pcre3: CVE-2015-2326: heap buffer overflow in pcre_compile2()

Debian Bug report logs - #783285
pcre3: CVE-2015-2326: heap buffer overflow in pcre_compile2()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: pcre3: CVE-2015-2326: heap buffer overflow in pcre_compile2()

Date: Sat, 25 Apr 2015 10:36:58 +0200

Source: pcre3
Version: 2:8.35-3.3
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for pcre3.

CVE-2015-2326[0]:
heap buffer overflow in pcre_compile2()

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

It seems to be caused as side effect from some refactoring between
8.33 and 8.35, and an invalid can be reproduced. Upstream report [1]
has a detailed explanation.

| ==15750== Memcheck, a memory error detector
| ==15750== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
| ==15750== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
| ==15750== Command: .libs/pcretest
| ==15750==
| PCRE version 8.35 2014-04-04
| 
|   re> /((?+1)(\1))/
| ==15750== Invalid read of size 1
| ==15750==    at 0x4E3863D: could_be_empty_branch (pcre_compile.c:2395)
| ==15750==    by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468)
| ==15750==    by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468)
| ==15750==    by 0x4E4523C: pcre_compile2 (pcre_compile.c:9462)
| ==15750==    by 0x4E439B3: pcre_compile (pcre_compile.c:8734)
| ==15750==    by 0x10EC7B: main (pcretest.c:4023)
| ==15750==  Address 0x58a39a2 is 32,914 bytes inside an unallocated block of size 4,093,648 in arena "client"
| ==15750==
| data> abc
| No match
| data>
| ==15750==
| ==15750== HEAP SUMMARY:
| ==15750==     in use at exit: 0 bytes in 0 blocks
| ==15750==   total heap usage: 9 allocs, 9 frees, 133,767 bytes allocated
| ==15750==
| ==15750== All heap blocks were freed -- no leaks are possible
| ==15750==
| ==15750== For counts of detected and suppressed errors, rerun with: -v
| ==15750== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-2326
[1] http://bugs.exim.org/show_bug.cgi?id=1592

Regards,
Salvatore

Message #10 received at 783285@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Matthew Vernon <matthew@debian.org>

Cc: 781795@bugs.debian.org, 783285@bugs.debian.org, 787433@bugs.debian.org, 794589@bugs.debian.org, jmm@debian.org

Subject: NMU prepared for some of the pcre3 issues

Date: Thu, 10 Sep 2015 22:03:03 +0200

[Message part 1 (text/plain, inline)]

Hi Matthew,

I worked on doing a NMU for pcre3 since it has accumulated some CVEs
which we as well would like see fixed in jessie via pu (and so needs
to be fixed first in unstable).

Current debdiff is attached, but note that I have explicitly not
(yet?) addressed as well

- CVE-2015-3217 / #787641
- #795539
- #796762

Do you plan to update to at least 8.37 fixing some of them, some other
are scheduled for 8.38 which is not yet released.

Regards,
Salvatore

[pcre3_8.35-7.2.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 783285-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 783285-close@bugs.debian.org

Subject: Bug#783285: fixed in pcre3 2:8.35-7.2

Date: Fri, 11 Sep 2015 18:36:33 +0000

Source: pcre3
Source-Version: 2:8.35-7.2

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783285@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Sep 2015 20:04:19 +0200
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: source
Version: 2:8.35-7.2
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 781795 783285 787433 794589
Description: 
 libpcre16-3 - Perl 5 Compatible Regular Expression Library - 16 bit runtime fil
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 libpcre3-udeb - Perl 5 Compatible Regular Expression Library - runtime files (ude (udeb)
 libpcre32-3 - Perl 5 Compatible Regular Expression Library - 32 bit runtime fil
 libpcrecpp0v5 - Perl 5 Compatible Regular Expression Library - C++ runtime files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Changes:
 pcre3 (2:8.35-7.2) unstable; urgency=low
 .
   * Non-maintainer upload (with maintainer's permission).
   * Add Fix-compiler-crash-misbehaviour-for-zero-repeated-gr.patch.
     Fixes "PCRE Library Stack Overflow Vulnerability" (Upstream bug 1503)
   * Add Fix-compile-time-loop-for-recursive-reference-within.patch.
     Fixes "PCRE Call Stack Overflow Vulnerability" (Upstream bug 1515)
   * Add 794589-information-disclosure.patch.
     Fixes "pcre_exec does not fill offsets for certain regexps" leading to
     information disclosure. (Closes: #794589)
   * Add Fix-bad-compile-for-groups-like-2-0-1999.patch.
     CVE-2015-2325: heap buffer overflow in compile_branch(). (Closes: #781795)
   * Add Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch.
     CVE-2015-2326: heap buffer overflow in pcre_compile2(). (Closes: #783285)
   * Add Fix-buffer-overflow-for-named-recursive-back-referen.patch.
     CVE-2015-3210: heap buffer overflow in pcre_compile2() /
     compile_regex(). (Closes: #787433)
Checksums-Sha1: 
 d1afd74a080757a16f01c344b6d6195c6619f7a2 2074 pcre3_8.35-7.2.dsc
 dd16fc1fa3c85fa3f5a313470af51ccec487a8d9 29105 pcre3_8.35-7.2.debian.tar.gz
Checksums-Sha256: 
 cb15b92f85a894cade62cf59892d989ace89d9c7500edda7ec8866a9acaea2f3 2074 pcre3_8.35-7.2.dsc
 087754802f54f133a10576186ed4195d7cb39dfba0f2f9c94e20c31f13e25e9c 29105 pcre3_8.35-7.2.debian.tar.gz
Files: 
 7ce1fc5823e8125d4d8f1707a633dd1d 2074 libs optional pcre3_8.35-7.2.dsc
 8254b0c3a0e9399a7a093537674fd185 29105 libs optional pcre3_8.35-7.2.debian.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV8xmlAAoJEAVMuPMTQ89E1/YP/ix2ydDB9mMSm64KpcDWFAAe
vy8ojv2aEVM5h+S5eZv20Enx0oG9FORApm5J7R2FMjNNutAOc1zQxjoym8r6DkkD
vn2WK+OjOnEu7j78atM8QYoTG+kgC/thrT7Tn+hz+fjSHezvRXl4bGZ5x2oFvGmj
lgZTbc3dzY0WDXKZpy0WqsNshnyqcOqpZST81nT6XFwIyAqQryqHbM77j4VZ2vic
SsfETlOcxZCzYtzKh0pkVg7c9Xj0Tu+PWk5byUFynHdvPFnHqnADcy3Txnny46op
z427TSObS6cqhSAUkP1Mir7nGLS3eW1zSSiqPA/wDq9AjMvVPjKkgjrlRUCgNpQJ
haM8weHIIAlQblsv7zY67jBA0no/smVb4ig9d9PTWd0PDU26V28sHV2pS1AMvUOB
L0S+rhQw6EEX3C8sxcr3B0X6giPxiiqLFK8yqJbKyTsFKmCNNBh9maRBvW0BdWvX
Xn8B8kiD7kzVPLaxpt7xm85UtkeK9JWMCUEhrvN4ylAgt+CQAcfULNBeyZjC+S/v
xeJxYfITRB5WpwSVnzhf3Xx7XS4IBERLLXxWwqSyjDBun5XqPXyCzSPjAw1kvZ9X
G5QotasfCVPWgtkaGztKV5rYqJITNbnpSu87pVBdQ+EoL2L67F7qvI7bOydt9Xeu
pvl55R2tiFytxA0/axUf
=F5r0
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.