcre/.libs/libpcre.a(libpcre_la-pcre_compile.o): In function `asan.module_ctor':
pcre_compile.c:(.text+0x361e7): undefined reference to `__asan_version_mismatch_check_v8'

I can compile and link "Hello World" with clang, no problem, so I am a
bit mystified. However, I have to stop for the day now and won't get
back to this for at least 24 hours.

Oh! STOP PRESS. I have managed to get an error out of valgrind. It might 
be the same thing as you are seeing, but it looks a bit different. 
However, I haven't the time to look now. (If it turns out to be a bug in 
pcretest, as opposed to the library, I have to say I am less interested 
in trying to fix it.)

Incidentally, you are, I hope, aware that the 8.xx PCRE releases have 
been in "maintenance only" mode for over 2 years now. I am rapidly 
forgetting details of the PCRE1 code. I know Debian takes its time, but 
I do hope there is a plan to move to PCRE2 in due course.

Regards,
Philip

-- 
Philip Hazel



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#858678; Package src:pcre3. (Mon, 27 Mar 2017 16:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to ph40@hermes.cam.ac.uk:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Mon, 27 Mar 2017 16:06:02 GMT) (full text, mbox, link).


Message #39 received at 858678@bugs.debian.org (full text, mbox, reply):

From: ph40@hermes.cam.ac.uk
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 858678@bugs.debian.org, Matthew Vernon <matthew@debian.org>
Subject: Re: Issue CVE-2017-7245 persist on current upstream r1689
Date: Mon, 27 Mar 2017 17:03:58 +0100 (BST)
On Sun, 26 Mar 2017, Salvatore Bonaccorso wrote:

> I tried to follow the status for CVE-2017-7245 (#858678), and it looks
> like they still fail on the "current" revision from the upstream VCS.

I believe I have fixed this at r1691. It was a one-character typo in
pcretest, causing an incorrect buffer length to be passed to
pcre_copy_substring() in 32-bit mode. In other words, a "user" error,
not a bug in the library.

Regards,
Philip

-- 
Philip Hazel
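The root cause Philip describes above (a caller handing a copy-substring routine a buffer length in the wrong unit, so that in 32-bit mode the callee believes it has four times the room it really has) is easy to reproduce in miniature. The following C sketch is an added example, not pcretest's or PCRE's code: `copy_substring32`, `fits`, `units_in` and `claim_is_safe` are hypothetical names, and the 256-byte `copybuffer` is constructed for the example (the ASan report earlier in this thread happens to show a 256-byte `copybuffer` too, but nothing here is taken from pcretest's source). It shows the bounds check a unit-based API makes, the caller-side conversion from bytes to code units that keeps that check honest, and a review-time check that flags a byte count being passed as a unit count, without ever performing the out-of-bounds write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-bit code unit, standing in for the unit type a 32-bit
 * regex library mode works in (assumption for this example). */
typedef uint32_t unit32;

/* The bounds test a copy routine applies: n units plus a terminator must
 * fit in bufcap units. Kept as its own function so the decision can be
 * inspected without actually performing a copy. */
static int fits(size_t n, size_t bufcap)
{
    return n < bufcap;          /* same as n + 1 <= bufcap, without overflow */
}

/* Hypothetical copy routine in the style of a 32-bit copy-substring API.
 * bufcap is the buffer capacity in CODE UNITS, not bytes. Returns the number
 * of units copied, or -1 if the buffer is too small. */
static int copy_substring32(const unit32 *subject, size_t start, size_t n,
                            unit32 *buf, size_t bufcap)
{
    if (!fits(n, bufcap)) return -1;
    memcpy(buf, subject + start, n * sizeof(unit32));
    buf[n] = 0;
    return (int)n;
}

/* Caller-side helper: turn a buffer size in bytes into the capacity a
 * code-unit API expects. For 4-byte units, 256 bytes is 64 units. */
static size_t units_in(size_t bytes, size_t unit_size)
{
    return bytes / unit_size;
}

/* Review check for a capacity claim: claimed_units code units must actually
 * fit in buffer_bytes. Passing a byte count as a unit count fails this. */
static int claim_is_safe(size_t buffer_bytes, size_t claimed_units,
                         size_t unit_size)
{
    return claimed_units <= buffer_bytes / unit_size;
}

/* Constructed caller buffer of 256 bytes (64 units). */
#define COPYBUFFER_BYTES 256
static unit32 copybuffer[COPYBUFFER_BYTES / sizeof(unit32)];

/* Correct caller: capacity passed in units, so a 3-unit copy succeeds. */
static int demo_correct_caller(void)
{
    unit32 subject[8] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
    size_t cap = units_in(sizeof copybuffer, sizeof(unit32));
    return copy_substring32(subject, 2, 3, copybuffer, cap);
}

/* Correct caller, oversized request: 100 units cannot fit in 64, so the
 * routine refuses instead of writing 400 bytes into a 256-byte buffer. */
static int demo_refused_when_too_long(void)
{
    static unit32 subject[100];       /* zero-filled constructed subject */
    size_t cap = units_in(sizeof copybuffer, sizeof(unit32));
    return copy_substring32(subject, 0, 100, copybuffer, cap);
}

/* The faulty pattern, evaluated without performing the write: a byte count
 * (256) passed as the unit capacity makes fits() accept the same 100-unit
 * copy that the correct capacity (64) rejects. */
static int demo_wrong_claim_would_accept(void)
{
    return fits(100, COPYBUFFER_BYTES);   /* 1: the copy would overflow */
}

int main(void)
{
    printf("correct caller copied %d units\n", demo_correct_caller());
    printf("oversized copy result: %d\n", demo_refused_when_too_long());
    printf("byte count as unit capacity: claim safe? %d, would accept 100 units? %d\n",
           claim_is_safe(COPYBUFFER_BYTES, COPYBUFFER_BYTES, sizeof(unit32)),
           demo_wrong_claim_would_accept());
    return 0;
}
```

The point of `claim_is_safe` is that the mismatch is invisible at the call site: both 256 and 64 are plausible-looking `size_t` values, and only the relation between the buffer's byte size and the API's unit size tells them apart. Building with `-fsanitize=address`, as both participants do in this thread, catches the resulting write at run time; a unit-aware helper such as `units_in` at every call site catches it at review time.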



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#858678; Package src:pcre3. (Mon, 27 Mar 2017 16:57:12 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Mon, 27 Mar 2017 16:57:12 GMT) (full text, mbox, link).


Message #44 received at 858678@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: ph40@hermes.cam.ac.uk
Cc: 858678@bugs.debian.org, 858679@bugs.debian.org, Matthew Vernon <matthew@debian.org>
Subject: Re: Issue CVE-2017-7245 persist on current upstream r1689
Date: Mon, 27 Mar 2017 18:53:15 +0200
Hi

On Mon, Mar 27, 2017 at 05:03:58PM +0100, ph40@hermes.cam.ac.uk wrote:
> On Sun, 26 Mar 2017, Salvatore Bonaccorso wrote:
> 
> > I tried to follow the status for CVE-2017-7245 (#858678), and it looks
> > like they still fail on the "current" revision from the upstream VCS.
> 
> I believe I have fixed this at r1691. It was a one-character typo in
> pcretest, causing an incorrect buffer length to be passed to
> pcre_copy_substring() in 32-bit mode. In other words, a "user" error,
> not a bug in the library.

Thanks! Confirmed for both #858678 and #858679 that
http://vcs.pcre.org/pcre?view=revision&revision=1691 addressed the
issue.

Thanks a lot for your work and looking even at our downstream
bugreports.

To add a note on your previous comment: yes, I think we are all aware
that one should switch to pcre2; for Debian we are somehow in the
process but the Stretch release at least still will have both and
various packages depend on the 1.x version.

Regards,
Salvatore



Severity set to 'minor' from 'important'. Request was from Matthew Vernon <matthew@debian.org> to control@bugs.debian.org. (Tue, 28 Mar 2017 12:09:02 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Matthew Vernon <matthew@debian.org> to control@bugs.debian.org. (Tue, 28 Mar 2017 12:09:03 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:26:21 2019; Machine Name: beach
