| Summary: | pcre new security issues CVE-2016-1283 and CVE-2016-3191 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | oe, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/678389/ | | |
| Whiteboard: | has_procedure MGA5-32-OK advisory | | |
| Source RPM: | pcre-8.38-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2016-01-03 17:38:27 CET
Assigning to maintainer.

Assignee: bugsquad => warrendiogenese

Another possible issue: http://lwn.net/Vulnerabilities/677970/
I can't locate the patch.

Fedora has issued an advisory for this on March 1:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178193.html

URL: (none) => http://lwn.net/Vulnerabilities/678389/

(In reply to David Walser from comment #2)
> Another possible issue:
> http://lwn.net/Vulnerabilities/677970/
>
> I can't locate the patch.

This is CVE-2016-3191:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3191.html

Upstream patches are linked there (also affects pcre2 in Cauldron).

LWN reference: http://lwn.net/Vulnerabilities/681755/

Ubuntu has issued an advisory for this on March 29:
http://www.ubuntu.com/usn/usn-2943-1/

It also includes the fix for CVE-2016-1283.

Summary: pcre new security issue CVE-2016-1283 => pcre new security issues CVE-2016-1283 and CVE-2016-3191

Patched pcre2 package uploaded for Cauldron.

Updated pcre packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated pcre packages fix security vulnerabilities:

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles a particular pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (CVE-2016-1283).

The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (CVE-2016-3191).

The pcre package has been updated to the latest CVS as of May 21, 2016, aka 8.39-RC1, which fixes these issues, as well as several other bugs, and possible security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?revision=1649&view=markup
========================

Updated packages in core/updates_testing:
========================
pcre-8.38-1.mga5
libpcre1-8.38-1.mga5
libpcre16_0-8.38-1.mga5
libpcre32_0-8.38-1.mga5
libpcrecpp0-8.38-1.mga5
libpcreposix1-8.38-1.mga5
libpcreposix0-8.38-1.mga5
libpcre-devel-8.38-1.mga5
libpcrecpp-devel-8.38-1.mga5
libpcreposix-devel-8.38-1.mga5

from pcre-8.38-1.mga5.src.rpm

Version: Cauldron => 5

PoCs from upstream bugs:
https://bugs.exim.org/show_bug.cgi?id=1767
https://bugs.exim.org/show_bug.cgi?id=1791

$ cat poc.php
<?php preg_match("/((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/","WenGuanxing"); ?>

$ cat ZDI-CAN-3542.php
<? preg_match('/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/', 'abc'); ?>

$ php poc.php
*** Error in `php': double free or corruption (!prev): 0x093dd628 ***
======= Backtrace: =========
[...]
Aborted

$ php ZDI-CAN-3542.php
*** stack smashing detected ***: php terminated
======= Backtrace: =========
[...]
Aborted

Also note that the patches update the build-time test suites to test for these and many other issues new and old.

After the update, Mageia 5 i586:

$ php poc.php
$ php ZDI-CAN-3542.php
PHP Warning: preg_match(): Compilation failed: missing ) at offset 509 in /tmp/ZDI-CAN-3542.php on line 1

Marking OK.

Whiteboard: (none) => has_procedure MGA5-32-OK

Advisory added in SVN. Perhaps someone could check the formatting.

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory

Nice one David, thank you. Validating.

Keywords: (none) => validated_update

Oden Eriksson
2016-05-23 21:51:04 CEST

CC: (none) => oe

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0204.html

Status: NEW => RESOLVED
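The QA procedure in this bug distinguishes a vulnerable libpcre (php aborts with a glibc heap or stack check) from a fixed one (PCRE rejects the pattern with "Compilation failed"). As an added example that is not part of the bug report or the Mageia packages, the following Python harness generalises that check: it runs each PoC file under an interpreter, classifies the outcome as crash, rejected or clean from the exit status and output, and fails the run if anything crashed or hung. The interpreter name "php" and the PoC file names are assumptions taken from the QA comment above.

```python
import subprocess
from typing import Dict, Sequence

# Possible outcomes of one PoC run. Before the fix the PoCs on this bug make
# php die with SIGABRT (glibc's "double free" / "stack smashing" checks call
# abort()); after the fix PCRE rejects the pattern at compile time instead.
CRASH, TIMEOUT, REJECTED, CLEAN = "crash", "timeout", "rejected", "clean"

# Text PHP prints when the fixed PCRE refuses the pattern (from the QA log).
REJECT_MARKER = "Compilation failed"


def classify(returncode: int, output: str) -> str:
    """Map an exit status plus captured stdout+stderr to an outcome.

    subprocess reports death by signal as a negative code (-6 for SIGABRT);
    a shell reports the same as 128 + signal number (134). Both are treated
    as a crash, which is the vulnerable behaviour being regression-tested.
    """
    if returncode < 0 or returncode >= 128:
        return CRASH
    if REJECT_MARKER in output:
        return REJECTED
    return CLEAN


def run_poc(argv: Sequence[str], timeout: float = 30.0) -> str:
    """Run one PoC command and classify it; a wedged interpreter is reported
    separately so it is never mistaken for a clean run."""
    try:
        proc = subprocess.run(list(argv), capture_output=True, text=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return TIMEOUT
    return classify(proc.returncode, proc.stdout + proc.stderr)


def check_all(poc_files: Sequence[str], interpreter: str = "php") -> Dict[str, str]:
    """Run every PoC file; the update is acceptable only if no file is
    classified as a crash or a timeout."""
    return {f: run_poc([interpreter, f]) for f in poc_files}


if __name__ == "__main__":
    # Assumed file names, taken from the QA comment on this bug.
    results = check_all(["poc.php", "ZDI-CAN-3542.php"])
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    raise SystemExit(1 if {CRASH, TIMEOUT} & set(results.values()) else 0)
```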