pcre3: CVE-2014-9769: Segmentation fault on certain input to regular expressions with nested alternatives when JIT is used

Debian Bug report logs - #819050
pcre3: CVE-2014-9769: Segmentation fault on certain input to regular expressions with nested alternatives when JIT is used

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: deb@zagge.de

To: submit@bugs.debian.org

Subject: libpcre3 segfaults on certain regex when jit is used

Date: Wed, 23 Mar 2016 10:07:35 +0100

Package: libpcre3
Version: 2:8.35-3.3+deb8u2
Severity: serious

Dear Maintainer,

When investigating a segmentation fault in suricata it was showing the 
crash
is caused by libpcre3 when pcre_exec of a certain regex is called.
Further investigations have shown that also prcegrep using the regex 
resulted
is a segfault.

pcregrep 
'\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)' 
file
Segmentation fault

If the jit is disabled the crash does not happen

pcregrep --no-jit 
'\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)' 
file

This can be used to remotely crash Suricata when used with the open 
emergingthreats rules which contain the above regex.

The crash does no longer happen in stretch/sid which has a newer pcre 
version.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Message #10 received at 819050@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@debian.org>

To: deb@zagge.de, 819050@bugs.debian.org, control@bugs.debian.org

Subject: Re: Bug#819050: libpcre3 segfaults on certain regex when jit is used

Date: Wed, 23 Mar 2016 10:18:52 +0000

fixed 819050 2:8.38-3
severity 819050 important
tags 819050 fixed-upstream upstream help
quit

Hi,

> When investigating a segmentation fault in suricata it was showing
> the crash is caused by libpcre3 when pcre_exec of a certain regex is
> called. Further investigations have shown that also prcegrep using
> the regex resulted is a segfault.

Thanks for the report. There have been a substantial number of upstream
bug-fixes between jessie and stretch's versions of PCRE3.

> If the jit is disabled the crash does not happen

> The crash does no longer happen in stretch/sid which has a newer
> pcre version.

If the relevant upstream bugfix were found and was straightforwardly
back-portable, I'd be happy to accept the patch. I'm aware this isn't an
ideal response, but it's not entirely straightforward to look at your
(quite complex) regex and work out which of the many upstream issues it
corresponds to!

Regards,

Matthew

Message #23 received at 819050@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>

To: 819050@bugs.debian.org

Cc: team@security.debian.org

Subject: Please leave the severity at serious, this bug is a security issue.

Date: Wed, 23 Mar 2016 11:49:05 +0100

control: tag -1 security
control: severity -1 serious

Hi Matthew,

the original report may not have been 100% clear on this, but the bug is
the main cause of a vulnerability in Suricata (a network IDS/IPS) that
allows for remote denial of service, possibly remote code execution by
simply passing crafted packets by a Suricata installation.

Cheers,
-Hilko

Message #32 received at 819050@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Hilko Bengen <bengen@debian.org>

Cc: 819050@bugs.debian.org, team@security.debian.org

Subject: Re: Please leave the severity at serious, this bug is a security issue.

Date: Thu, 24 Mar 2016 07:20:37 +0100

* Hilko Bengen:

> the original report may not have been 100% clear on this, but the bug is
> the main cause of a vulnerability in Suricata (a network IDS/IPS) that
> allows for remote denial of service, possibly remote code execution by
> simply passing crafted packets by a Suricata installation.

Without the complete test case, that's hard to tell.

If we cannot reproduce this, perhaps Suricata (at least in stable)
should not explicitly enable the PCRE JIT compiler?

I'm not sure if we can keep rebasing PCRE just to fix JIT compiler
issues.

Message #37 received at 819050@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Florian Weimer <fw@deneb.enyo.de>, Hilko Bengen <bengen@debian.org>, Pierre Chifflier <pollux@debian.org>

Cc: 819050@bugs.debian.org, team@security.debian.org

Subject: Re: Please leave the severity at serious, this bug is a security issue.

Date: Thu, 24 Mar 2016 09:38:07 +0100

[Message part 1 (text/plain, inline)]

control: affects -1 suricata
On jeu., 2016-03-24 at 07:20 +0100, Florian Weimer wrote:
> * Hilko Bengen:
> 
> > 
> > the original report may not have been 100% clear on this, but the bug is
> > the main cause of a vulnerability in Suricata (a network IDS/IPS) that
> > allows for remote denial of service, possibly remote code execution by
> > simply passing crafted packets by a Suricata installation.
> Without the complete test case, that's hard to tell.
> 
> If we cannot reproduce this, perhaps Suricata (at least in stable)
> should not explicitly enable the PCRE JIT compiler?

Adding Pierre (Suricata maintainer) to the loop then.

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #44 received at 819050@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>

To: Yves-Alexis Perez <corsac@debian.org>, Florian Weimer <fw@deneb.enyo.de>, Hilko Bengen <bengen@debian.org>

Cc: 819050@bugs.debian.org, team@security.debian.org

Subject: Re: Please leave the severity at serious, this bug is a security issue.

Date: Fri, 25 Mar 2016 08:18:34 +0100

On 03/24/2016 09:38 AM, Yves-Alexis Perez wrote:
> control: affects -1 suricata
> On jeu., 2016-03-24 at 07:20 +0100, Florian Weimer wrote:
>> * Hilko Bengen:
>>
>>>
>>> the original report may not have been 100% clear on this, but the bug is
>>> the main cause of a vulnerability in Suricata (a network IDS/IPS) that
>>> allows for remote denial of service, possibly remote code execution by
>>> simply passing crafted packets by a Suricata installation.
>> Without the complete test case, that's hard to tell.
>>
>> If we cannot reproduce this, perhaps Suricata (at least in stable)
>> should not explicitly enable the PCRE JIT compiler?
> 
> Adding Pierre (Suricata maintainer) to the loop then.
> 

Hi,

Is it the same bug on PCRE that was reported last year ? If so, I have
confirmed that it is reproducible in a mail to security@
(<564C6DE1.9000600@debian.org>)
The bug is in libpcre, see
https://lists.exim.org/lurker/message/20140425.115921.793bec64.en.html
for details, and
http://vcs.pcre.org/pcre?view=revision&revision=1475
for the upstream fix.

It indeed affects programs using the JIT feature, that includes suricata.

Cheers,
Pierre

Message #49 received at 819050@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Pierre Chifflier <pollux@debian.org>, 819050-submitter@bugs.debian.org

Cc: Yves-Alexis Perez <corsac@debian.org>, Florian Weimer <fw@deneb.enyo.de>, Hilko Bengen <bengen@debian.org>, team@security.debian.org, 819050@bugs.debian.org

Subject: Re: Bug#819050: Please leave the severity at serious, this bug is a security issue.

Date: Fri, 25 Mar 2016 11:05:24 +0100

[Message part 1 (text/plain, inline)]

Hi all,

On Fri, Mar 25, 2016 at 08:18:34AM +0100, Pierre Chifflier wrote:
> On 03/24/2016 09:38 AM, Yves-Alexis Perez wrote:
> > control: affects -1 suricata
> > On jeu., 2016-03-24 at 07:20 +0100, Florian Weimer wrote:
> >> * Hilko Bengen:
> >>
> >>>
> >>> the original report may not have been 100% clear on this, but the bug is
> >>> the main cause of a vulnerability in Suricata (a network IDS/IPS) that
> >>> allows for remote denial of service, possibly remote code execution by
> >>> simply passing crafted packets by a Suricata installation.
> >> Without the complete test case, that's hard to tell.
> >>
> >> If we cannot reproduce this, perhaps Suricata (at least in stable)
> >> should not explicitly enable the PCRE JIT compiler?
> > 
> > Adding Pierre (Suricata maintainer) to the loop then.
> > 
> 
> Hi,
> 
> Is it the same bug on PCRE that was reported last year ? If so, I have
> confirmed that it is reproducible in a mail to security@
> (<564C6DE1.9000600@debian.org>)
> The bug is in libpcre, see
> https://lists.exim.org/lurker/message/20140425.115921.793bec64.en.html
> for details, and
> http://vcs.pcre.org/pcre?view=revision&revision=1475
> for the upstream fix.
> 
> It indeed affects programs using the JIT feature, that includes suricata.

Can you confirm that the packages at
https://people.debian.org/~carnil/tmp/pcre3/jessie/ fix as well the
case reported in #819050? The package at above link contain the
proposed fixes which I submitted for the next Jessie point release and
on top of it r1475 commit from upstream.

Can you otherwise provide a complete test case for #819050?

Regards,
Salvatore

[signature.asc (application/pgp-signature, inline)]

Message #57 received at 819050@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: Pierre Chifflier <pollux@debian.org>, 819050-submitter@bugs.debian.org, Yves-Alexis Perez <corsac@debian.org>, Florian Weimer <fw@deneb.enyo.de>, team@security.debian.org, 819050@bugs.debian.org

Subject: Re: Bug#819050: Please leave the severity at serious, this bug is a security issue.

Date: Fri, 25 Mar 2016 19:48:42 +0100

* Salvatore Bonaccorso:

> Can you confirm that the packages at
> https://people.debian.org/~carnil/tmp/pcre3/jessie/ fix as well the
> case reported in #819050? The package at above link contain the
> proposed fixes which I submitted for the next Jessie point release and
> on top of it r1475 commit from upstream.

After installing libpcre3_8.35-3.3+deb8u3_amd64.deb, pcregrep no longer
crashes. Thank you very much.

> Can you otherwise provide a complete test case for #819050?

It turns out that this regex does not crash pcre on just any input. The
following line reproduces the bug for me using an with unpatched
libpcre3. Is this good enough?

echo /a/eaa  |  pcregrep '\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)'


Cheers,
-Hilko

Message #65 received at 819050@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Hilko Bengen <bengen@debian.org>, 819050@bugs.debian.org

Cc: Pierre Chifflier <pollux@debian.org>, 819050-submitter@bugs.debian.org, Yves-Alexis Perez <corsac@debian.org>, Florian Weimer <fw@deneb.enyo.de>, team@security.debian.org

Subject: Re: Bug#819050: Please leave the severity at serious, this bug is a security issue.

Date: Fri, 25 Mar 2016 20:24:08 +0100

[Message part 1 (text/plain, inline)]

Hi Hilko,

On Fri, Mar 25, 2016 at 07:48:42PM +0100, Hilko Bengen wrote:
> * Salvatore Bonaccorso:
> 
> > Can you confirm that the packages at
> > https://people.debian.org/~carnil/tmp/pcre3/jessie/ fix as well the
> > case reported in #819050? The package at above link contain the
> > proposed fixes which I submitted for the next Jessie point release and
> > on top of it r1475 commit from upstream.
> 
> After installing libpcre3_8.35-3.3+deb8u3_amd64.deb, pcregrep no longer
> crashes. Thank you very much.
> 
> > Can you otherwise provide a complete test case for #819050?
> 
> It turns out that this regex does not crash pcre on just any input. The
> following line reproduces the bug for me using an with unpatched
> libpcre3. Is this good enough?
> 
> echo /a/eaa  |  pcregrep '\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)'

Thanks for the testcase, this helps!

I think I will propose the attached debdiff for the SRM, to fix this
case (separate debdiff, since +deb8u3 was already acceted by Adam just
some minutes ago).

But I suspect there is more. Florian suggested/mentioned in his first
reply, if possibly suricata should not explicitly enable the PCRE JIT
compiler at least in jessie.

Regards,
Salvatore

[pcre3_8.35-3.3+deb8u4.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #73 received at 819050-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 819050-close@bugs.debian.org

Subject: Bug#819050: fixed in pcre3 2:8.35-3.3+deb8u4

Date: Sat, 26 Mar 2016 17:47:08 +0000

Source: pcre3
Source-Version: 2:8.35-3.3+deb8u4

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 819050@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 25 Mar 2016 19:58:10 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0 libpcre3-dev libpcre3-dbg pcregrep
Architecture: source
Version: 2:8.35-3.3+deb8u4
Distribution: jessie
Urgency: medium
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 819050
Description: 
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
 libpcrecpp0 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Changes:
 pcre3 (2:8.35-3.3+deb8u4) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * Add 0001-Fixed-an-issue-with-nested-table-jumps.patch.
     Fixes issue with nested table jumps. (Closes: #819050)
Checksums-Sha1: 
 ed005c75cd39580467bbb60e16e6c2ade029e30c 1985 pcre3_8.35-3.3+deb8u4.dsc
 4fc739987e165b16693de34c36a4ba59fff57b0f 38081 pcre3_8.35-3.3+deb8u4.debian.tar.gz
Checksums-Sha256: 
 862ee7365c8cc9916f58856617701e2e2f3dcd384a34375379ddfa52b642c649 1985 pcre3_8.35-3.3+deb8u4.dsc
 93e38ad38d4cdb21d346226eebc7e2ad419cbfe0261b27d2910e8e5c3a946fb9 38081 pcre3_8.35-3.3+deb8u4.debian.tar.gz
Files: 
 92aad733f262f92a6d47f908a40d1b5e 1985 libs optional pcre3_8.35-3.3+deb8u4.dsc
 ea36f15f106f19cfad8ea0896606c11c 38081 libs optional pcre3_8.35-3.3+deb8u4.debian.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJW9pM+AAoJEAVMuPMTQ89EAxkQAIBI8L/jCPJgBHfP3DzNTMpI
DgyTZ0LSs71wHN9ydlSM18nAdQP8TQZc4L34HvuQz714qCPqmi/nydQX4yG1CvPt
SBMhCwO47czMRdWMPrdbUcGMzCfvs7eZdll2O1HZtHWMNz473BusDYhspgOHCTCJ
qZh44dC/0TDhgs6r8EZHfUw6mH3Jq3p+J4Sfk+gzafq2A7vVfmQ/u+CO5009wt8D
Ol2G1JzNjESDy6EiAr+BTxyrSsqIlHX5dqIzP12LyXejX3Es41CoODhlW/Luj1+B
rS6oFJX5mo/TfcasU02CIBkBx9MbohoQl8AKVvp3xTTIHnRHrr+T5e4x2ZsNbiR1
uxyRPUJJzlFg8IxVUgLbFHdjM9Y2uHbtCMc8VoauGIqCNfzwDO+z8BoIjdLggiV6
AMK3tnHWDAWXO0CVvfDvKSwUTAsgUOD4HT+140poPZjvcNcGT98iDK8VZPWJ38Ou
xE6H4CkgfxOA8G3lutzmz6lEAwvR5ZvGLc7lxf+oS7L0/hssLWk6DMPghmca6Iqg
QN73lCngLerAAHOn/KkPuWxyjfcQIMLMolVfNn6CN1mMqeQTENv2/xfAZ9RcCxNl
1f4ppr4g/AP9QJeq9TW7OXTSWbYIBQPK1R5BeAqIbpFOLM8YGJCJIuPkFP3XZrQH
81JY6KW9DlffD2mTOe6E
=YdBO
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.