| Summary: | pcre new security issues CVE-2017-6004 and CVE-2017-7186 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, mageia, marja11, sysadmin-bugs, tmb, warrendiogenese |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | pcre-8.38-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 22206 | ||
| Attachments: | PoC_0024, PoC0_00206, PoC_00207 | ||
Description
David Walser
2017-02-26 16:54:59 CET
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on February 22:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ESZV6GLV63XBXTZQOAJPOWLRIG35TEV7/
>
> and an additional bugfix advisory on February 25:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/53LTF7HISA4JJLMTQKJVACHXP57XBB72/
>
> Fixed are a couple of crashes, a buffer overflow, and a couple of other bugs.
>
> Patched package uploaded for Cauldron.

Patches added in Mageia 5 SVN.

Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable.

We miss you, diogenese.

CC: (none) => marja11, warrendiogenese

More issues will be fixed in 8.41:
http://openwall.com/lists/oss-security/2017/03/20/2
http://openwall.com/lists/oss-security/2017/03/20/3
http://openwall.com/lists/oss-security/2017/03/20/4 (CVE-2017-7186)
http://openwall.com/lists/oss-security/2017/03/20/5
http://openwall.com/lists/oss-security/2017/03/20/7

and one will not be:
http://openwall.com/lists/oss-security/2017/03/20/6

Summary: pcre new security issue CVE-2017-6004 => pcre new security issues CVE-2017-6004 and CVE-2017-7186

(In reply to David Walser from comment #2)
> http://openwall.com/lists/oss-security/2017/03/20/5 (CVE-2017-724[56])
> http://openwall.com/lists/oss-security/2017/03/20/7 (CVE-2017-7244)

CVEs noted above for a couple more of these, from:
http://openwall.com/lists/oss-security/2017/03/24/1
http://openwall.com/lists/oss-security/2017/03/24/2

Fedora has issued an advisory for CVE-2017-7186 on April 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQ6PIE4TXTZQP7KMWCXA4KI6BZQOGEPM/

Fedora has fixed CVE-2017-7186 in pcre on May 1 (previous one was for pcre2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XEYMUTVQAMYFGYH7ZE6RJD34GJMBZRMS/
David Walser
2017-12-16 21:29:25 CET
Version: 5 => 6

*** Bug 22210 has been marked as a duplicate of this bug. ***

I have uploaded a patched/updated package for Mageia 5/6.

You can test the patch by calling "pcretest -m -C". Before the patch it reports "Match recursion uses stack: approximate frame size = 4 bytes". After it will report a correct size for the stack.

Suggested advisory:
========================

Updated pcre packages fix many security vulnerabilities:

http://openwall.com/lists/oss-security/2017/03/20/2
http://openwall.com/lists/oss-security/2017/03/20/3
http://openwall.com/lists/oss-security/2017/03/20/4 (CVE-2017-7186)
http://openwall.com/lists/oss-security/2017/03/20/5 (CVE-2017-724[56])
http://openwall.com/lists/oss-security/2017/03/20/7 (CVE-2017-7244)
========================

Updated packages in core/updates_testing:
========================
MGA5:
lib64pcre16_0-8.41-1-1.mga5.x86_64.rpm
lib64pcre1-8.41-1-1.mga5.x86_64.rpm
lib64pcre32_0-8.41-1-1.mga5.x86_64.rpm
lib64pcrecpp0-8.41-1-1.mga5.x86_64.rpm
lib64pcrecpp-devel-8.41-1-1.mga5.x86_64.rpm
lib64pcre-devel-8.41-1-1.mga5.x86_64.rpm
lib64pcreposix0-8.41-1-1.mga5.x86_64.rpm
lib64pcreposix1-8.41-1-1.mga5.x86_64.rpm
lib64pcreposix-devel-8.41-1-1.mga5.x86_64.rpm
pcre-8.41-1-1.mga5.x86_64.rpm
pcre-debuginfo-8.41-1-1.mga5.x86_64.rpm

MGA6:
lib64pcre16_0-8.41-1.mga6.x86_64.rpm
lib64pcre1-8.41-1.mga6.x86_64.rpm
lib64pcre32_0-8.41-1.mga6.x86_64.rpm
lib64pcrecpp0-8.41-1.mga6.x86_64.rpm
lib64pcrecpp-devel-8.41-1.mga6.x86_64.rpm
lib64pcre-devel-8.41-1.mga6.x86_64.rpm
lib64pcreposix0-8.41-1.mga6.x86_64.rpm
lib64pcreposix1-8.41-1.mga6.x86_64.rpm
lib64pcreposix-devel-8.41-1.mga6.x86_64.rpm
lib64pcre-static-devel-8.41-1.mga6.x86_64.rpm
pcre-8.41-1.mga6.x86_64.rpm
pcre-debuginfo-8.41-1.mga6.x86_64.rpm

Source RPMs:
pcre-8.41-1-1.mga5.src.rpm
pcre-8.41-1.mga6.src.rpm
Marc Krämer
2017-12-16 22:03:07 CET
Assignee: pkg-bugs => qa-bugs

Sorry, this won't work.... You need to keep the upgrade path working...

You now have:
mga5: pcre-8.41-1.1.mga5
mga6: pcre-8.41-1.mga6

So an upgrade from mga5 to mga6 won't work. mga6 needs to be at least at the same subrel level to keep it working.

Keywords: (none) => feedback

That's why I told Marc on IRC to remove the subrel first. Thomas, please remove the mga5 build from updates_testing so we can do this correctly.

mga5 rpms removed... wait a while for hdlists to update.

Thanks Thomas.

subrel removed in SVN:
http://svnweb.mageia.org/packages?view=revision&revision=1182977

Sorry, it was intentional from me to add subrel here, but it was a misunderstanding from the build system that made me do it. I've resubmitted the pcre-package for mga5.

No worries... it's a learning process... :)

Advisory:
========================

Updated pcre packages fix security vulnerabilities:

The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression (CVE-2017-6004).

A vulnerability was found in pcre caused by trying to find a Unicode property for a code value greater than 0x10ffff, the Unicode maximum, when running in non-UTF mode (where character values can be up to 0xffffffff) (CVE-2017-7186).

The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file (CVE-2017-7244).

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file (CVE-2017-7245).

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file (CVE-2017-7246).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7245
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7246
http://openwall.com/lists/oss-security/2017/03/24/1
http://openwall.com/lists/oss-security/2017/03/24/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ESZV6GLV63XBXTZQOAJPOWLRIG35TEV7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XEYMUTVQAMYFGYH7ZE6RJD34GJMBZRMS/
========================

Updated packages in core/updates_testing:
========================
pcre-8.41-1.mga5
libpcre1-8.41-1.mga5
libpcre16_0-8.41-1.mga5
libpcre32_0-8.41-1.mga5
libpcrecpp0-8.41-1.mga5
libpcreposix1-8.41-1.mga5
libpcreposix0-8.41-1.mga5
libpcre-devel-8.41-1.mga5
libpcrecpp-devel-8.41-1.mga5
libpcreposix-devel-8.41-1.mga5
pcre-8.41-1.mga6
libpcre1-8.41-1.mga6
libpcre16_0-8.41-1.mga6
libpcre32_0-8.41-1.mga6
libpcrecpp0-8.41-1.mga6
libpcreposix1-8.41-1.mga6
libpcreposix0-8.41-1.mga6
libpcre-devel-8.41-1.mga6
libpcrecpp-devel-8.41-1.mga6
libpcreposix-devel-8.41-1.mga6
libpcre-static-devel-8.41-1.mga6

from SRPMS:
pcre-8.41-1.mga5.src.rpm
pcre-8.41-1.mga6.src.rpm

Keywords: feedback => (none)

Testing M5/64

Two binaries: pcregrep, pcretest.

Found some test files:

CVE-2017-6004: https://bugs.exim.org/show_bug.cgi?id=2035
<?php
$pattern = "/(((?(?!))0(?1))(?''))/";
preg_match($pattern, "helloworld");
?>
Should segfault.

CVE-2017-7186: https://github.com/asarubbo/poc/blob/master/00204-pcre-invalidread1-pcre_exec
# pcretest -32 -d $FILE

CVE-2017-7244-6: https://github.com/asarubbo/poc/blob/master/00206-pcre-invalidread-_pcre32_xclass
# pcretest -32 -d $FILE

CVE-2017-7245/6: https://github.com/asarubbo/poc/blob/master/00207-pcre-stackoverflow-pcre32_copy_substring
# pcretest -32 -d $FILE

--------------------------------------------------------------------
BEFORE update:
lib64pcre1-8.38-1.mga5
lib64pcreposix1-8.38-1.mga5
lib64pcre-devel-8.38-1.mga5
lib64pcre16_0-8.38-1.mga5
lib64pcre32_0-8.38-1.mga5
pcre-8.38-1.mga5

$ pcretest -m -C [comment 7]
PCRE version 8.39-RC1 2015-11-23
Compiled with
...
Match recursion uses stack: approximate frame size = 172 bytes

# pcretest -32 -d Desktop/00204-pcre-invalidread1-pcre_exec
PCRE version 8.39-RC1 2015-11-23
... lots of O/P
Segmentation fault

# pcretest -32 -d Desktop/00206-pcre-invalidread-_pcre32_xclass
PCRE version 8.39-RC1 2015-11-23
... lots of O/P
Segmentation fault

# pcretest -32 -d Desktop/00207-pcre-stackoverflow-pcre32_copy_substring
PCRE version 8.39-RC1 2015-11-23
... lots of O/P
*** stack smashing detected ***: pcretest terminated
Segmentation fault
--------------------------------------------------------------------
AFTER update:
- lib64pcre-devel-8.41-1.mga5.x86_64
- lib64pcre1-8.41-1.mga5.x86_64
- lib64pcre16_0-8.41-1.mga5.x86_64
- lib64pcre32_0-8.41-1.mga5.x86_64
- lib64pcreposix1-8.41-1.mga5.x86_64
- pcre-8.41-1.mga5.x86_64

$ pcretest -m -C
PCRE version 8.41 2017-07-05
Compiled with
...
Match recursion uses stack: approximate frame size = 512 bytes
which shows something.

# pcretest -32 -d Desktop/00204-pcre-invalidread1-pcre_exec
PCRE version 8.41 2017-07-05
... lots of O/P
** Delimiter must not be alphanumeric or \
GOOD

# pcretest -32 -d Desktop/00206-pcre-invalidread-_pcre32_xclass
PCRE version 8.41 2017-07-05
... lots of O/P
No match
GOOD

# pcretest -32 -d Desktop/00207-pcre-stackoverflow-pcre32_copy_substring
PCRE version 8.41 2017-07-05
... lots of O/P
T�** Unexpected EOF
GOOD

So giving this the thumbs up. Will attach the 3 test files to the bug.

CC: (none) => lewyssmith

Created attachment 9839 [details]
PoC_0024
1/3 PoCs for various CVEs. Run with
$ pcretest -32 -d <filename>
Crashes before update, not after.
Created attachment 9840 [details]
PoC0_00206
2/3 PoCs for various CVEs. Run with
$ pcretest -32 -d <filename>
Crashes before update, not after.
Created attachment 9841 [details]
PoC_00207
3/3 PoCs for various CVEs. Run with
$ pcretest -32 -d <filename>
Crashes before update, not after.
Re the mini-script given in comment 15 re CVE-2017-6004, it did not segfault at all for M6/64. It may be a 32-bit only crash (one of the faults is), hence to test thus.

Keywords: (none) => advisory

BEFORE update, all pkgs at version -8.40-2.mga6

1. Ex C7
$ pcretest -m -C
PCRE version 8.40 2017-01-11
...
Match recursion uses stack: approximate frame size = 4 bytes

2. mini-script in C15
$ php pcretest.php
No segfault as expected; just for 32-bit?

3. $ pcretest -32 -d 00204-pcre-invalidread1-pcre_exec
...
Segmentation fault (core dumped)

4. $ pcretest -32 -d 00206-pcre-invalidread-_pcre32_xclass
...
Segmentation fault (core dumped)

5. $ pcretest -32 -d 00207-pcre-stackoverflow-pcre32_copy_substring
...
Segmentation fault (core dumped)

------------------------------------
AFTER update:
- lib64pcre-devel-8.41-1.mga6.x86_64
- lib64pcre1-8.41-1.mga6.x86_64
- lib64pcre16_0-8.41-1.mga6.x86_64
- lib64pcre32_0-8.41-1.mga6.x86_64
- lib64pcreposix1-8.41-1.mga6.x86_64
- pcre-8.41-1.mga6.x86_64

1. $ pcretest -m -C
PCRE version 8.41 2017-07-05
...
Match recursion uses stack: approximate frame size = 512 bytes
Good result.

2. $ php pcretest.php
Again no segfault, shows nothing.

3. $ pcretest -32 -d 00204-pcre-invalidread1-pcre_exec
...
** Delimiter must not be alphanumeric or \
$
Good result.

4. $ pcretest -32 -d 00206-pcre-invalidread-_pcre32_xclass
...
No match
$
Good result.

5. $ pcretest -32 -d 00207-pcre-stackoverflow-pcre32_copy_substring
...
T�** Unexpected EOF
$
Good result.
------------------
OKing & validating.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0454.html

Resolution: (none) => FIXED
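The upgrade-path rule applied in the thread above (the mga6 build must sort at least as new as the mga5 build in RPM ordering, which the ".1" subrel on mga5 broke until it was removed) as an added example that is not part of this bug report or of Mageia's tooling: a Python re-implementation of rpm's rpmvercmp segment rules (numeric beats alphabetic, leading zeros ignored, tilde sorts first, leftover segments win), with a check of the two package pairs from the thread. Caret ("^") ordering from newer rpm releases is left out, and epoch is assumed to be 0 for both packages.

```python
import re
from itertools import zip_longest

# Segments are runs of digits, runs of letters, or a bare tilde; separators are dropped.
_SEG = re.compile(r'[0-9]+|[A-Za-z]+|~')


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings with rpm's rpmvercmp rules.
    Returns 1 if a is newer, -1 if b is newer, 0 if they sort equal.
    Caret ('^') handling is not implemented (assumption: not needed here)."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == '~' or y == '~':
            if x != y:                      # tilde sorts before anything, even end of string
                return -1 if x == '~' else 1
            continue
        if x is None or y is None:          # whichever string still has segments left is newer
            return -1 if x is None else 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:                    # a numeric segment is always newer than an alpha one
            return 1 if xnum else -1
        if xnum:
            x, y = int(x), int(y)           # numeric compare, so leading zeros do not matter
        if x != y:
            return 1 if x > y else -1
    return 0


def split_nvr(nvr: str):
    """Split 'name-version-release' (epoch assumed 0) into its three parts."""
    name, version, release = nvr.rsplit('-', 2)
    return name, version, release


def upgrade_path_ok(older_dist_nvr: str, newer_dist_nvr: str) -> bool:
    """True when the build for the newer distro release sorts at least as new as
    the build for the older release, so a dist-upgrade replaces the old package."""
    n1, v1, r1 = split_nvr(older_dist_nvr)
    n2, v2, r2 = split_nvr(newer_dist_nvr)
    if n1 != n2:
        raise ValueError("comparing different packages")
    cmp = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return cmp <= 0


if __name__ == "__main__":
    # The two pairs from this bug: the first (subrel on mga5) breaks the upgrade path.
    for old, new in [("pcre-8.41-1.1.mga5", "pcre-8.41-1.mga6"),
                     ("pcre-8.41-1.mga5", "pcre-8.41-1.mga6")]:
        print(old, "->", new, "OK" if upgrade_path_ok(old, new) else "BROKEN")
```

A broken path here matters for security updates in particular: a user who dist-upgrades would keep the mga5 build and never receive later mga6 fixes for the package.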