CVEs have been requested for two stack overflow issues fixed last year in PCRE:
http://openwall.com/lists/oss-security/2015/05/31/4
http://openwall.com/lists/oss-security/2015/05/31/5

The issues were in pcre_compile.c, the log for which is here:
http://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?view=log

The exim#1503 issue was fixed in PCREr1495 and the exim#1515 issue was fixed in PCREr1498. Both of those fixes were included in 8.36, so Cauldron already has them.

However, there are some other commits for overflow issues in that log. PCREr1537 and PCREr1542 say they also fix stack overflow bugs. Those commits were included in 8.37, so Cauldron also has those.

PCREr1557-1560 say they fix buffer overflow bugs. Cauldron would be affected by those.
(In reply to David Walser from comment #0)
> PCREr1557-1560 say they fix buffer overflow bugs. Cauldron would be
> affected by those.

There was an announcement alluding to this on oss-security, but it's completely unclear. CVE-2015-3210 has been allocated, but they didn't indicate which of those four commits it refers to. Apparently, though, the other commits are for similar issues.
Version: 4 => Cauldron
Summary: pcre new security issues fixed upstream => pcre new security issues fixed upstream (including CVE-2015-3210)
Whiteboard: (none) => MGA5TOO, MGA4TOO
CVE-2015-3217 has also been reported:
http://openwall.com/lists/oss-security/2015/06/03/7

I don't think there's a fix for that one yet.
(In reply to David Walser from comment #1)
> (In reply to David Walser from comment #0)
> > PCREr1557-1560 say they fix buffer overflow bugs. Cauldron would be
> > affected by those.
>
> There was an announcement alluding to this on oss-security, but it's
> completely unclear. CVE-2015-3210 has been allocated, but they didn't
> indicate which of those four commits it refers to. Apparently, though, the
> other commits are for similar issues.

http://openwall.com/lists/oss-security/2015/06/01/7

That was the announcement I mentioned earlier, I forgot to post the link.
CC: (none) => mageia
Assignee: bugsquad => warrendiogenese
URL: (none) => http://lwn.net/Vulnerabilities/647305/
Needed in just mga4:
http://vcs.pcre.org/pcre?view=revision&revision=1495
http://vcs.pcre.org/pcre?view=revision&revision=1498
http://vcs.pcre.org/pcre?view=revision&revision=1537
http://vcs.pcre.org/pcre?view=revision&revision=1542

Needed for both:
http://vcs.pcre.org/pcre?view=revision&revision=1557
http://vcs.pcre.org/pcre?view=revision&revision=1558
http://vcs.pcre.org/pcre?view=revision&revision=1559
http://vcs.pcre.org/pcre?view=revision&revision=1560
http://vcs.pcre.org/pcre?view=revision&revision=1562
http://vcs.pcre.org/pcre?view=revision&revision=1563
http://vcs.pcre.org/pcre?view=revision&revision=1565

PCREr1562 and PCREr1563 are fixes for a buffer overflow and integer overflow also in pcre_compile.c. PCREr1565 is in pcre_exec.c. It's not entirely clear which CVEs or upstream bugs each commit corresponds to.

1565 might be this one:
https://bugs.exim.org/show_bug.cgi?id=1638 (CVE-2015-3217)

1562 might be this one:
https://bugs.exim.org/show_bug.cgi?id=1636 (CVE-2015-3210)

Other older bugs only affecting Mageia 4 that I referenced in Comment 0 are here. All of these upstream bugs have PoCs:
https://bugs.exim.org/show_bug.cgi?id=1503
https://bugs.exim.org/show_bug.cgi?id=1515
Summary: pcre new security issues fixed upstream (including CVE-2015-3210) => pcre new security issues fixed upstream (including CVE-2015-3210 and CVE-2015-3217)
Patch committed in Cauldron SVN. Freeze push requested.
Fixed in pcre-8.37-2.mga5 before the Mageia 5 release. Rediffing these patches for Mageia 4 appears to be non-trivial.
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
Another CVE has been issued for an issue fixed upstream in pcre_compile.c:
http://openwall.com/lists/oss-security/2015/06/26/3

At least the patch for this one (pasted in the upstream bug linked in the message above and also checked into Mageia 5 and Cauldron) applies cleanly to the mga4 version, but we still have to sort out what to do with these other issues.

The Mageia 5 update for this issue is in Bug 16217.
Summary: pcre new security issues fixed upstream (including CVE-2015-3210 and CVE-2015-3217) => pcre new security issues fixed upstream (including CVE-2015-3210, CVE-2015-3217, and CVE-2015-5073)
(In reply to David Walser from comment #7)
> Another CVE has been issued for an issue fixed upstream in pcre_compile.c:
> http://openwall.com/lists/oss-security/2015/06/26/3
>
> At least the patch for this one (pasted in the upstream bug linked in the
> message above and also checked into Mageia 5 and Cauldron) applies cleanly
> to the mga4 version, but we still have to sort out what to do with these
> other issues.
>
> The Mageia 5 update for this issue is in Bug 16217.

Possibly not an issue on Mageia 4. PoC attached to https://bugs.exim.org/show_bug.cgi?id=1651

Can anyone verify that Mageia 4 is not affected on x86_64? I get this on i586:
$ php poc.php
PHP Warning:  preg_match(): Compilation failed: lookbehind assertion is not fixed length at offset 125 in /tmp/poc.php on line 2
Some more playing with this, I don't think CVE-2015-3210 affects the Mageia 4 version either.

I am also pretty sure that CVE-2015-3217 was not effectively fixed upstream at all.

I have a patch that has I think all the relevant components of the upstream patches I cited earlier except for the overflow in PCREr1559 which is still a valid bug for us. The code has changed too much to figure out how to fix that one.
http://vcs.pcre.org/pcre?view=revision&revision=1559

My patch definitely fixes upstream bugs 1503 and 1515 though, so that's nice. It's checked into SVN.
Which issues are still not fixed for mga4?
(In reply to Sander Lepik from comment #10)
> Which issues are still not fixed for mga4?

See Comment 9. Note that the fixes are only in SVN as of now.
I'm probably getting something wrong here :/

You mention PCREr1559 but changes there seem to be included in pcre-8.37-overflows.patch

Something else we are missing that you didn't link in your comment?
Oh.. my bad, I checked out mga5 :(
I checked Fedora's updates and it seems that they didn't include this patch in their update. So maybe we should just release the update before mga4 reaches its EOL. Better fix some issues than nothing at all. WDYT?
So right now we have PCREr1559 not fixed in Mageia 4, CVE-2015-3217 not fixed in any version, and a CVE request for another issue in pcre_exec.c, which needs to be backported to Mageia 4 as well:
http://openwall.com/lists/oss-security/2015/08/04/2
(In reply to David Walser from comment #15)
> So right now we have PCREr1559 not fixed in Mageia 4, CVE-2015-3217 not
> fixed in any version, and a CVE request for another issue in pcre_exec.c,
> which needs to be backported to Mageia 4 as well:
> http://openwall.com/lists/oss-security/2015/08/04/2

Fix for that one is here:
http://vcs.pcre.org/pcre?view=revision&revision=1510

CVE request for yet another issue:
http://openwall.com/lists/oss-security/2015/08/05/3

which is fixed here:
http://vcs.pcre.org/pcre?view=revision&revision=1585

I also noticed a new buffer overflow fix:
http://vcs.pcre.org/pcre?view=revision&revision=1571
(In reply to David Walser from comment #16)
> CVE request for yet another issue:
> http://openwall.com/lists/oss-security/2015/08/05/3
>
> which is fixed here:
> http://vcs.pcre.org/pcre?view=revision&revision=1585

Fedora has issued an advisory for this on August 13:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163731.html

LWN reference:
http://lwn.net/Vulnerabilities/654544/
CVE request for yet another issue:
http://openwall.com/lists/oss-security/2015/08/24/1

which is fixed here:
http://vcs.pcre.org/pcre?view=revision&revision=1594

I also noticed an integer overflow fix:
http://vcs.pcre.org/pcre?view=revision&revision=1589
Changing the version since there are unresolved issues for current. Removing CVE-2015-3210 and CVE-2015-5073 from the bug title since they don't affect Mageia 4 and are fixed in Mageia 5.
Version: 4 => Cauldron
Summary: pcre new security issues fixed upstream (including CVE-2015-3210, CVE-2015-3217, and CVE-2015-5073) => pcre new security issues fixed upstream (including CVE-2015-3217)
Whiteboard: (none) => MGA5TOO, MGA4TOO
We probably would be better off pulling the latest code from upstream CVS and checking if CVE-2015-3217 is fixed there. I wonder when they'll do a new release.
Test cases:

$ pcretest
PCRE version 8.38-RC1 2015-05-03

  re> /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/
data> abcd
No match
data> 

$ pcretest
PCRE version 8.38-RC1 2015-05-03

  re> /^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/
data> ADLAB
No match
data> 

$ pcretest
PCRE version 8.38-RC1 2015-05-03

  re> /(((a\2)|(a*)\g<-1>))*a?/
data> abcd
 0: a
 1: 
 2: 
 3: <unset>
 4: 
data> 

$ pcretest
PCRE version 8.38-RC1 2015-05-03

  re> /((?(R)a|(?1)))*/
data> abcd
 0: a
 1: a
data> 

$ pcretest
PCRE version 8.38-RC1 2015-05-03

  re> /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/
data> 1234abcd
 0: 
 1: <unset>
 2: <unset>
 3: <unset>
 4: <unset>
 5: 
data> 

$ pcretest
PCRE version 8.38-RC1 2015-05-03

  re> /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
Failed: unmatched parentheses at offset 53
  re> 

$ pcretest
  re> /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
data> abcd
No match
data> 

$ php poc.php   # from https://bugs.exim.org/show_bug.cgi?id=1651
PHP Warning:  preg_match(): Compilation failed: unmatched parentheses at offset 125 in /tmp/poc.php on line 2

The important thing, no stack traces or segmentation faults.
Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO, MGA4TOO has_procedure
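The test procedure in Comment 21 is a manual pcretest session per pattern, and the pass criterion is "no stack traces or segmentation faults". The harness below automates exactly that check. It is an added example written for this page, not code from the Mageia package, from PCRE, or from anyone in this thread. It assumes a `pcretest` binary from the pcre package is on PATH (if it is not, every case is reported as skipped), and it copies the seven pattern/subject pairs from Comment 21 verbatim. Each case runs in its own child process so that a crash in one pattern kills only that child, and the verdict distinguishes a clean "Failed: ..." compile error (harmless, and expected for the unbalanced-parentheses pattern) from death by signal, a non-zero exit, or a hang.

```python
"""Crash-vs-clean-failure harness for the pcretest cases in Comment 21.

Editor-added example; not part of the Mageia pcre package or of PCRE.
Assumes the `pcretest` binary is on PATH; otherwise cases are skipped.
"""
import shutil
import signal
import subprocess
from typing import List, Tuple

PCRETEST = "pcretest"   # assumption: pcretest from the pcre package is on PATH
TIMEOUT_S = 10          # a hang (runaway backtracking) is also a finding

# (pattern, subject) pairs as typed at the "re>" and "data>" prompts in
# Comment 21.  An empty subject means the pattern is expected to be rejected
# at compile time, so pcretest never asks for data.
CASES: List[Tuple[str, str]] = [
    (r"/^(?:(?(1)\\.|([^\\\\W_])?)+)+$/", "abcd"),
    (r"/^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/", "ADLAB"),
    (r"/(((a\2)|(a*)\g<-1>))*a?/", "abcd"),
    (r"/((?(R)a|(?1)))*/", "abcd"),
    (r"/(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/",
     "1234abcd"),
    (r"/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/", ""),
    (r"/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/",
     "abcd"),
]


def classify(returncode: int, output: str) -> str:
    """Turn one pcretest run into a verdict string.

    subprocess reports death by signal as a negative return code; that is the
    symptom (SIGSEGV, SIGABRT from a stack protector, ...) the overflow fixes
    are meant to remove.  A rejected pattern is not a crash: pcretest prints
    "Failed: <reason> at offset N", goes back to the re> prompt and exits
    normally at EOF, as the transcript in Comment 21 shows.
    """
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = str(-returncode)
        return "crash:" + name
    if returncode != 0:
        return "error:exit=%d" % returncode
    for line in output.splitlines():
        if line.startswith("Failed:"):
            return "compile-error"
    return "ok"


def run_case(pattern: str, subject: str) -> str:
    """Run one pattern/subject pair in a fresh pcretest process."""
    if shutil.which(PCRETEST) is None:
        return "skipped:no-pcretest"
    # pcretest reads the pattern line, then subject lines up to a blank line.
    stdin = pattern + "\n" + (subject + "\n" if subject else "") + "\n"
    try:
        proc = subprocess.run([PCRETEST], input=stdin, capture_output=True,
                              text=True, timeout=TIMEOUT_S)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode, proc.stdout + proc.stderr)


def run_all() -> List[Tuple[str, str]]:
    """Verdict for every case in CASES, in order."""
    return [(pattern, run_case(pattern, subject)) for pattern, subject in CASES]


if __name__ == "__main__":
    for pattern, verdict in run_all():
        print("%-20s %s" % (verdict, pattern))
```

Run it once against the updated packages and once against the old ones: on a fixed build every verdict is `ok` or `compile-error`; any `crash:` or `timeout` line is a pattern that still needs attention. Pointing `PCRETEST` at a pcretest built with `-fsanitize=address` makes the same harness catch overflows that do not happen to segfault.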
I updated to the current CVS (last modified 20150902), aka 8.38-RC1. See the test cases in Comment 21.

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated pcre packages fix security vulnerabilities:

The pcre package has been updated to the latest CVS as of September 2, 2015, aka 8.38-RC1, which fixes several bugs, including many buffer, stack, and integer overflows.

References:
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?revision=1600&view=markup
========================

Updated packages in core/updates_testing:
========================
pcre-8.37-1.mga4
libpcre1-8.37-1.mga4
libpcre16_0-8.37-1.mga4
libpcre32_0-8.37-1.mga4
libpcrecpp0-8.37-1.mga4
libpcreposix1-8.37-1.mga4
libpcreposix0-8.37-1.mga4
libpcre-devel-8.37-1.mga4
libpcrecpp-devel-8.37-1.mga4
libpcreposix-devel-8.37-1.mga4
pcre-8.37-2.2.mga5
libpcre1-8.37-2.2.mga5
libpcre16_0-8.37-2.2.mga5
libpcre32_0-8.37-2.2.mga5
libpcrecpp0-8.37-2.2.mga5
libpcreposix1-8.37-2.2.mga5
libpcreposix0-8.37-2.2.mga5
libpcre-devel-8.37-2.2.mga5
libpcrecpp-devel-8.37-2.2.mga5
libpcreposix-devel-8.37-2.2.mga5

from SRPMS:
pcre-8.37-1.mga4.src.rpm
pcre-8.37-2.2.mga5.src.rpm
Version: Cauldron => 5
Assignee: warrendiogenese => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO has_procedure => MGA4TOO has_procedure
mga4 x86_64 (VM) :
==================

Installed :
lib64pcre-devel-8.37-1.mga4
pcre-8.37-1.mga4
lib64pcreposix1-8.37-1.mga4
lib64pcre32_0-8.37-1.mga4
lib64pcre16_0-8.37-1.mga4
lib64pcre1-8.37-1.mga4

All tests OK ; php.poc OK

mga5 x86_64 (VM) :
==================

Installed :
lib64pcre16_0-8.37-2.2.mga5
lib64pcre1-8.37-2.2.mga5
lib64pcre32_0-8.37-2.2.mga5
lib64pcre-devel-8.37-2.2.mga5
pcre-8.37-2.2.mga5
lib64pcreposix1-8.37-2.1.mga5

All tests OK ; php.poc OK

=========
Update OK.
CC: (none) => yann.cantin
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK
Tested successfully Mageia 4 i586 and Mageia 5 i586.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0343.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #4)
> http://vcs.pcre.org/pcre?view=revision&revision=1565
>
> PCREr1565 is in pcre_exec.c.
>
> 1565 might be this one:
> https://bugs.exim.org/show_bug.cgi?id=1638 (CVE-2015-3217)

RedHat says that PCREr1565 was https://bugs.exim.org/show_bug.cgi?id=1637

https://bugzilla.redhat.com/show_bug.cgi?id=1285413

LWN reference:
http://lwn.net/Vulnerabilities/665977/
Several CVEs have been assigned:
http://openwall.com/lists/oss-security/2015/12/02/3

(In reply to David Walser from comment #4)
> Other older bugs only affecting Mageia 4 that I referenced in Comment 0 are
> here. All of these upstream bugs have PoCs:
> https://bugs.exim.org/show_bug.cgi?id=1503
> https://bugs.exim.org/show_bug.cgi?id=1515

These are now CVE-2015-2327 and CVE-2015-2328 respectively.

(In reply to David Walser from comment #28)
> (In reply to David Walser from comment #4)
> > http://vcs.pcre.org/pcre?view=revision&revision=1565
> >
> > PCREr1565 is in pcre_exec.c.
> >
> > 1565 might be this one:
> > https://bugs.exim.org/show_bug.cgi?id=1638 (CVE-2015-3217)
>
> RedHat says that PCREr1565 was https://bugs.exim.org/show_bug.cgi?id=1637
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1285413
>
> LWN reference:
> http://lwn.net/Vulnerabilities/665977/

This is now CVE-2015-8380.
(In reply to David Walser from comment #17)
> (In reply to David Walser from comment #16)
> > CVE request for yet another issue:
> > http://openwall.com/lists/oss-security/2015/08/05/3
> >
> > which is fixed here:
> > http://vcs.pcre.org/pcre?view=revision&revision=1585
>
> Fedora has issued an advisory for this on August 13:
> https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163731.html
>
> LWN reference:
> http://lwn.net/Vulnerabilities/654544/

This is CVE-2015-8381:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8381
(In reply to David Walser from comment #16)
> (In reply to David Walser from comment #15)
> > CVE request for another issue in pcre_exec.c,
> > http://openwall.com/lists/oss-security/2015/08/04/2
>
> Fix for that one is here:
> http://vcs.pcre.org/pcre?view=revision&revision=1510

CVE-2015-8382:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8382
The other issues fixed between PCRE 8.37 and 8.38-RC1 (which this update was) are CVE-2015-8383 through CVE-2015-8395.
Summary: pcre new security issues fixed upstream (including CVE-2015-3217) => pcre new security issues fixed upstream (including CVE-2015-232[78], CVE-2015-3217, CVE-2015-838[0-9], CVE-2015-839[0-5])
(In reply to David Walser from comment #4)
> 1562 might be this one:
> https://bugs.exim.org/show_bug.cgi?id=1636 (CVE-2015-3210)

Or not :o(

RedHat thinks that 1558 was CVE-2015-3210 (which also corresponds to CVE-2015-8384 apparently):
http://openwall.com/lists/oss-security/2015/12/02/8
(In reply to David Walser from comment #32)
> The other issues fixed between PCRE 8.37 and 8.38-RC1 (which this update
> was) are CVE-2015-8383 through CVE-2015-8395.

LWN reference for all of those except for 8395:
http://lwn.net/Vulnerabilities/670250/
LWN reference for the remaining CVEs: http://lwn.net/Vulnerabilities/676094/
LWN reference for CVE-2015-2327 CVE-2015-2328 CVE-2015-8382: http://lwn.net/Vulnerabilities/681755/
LWN reference for CVE-2015-3217: http://lwn.net/Vulnerabilities/687040/