pcre3: CVE-2015-2325: heap buffer overflow in compile_branch()

Debian Bug report logs - #781795

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 3 Apr 2015 09:33:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version pcre3/1:8.30-5

Fixed in version pcre3/2:8.35-7.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#781795; Package src:pcre3. (Fri, 03 Apr 2015 09:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Vernon <matthew@debian.org>. (Fri, 03 Apr 2015 09:33:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre3: CVE-2015-2325: heap buffer overflow in compile_branch()
Date: Fri, 03 Apr 2015 11:30:18 +0200
[Message part 1 (text/plain, inline)]
Source: pcre3
Version: 1:8.30-5
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for pcre3.

CVE-2015-2325[0]:
heap buffer overflow in compile_branch()

I was not able to reproduce the actual overflow with the reproducer,
but comment #1 [1] in the upstream bug report suggests that the bug is
present. With the attached (backported) but only lightly tested patch,
the issue goes away when running the reproducer.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-2325
[1] http://bugs.exim.org/show_bug.cgi?id=1591#c1

Regards,
Salvatore
[CVE-2015-2325.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#781795; Package src:pcre3. (Thu, 23 Apr 2015 17:24:10 GMT) (full text, mbox, link).


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
Extra info received and forwarded to list. (Thu, 23 Apr 2015 17:24:10 GMT) (full text, mbox, link).


Message #10 received at 781795@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 781795@bugs.debian.org
Subject: Re: Bug#781795: pcre3: CVE-2015-2325: heap buffer overflow in compile_branch()
Date: Thu, 23 Apr 2015 18:21:27 +0100
Hi,

On 03/04/15 10:30, Salvatore Bonaccorso wrote:

> the following vulnerability was published for pcre3.
> 
> CVE-2015-2325[0]:
> heap buffer overflow in compile_branch()

Thanks for the bug report.

> I was not able to reproduce the actual overflow with the reproducer,
> but comment #1 [1] in the upstream bug report suggests that the bug is
> present. With the attached (backported) but only lightly tested patch,
> the issue goes away when running the reproducer.

I've only just taken over maintaining pcre3; my feeling is that at this
point in the release cycle I shouldn't be trying to get a freeze
exception in a widely-depended-upon library for a severity:important bug.

Regards,

Matthew



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#781795; Package src:pcre3. (Thu, 23 Apr 2015 17:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Thu, 23 Apr 2015 17:33:05 GMT) (full text, mbox, link).


Message #15 received at 781795@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Vernon <matthew@debian.org>
Cc: 781795@bugs.debian.org
Subject: Re: Bug#781795: pcre3: CVE-2015-2325: heap buffer overflow in compile_branch()
Date: Thu, 23 Apr 2015 19:30:18 +0200
Hi Matthew,

On Thu, Apr 23, 2015 at 06:21:27PM +0100, Matthew Vernon wrote:
> Hi,
> 
> On 03/04/15 10:30, Salvatore Bonaccorso wrote:
> 
> > the following vulnerability was published for pcre3.
> > 
> > CVE-2015-2325[0]:
> > heap buffer overflow in compile_branch()
> 
> Thanks for the bug report.
> 
> > I was not able to reproduce the actual overflow with the reproducer,
> > but comment #1 [1] in the upstream bug report suggests that the bug is
> > present. With the attached (backported) but only lightly tested patch,
> > the issue goes away when running the reproducer.
> 
> I've only just taken over maintaining pcre3; my feeling is that at this
> point in the release cycle I shouldn't be trying to get a freeze
> exception in a widely-depended-upon library for a severity:important bug.

Yes, definitely; the release is now really close and this can be
deferred.

Btw, there is as well
https://security-tracker.debian.org/tracker/CVE-2015-2326 (but for
this one I have not started any investigation, so would be great if
you can have a look at this as well if possible).

Thanks for your work!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#781795; Package src:pcre3. (Thu, 23 Apr 2015 17:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
Extra info received and forwarded to list. (Thu, 23 Apr 2015 17:45:05 GMT) (full text, mbox, link).


Message #20 received at 781795@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 781795@bugs.debian.org
Subject: Re: Bug#781795: pcre3: CVE-2015-2325: heap buffer overflow in compile_branch()
Date: Thu, 23 Apr 2015 18:44:05 +0100
On 23/04/15 18:30, Salvatore Bonaccorso wrote:
> Hi Matthew,
> 
> On Thu, Apr 23, 2015 at 06:21:27PM +0100, Matthew Vernon wrote:
>> Hi,
>>
>> On 03/04/15 10:30, Salvatore Bonaccorso wrote:
>>
>>> the following vulnerability was published for pcre3.
>>>
>>> CVE-2015-2325[0]:
>>> heap buffer overflow in compile_branch()
>>
>> Thanks for the bug report.
>>
>>> I was not able to reproduce the actual overflow with the reproducer,
>>> but comment #1 [1] in the upstream bug report suggests that the bug is
>>> present. With the attached (backported) but only lightly tested patch,
>>> the issue goes away when running the reproducer.
>>
>> I've only just taken over maintaining pcre3; my feeling is that at this
>> point in the release cycle I shouldn't be trying to get a freeze
>> exception in a widely-depended-upon library for a severity:important bug.
> 
> Yes, definitely; the release is now really close and this can be
> deferred.
> 
> Btw, there is as well
> https://security-tracker.debian.org/tracker/CVE-2015-2326 (but for
> this one I have not started any investigation, so would be great if
> you can have a look at this as well if possible).

My version of pcregrep simply objects to the regexes supplied as POC in
that bug report:

mcv21@pick:~$ pcregrep '/((?+1)(\1))/' foo.txt
pcregrep: Error while studying regex: internal error: missing capturing
bracket

Regards,

Matthew



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#781795; Package src:pcre3. (Sat, 25 Apr 2015 07:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sat, 25 Apr 2015 07:00:05 GMT) (full text, mbox, link).


Message #25 received at 781795@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Vernon <matthew@debian.org>
Cc: 781795@bugs.debian.org
Subject: Re: Bug#781795: pcre3: CVE-2015-2325: heap buffer overflow in compile_branch()
Date: Sat, 25 Apr 2015 08:57:13 +0200
Hi Matthew,

On Thu, Apr 23, 2015 at 06:44:05PM +0100, Matthew Vernon wrote:
> On 23/04/15 18:30, Salvatore Bonaccorso wrote:
> > Hi Matthew,
> > 
> > On Thu, Apr 23, 2015 at 06:21:27PM +0100, Matthew Vernon wrote:
> >> Hi,
> >>
> >> On 03/04/15 10:30, Salvatore Bonaccorso wrote:
> >>
> >>> the following vulnerability was published for pcre3.
> >>>
> >>> CVE-2015-2325[0]:
> >>> heap buffer overflow in compile_branch()
> >>
> >> Thanks for the bug report.
> >>
> >>> I was not able to reproduce the actual overflow with the reproducer,
> >>> but comment #1 [1] in the upstream bug report suggests that the bug is
> >>> present. With the attached (backported) but only lightly tested patch,
> >>> the issue goes away when running the reproducer.
> >>
> >> I've only just taken over maintaining pcre3; my feeling is that at this
> >> point in the release cycle I shouldn't be trying to get a freeze
> >> exception in a widely-depended-upon library for a severity:important bug.
> > 
> > Yes, definitely; the release is now really close and this can be
> > deferred.
> > 
> > Btw, there is as well
> > https://security-tracker.debian.org/tracker/CVE-2015-2326 (but for
> > this one I have not started any investigation, so would be great if
> > you can have a look at this as well if possible).
> 
> My version of pcregrep simply objects to the regexes supplied as POC in
> that bug report:
> 
> mcv21@pick:~$ pcregrep '/((?+1)(\1))/' foo.txt
> pcregrep: Error while studying regex: internal error: missing capturing
> bracket

So I'm able to reproduce an invalid read, compiled with
DEB_BUILD_OPTIONS='hardening=-all noopt nostrip', so the bug seems to
be present at least in unstable:

==15739== Memcheck, a memory error detector
==15739== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==15739== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==15739== Command: .libs/pcretest
==15739== 
PCRE version 8.35 2014-04-04

  re> /((?i)(?+1)a(a|b\1))\s+\1/
==15739== Invalid read of size 1
==15739==    at 0x4E3863D: could_be_empty_branch (pcre_compile.c:2395)
==15739==    by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468)
==15739==    by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468)
==15739==    by 0x4E4523C: pcre_compile2 (pcre_compile.c:9462)
==15739==    by 0x4E439B3: pcre_compile (pcre_compile.c:8734)
==15739==    by 0x10EC7B: main (pcretest.c:4023)
==15739==  Address 0x58a39a2 is 32,898 bytes inside an unallocated block of size 4,093,632 in arena "client"
==15739== 
data> abc
Error -26 (nested recursion at the same subject position)

Will file another bug to track CVE-2015-2326 separately. It seems to
be due to some refactoring that happened between 8.33 and 8.36, if I
see it correctly.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#781795; Package src:pcre3. (Tue, 02 Jun 2015 14:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Zdeněk Bělehrádek <zdenek.belehradek@superhosting.cz>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Tue, 02 Jun 2015 14:57:03 GMT) (full text, mbox, link).


Message #30 received at 781795@bugs.debian.org (full text, mbox, reply):

From: Zdeněk Bělehrádek <zdenek.belehradek@superhosting.cz>
To: 781795@bugs.debian.org
Subject: Re: Bug#781795: pcre3: CVE-2015-2325: heap buffer overflow in compile_branch()
Date: Tue, 02 Jun 2015 16:48 +0200
Is there any progress on this bug?

We have been hit by this in production (or at least by a bug with similar
symptoms). For now we are using an old version of libpcre, but we would
like to use the current version.




Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#781795; Package src:pcre3. (Thu, 10 Sep 2015 20:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Thu, 10 Sep 2015 20:06:03 GMT) (full text, mbox, link).


Message #35 received at 781795@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Vernon <matthew@debian.org>
Cc: 781795@bugs.debian.org, 783285@bugs.debian.org, 787433@bugs.debian.org, 794589@bugs.debian.org, jmm@debian.org
Subject: NMU prepared for some of the pcre3 issues
Date: Thu, 10 Sep 2015 22:03:03 +0200
[Message part 1 (text/plain, inline)]
Hi Matthew,

I worked on doing an NMU for pcre3, since it has accumulated some CVEs
which we would also like to see fixed in jessie via pu (and so they need
to be fixed first in unstable).

The current debdiff is attached, but note that I have explicitly not
(yet?) addressed

- CVE-2015-3217 / #787641
- #795539
- #796762

Do you plan to update to at least 8.37, which fixes some of them? Some
others are scheduled for 8.38, which is not yet released.

Regards,
Salvatore
[pcre3_8.35-7.2.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Sep 2015 20:33:13 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 11 Sep 2015 18:39:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 11 Sep 2015 18:39:07 GMT) (full text, mbox, link).


Message #42 received at 781795-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 781795-close@bugs.debian.org
Subject: Bug#781795: fixed in pcre3 2:8.35-7.2
Date: Fri, 11 Sep 2015 18:36:33 +0000
Source: pcre3
Source-Version: 2:8.35-7.2

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 781795@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 11 Sep 2015 20:04:19 +0200
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: source
Version: 2:8.35-7.2
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 781795 783285 787433 794589
Description: 
 libpcre16-3 - Perl 5 Compatible Regular Expression Library - 16 bit runtime fil
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
 libpcre32-3 - Perl 5 Compatible Regular Expression Library - 32 bit runtime fil
 libpcrecpp0v5 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Changes:
 pcre3 (2:8.35-7.2) unstable; urgency=low
 .
   * Non-maintainer upload (with maintainer's permission).
   * Add Fix-compiler-crash-misbehaviour-for-zero-repeated-gr.patch.
     Fixes "PCRE Library Stack Overflow Vulnerability" (Upstream bug 1503)
   * Add Fix-compile-time-loop-for-recursive-reference-within.patch.
     Fixes "PCRE Call Stack Overflow Vulnerability" (Upstream bug 1515)
   * Add 794589-information-disclosure.patch.
     Fixes "pcre_exec does not fill offsets for certain regexps" leading to
     information disclosure. (Closes: #794589)
   * Add Fix-bad-compile-for-groups-like-2-0-1999.patch.
     CVE-2015-2325: heap buffer overflow in compile_branch(). (Closes: #781795)
   * Add Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch.
     CVE-2015-2326: heap buffer overflow in pcre_compile2(). (Closes: #783285)
   * Add Fix-buffer-overflow-for-named-recursive-back-referen.patch.
     CVE-2015-3210: heap buffer overflow in pcre_compile2() /
     compile_regex(). (Closes: #787433)
Checksums-Sha1: 
 d1afd74a080757a16f01c344b6d6195c6619f7a2 2074 pcre3_8.35-7.2.dsc
 dd16fc1fa3c85fa3f5a313470af51ccec487a8d9 29105 pcre3_8.35-7.2.debian.tar.gz
Checksums-Sha256: 
 cb15b92f85a894cade62cf59892d989ace89d9c7500edda7ec8866a9acaea2f3 2074 pcre3_8.35-7.2.dsc
 087754802f54f133a10576186ed4195d7cb39dfba0f2f9c94e20c31f13e25e9c 29105 pcre3_8.35-7.2.debian.tar.gz
Files: 
 7ce1fc5823e8125d4d8f1707a633dd1d 2074 libs optional pcre3_8.35-7.2.dsc
 8254b0c3a0e9399a7a093537674fd185 29105 libs optional pcre3_8.35-7.2.debian.tar.gz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Dec 2015 07:34:48 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:41:28 2019; Machine Name: buxtehude
