Bug 26549

Summary: re2c new infinite loop security issue (CVE-2018-21232)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, ouaurelien, qa-bugs, skvadrik, sysadmin-bugs, tarazed25, zombie_ryushu
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-11958
Whiteboard: MGA7-64-OK
Source RPM: re2c-1.1.1-1.mga7.src.rpm CVE: CVE-2018-21232
Status comment:
Attachments: Small stack reproducer input for re2c
Basic test of the lexer

Description David Walser 2020-04-27 23:10:50 CEST 
A security issue fixed upstream in re2c has been announced today (April 27):
https://www.openwall.com/lists/oss-security/2020/04/27/2

The upstream commits that fixed the issue are referenced in the message above.

I'm not sure if Mageia 7 is affected, but there is information on the upstream bug (also referenced in the message above) on how to reproduce the issue, so this could be determined.
Comment 1 David Walser 2020-05-14 16:51:50 CEST 
This has been assigned CVE-2018-21232:
https://www.openwall.com/lists/oss-security/2020/05/14/4

Whiteboard: (none) => MGA7TOO
Summary: re2c new infinite loop security issue => re2c new infinite loop security issue (CVE-2018-21232)
Status comment: (none) => Patches available upstream

Comment 2 David Walser 2020-05-14 17:44:45 CEST 
Fixed in Cauldron in re2c-1.3-2.mga8 by David Geiger.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 3 David GEIGER 2020-09-10 07:23:16 CEST 
Done for mga7 updating to latest upstream release 2.0.3!
Comment 4 David Walser 2020-09-10 20:14:55 CEST 
Advisory:
========================

Updated re2c package fixes security vulnerability:

re2c before 2.0 has uncontrolled recursion that causes stack consumption in
find_fixed_tags (CVE-2018-21232).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21232
https://github.com/skvadrik/re2c/issues/219
========================

Updated packages in core/updates_testing:
========================
re2c-2.0.3-1.mga7

from re2c-2.0.3-1.mga7.src.rpm

Status comment: Patches available upstream => (none)
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 5 Len Lawrence 2020-09-13 16:47:46 CEST 
Created attachment 11880 [details]
Small stack reproducer input for re2c

$ ulimit -s 256; re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Expect segmentation fault.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2020-09-13 17:09:55 CEST 
Created attachment 11881 [details]
Basic test of the lexer

$ re2c 01_basic.re -o basic.c -i
Comment 7 Len Lawrence 2020-09-13 17:10:57 CEST 
mga7, x86_64

CVE-2018-21232
The report for the stack overflow issue at https://github.com/skvadrik/re2c/issues/219
indicates that it can be reproduced using overflow-1.re as input to re2c but the unfortunate thing is that there is no link to that file.
After a bit of digging it turned up on GitHub in this folder https://github.com/skvadrik/re2c/tree/master/test/overflow-1.re
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

Updated the package.
$ rpm -q re2c
re2c-2.0.3-1.mga7
$ ulimit -s 256; re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

So, Mageia 7 was affected and still is.

Downloaded an example from svadrik's files.

$ re2c 01_basic.re -o basic_01.c -i

The output is C code with several gotoes (!).
$ cat basic_01.c
/* Generated by re2c 2.0.3 on Sun Sep 13 16:00:01 2020 */
// re2c $INPUT -o $OUTPUT -i
#include <assert.h>                 //
                                    // C/C++ code
int lex(const char *YYCURSOR)       //
{
    
{
	char yych;
	yych = *YYCURSOR;
	switch (yych) {
	case 'A' ... 'Z':
	case '_':
	case 'a' ... 'z': goto yy4;
	default: goto yy2;
	}
yy2:
	++YYCURSOR;
	{ return 1; }
yy4:
	yych = *++YYCURSOR;
	switch (yych) {
	case '0' ... '9':
	case 'A' ... 'Z':
	case '_':
	case 'a' ... 'z': goto yy4;
	default: goto yy6;
	}
yy6:
	{ return 0; }
}

}                                   //
                                    //
int main()                          //
{                                   // C/C++ code
    assert(lex("_Zer0") == 0);      //
    return 0;                       //
}                                   //

Leaving things there.  Need advice on releasing this given that the bug does not appear to be fixed.
Comment 8 David Walser 2020-09-13 17:51:24 CEST 
I guess he thought he fixed it enough for the test case to pass, but not so much.  The upstream issue hasn't been closed yet either.

Status comment: (none) => Apparently not fully fixed upstream as of 2.0.3
Assignee: qa-bugs => pkg-bugs
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
CC: (none) => qa-bugs

Comment 9 Zombie Ryushu 2020-12-19 20:40:38 CET 
re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.

URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2020-11958
CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-11958

David Walser 2020-12-28 17:09:58 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 10 Nicolas Lécureuil 2021-03-09 21:15:54 CET 
can someone add comments in https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a ?

cf: https://security-tracker.debian.org/tracker/CVE-2020-11958

CC: (none) => mageia

Comment 11 Ulya Trofimovich 2021-03-12 23:23:05 CET 
Hi, re2c developer here.

The original buffer overflow was fixed in https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a, and the reproducer in comment #7 limits stack size to 256 bytes, so there is a segfault due to a stack overflow in one of the recursive tree-walking functions. It is unrelated to buffer overflow.

There is another bug to get rid of recursion (https://github.com/skvadrik/re2c/issues/219), but it's somewhat low-priority as re2c is not required to work on systems with 256-byte stack.

CC: (none) => skvadrik

Comment 12 Nicolas Lécureuil 2021-03-13 09:40:26 CET 
(In reply to Ulya Trofimovich from comment #11)
> Hi, re2c developer here.
> 
> The original buffer overflow was fixed in
> https://github.com/skvadrik/re2c/commit/
> c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a, and the reproducer in comment #7
> limits stack size to 256 bytes, so there is a segfault due to a stack
> overflow in one of the recursive tree-walking functions. It is unrelated to
> buffer overflow.
> 
> There is another bug to get rid of recursion
> (https://github.com/skvadrik/re2c/issues/219), but it's somewhat
> low-priority as re2c is not required to work on systems with 256-byte stack.

Thank you i really appreciate your answer :-)


we can then validate this bugreport and follow the other one to add it in mageia when fixed.

Assignee: pkg-bugs => qa-bugs

Comment 13 Len Lawrence 2021-03-13 16:46:50 CET 
mga7, x86_64

Checked this in mga8 first to confirm that the short stack test continues to segfault.
In mga7 with the default stack the poc yields:
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
overflow-1.re:4:2: warning: control flow is undefined for strings that match '\x30 \x30 \x30 \x30 \x30 \x5F \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x5F
[...]
\x64 \x5F \x68 \x65 \x72 \x65 \x5F \x69 \x73 \x5F \x74 \x68 \x65 \x5F \x6F \x76 \x65 \x72 \x66 \x6C \x66 \x6F \x77 [\x0-\x3E\x40-\xFF]' ... and a few more, use default rule '*' [-Wundefined-control-flow]

The overflow-1.c file contains ~8218 labelled switch statements.

... which looks like the original buffer overflow issue handled better.  

Current version is re2c-2.0.3-1 here

In mga7, with the short stack this still segfaults.
$ ulimit -s 256
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

Is there an update in the wings?
Comment 14 Nicolas Lécureuil 2021-03-13 20:39:15 CET 
there is no updates for this one yet, but i will take a look and provide one asap.

But i prefer this in a new bugreport, if you don't have any opposition.
Comment 15 Len Lawrence 2021-03-13 21:18:29 CET 
Of course not.  Go ahead.
Aurelien Oudelet 2021-03-14 16:29:46 CET

Version: Cauldron => 8
CC: (none) => ouaurelien
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 16 Len Lawrence 2021-04-11 16:32:29 CEST 
Referring to comment 14 it looks like we should close this and wait for a new bug to be posted.
Giving this an OK for Mageia 7.  Shall run it past Mageia 8 later with a view to validating it.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 17 Len Lawrence 2021-04-11 18:09:15 CEST 
Found that it had been checked for Mageia 8 but tried it again.
re2c-2.0.3-1.mga8

CVE-2018-21232
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
overflow-1.re:4:2: warning: control flow is undefined for strings that match '\x30 \x30 \x30 \x30 \x30 \x5F \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x5F
.....
76 \x65 \x72 \x66 \x6C \x66 \x6F \x77 [\x0-\x3E\x40-\xFF]' ... and a few more, use default rule '*' [-Wundefined-control-flow]

Skipped the short-stack test in view of the remark in comment 11.
Ran the test used previously, comment 7.
$ re2c 01_basic.re -o basic_01.c -i
That produced valid C code as before.

So, we let this go pending a further update.

CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update

Comment 18 Aurelien Oudelet 2021-04-12 15:48:34 CEST 
(In reply to Nicolas Lécureuil from comment #10)
> can someone add comments in
> https://github.com/skvadrik/re2c/commit/
> c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a ?
> 
> cf: https://security-tracker.debian.org/tracker/CVE-2020-11958

Is this landed in the SRPM for Mageia 7?
Or it is an other Bug Report?


(In reply to Len Lawrence from comment #17)
> Found that it had been checked for Mageia 8 but tried it again.
> re2c-2.0.3-1.mga8
> 
> CVE-2018-21232
<snip>
> 
> So, we let this go pending a further update.

This is already in 8/core/release repository.


Assigning back to Mageia 7, adding NEEDINFO Status.

Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK => (none)
Keywords: validated_update => (none)
Status: NEW => NEEDINFO
Source RPM: re2c-1.2.1-3.mga8.src.rpm => re2c-1.1.1-1.mga7.src.rpm
Version: 8 => 7
CVE: CVE-2020-11958 => CVE-2018-21232

Comment 19 David Walser 2021-06-29 01:20:43 CEST 
(In reply to Aurelien Oudelet from comment #18)
> (In reply to Nicolas Lécureuil from comment #10)
> > can someone add comments in
> > https://github.com/skvadrik/re2c/commit/
> > c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a ?
> > 
> > cf: https://security-tracker.debian.org/tracker/CVE-2020-11958
> 
> Is this landed in the SRPM for Mageia 7?
> Or it is an other Bug Report?

Yes, the vulnerability was introduced in 1.2 and fixed in 2.0.

Status: NEEDINFO => ASSIGNED
Status comment: Apparently not fully fixed upstream as of 2.0.3 => (none)
Whiteboard: (none) => MGA7-64-OK

Comment 20 Thomas Andrews 2021-06-29 14:29:40 CEST 
Well, if David W. says it's now OK, who am I to argue? Validating once again.

CC: (none) => andrewsfarm
Keywords: (none) => validated_update

Comment 21 Aurelien Oudelet 2021-06-29 15:53:55 CEST 
Advisory from comment 4.

Keywords: (none) => advisory

Comment 22 Mageia Robot 2021-06-29 19:32:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0299.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED