A security issue in pcre has been reported and assigned a CVE:
http://openwall.com/lists/oss-security/2016/01/02/3

As of right now it has not been fixed yet.
Assigning to maintainer.
Assignee: bugsquad => warrendiogenese
Another possible issue:
http://lwn.net/Vulnerabilities/677970/

I can't locate the patch.
Fedora has issued an advisory for this on March 1:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178193.html
URL: (none) => http://lwn.net/Vulnerabilities/678389/
(In reply to David Walser from comment #2)
> Another possible issue:
> http://lwn.net/Vulnerabilities/677970/
>
> I can't locate the patch.

This is CVE-2016-3191:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3191.html

Upstream patches are linked there (also affects pcre2 in Cauldron).

LWN reference:
http://lwn.net/Vulnerabilities/681755/

Ubuntu has issued an advisory for this on March 29:
http://www.ubuntu.com/usn/usn-2943-1/

It also includes the fix for CVE-2016-1283.
Summary: pcre new security issue CVE-2016-1283 => pcre new security issues CVE-2016-1283 and CVE-2016-3191
Patched pcre2 package uploaded for Cauldron.

Updated pcre packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated pcre packages fix security vulnerabilities:

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles a
particular pattern and related patterns with named subgroups, which allows
remote attackers to cause a denial of service (heap-based buffer overflow) or
possibly have unspecified other impact via a crafted regular expression
(CVE-2016-1283).

The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39
mishandles patterns containing an (*ACCEPT) substring in conjunction with
nested parentheses, which allows remote attackers to execute arbitrary code or
cause a denial of service (stack-based buffer overflow) via a crafted regular
expression (CVE-2016-3191).

The pcre package has been updated to the latest CVS as of May 21, 2016, aka
8.39-RC1, which fixes these issues, as well as several other bugs, and possible
security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191
http://vcs.pcre.org/pcre/code/trunk/ChangeLog?revision=1649&view=markup
========================

Updated packages in core/updates_testing:
========================
pcre-8.38-1.mga5
libpcre1-8.38-1.mga5
libpcre16_0-8.38-1.mga5
libpcre32_0-8.38-1.mga5
libpcrecpp0-8.38-1.mga5
libpcreposix1-8.38-1.mga5
libpcreposix0-8.38-1.mga5
libpcre-devel-8.38-1.mga5
libpcrecpp-devel-8.38-1.mga5
libpcreposix-devel-8.38-1.mga5

from pcre-8.38-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: warrendiogenese => qa-bugs
Severity: normal => critical
PoCs from upstream bugs:
https://bugs.exim.org/show_bug.cgi?id=1767
https://bugs.exim.org/show_bug.cgi?id=1791

$ cat poc.php
<?php
preg_match("/((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/","WenGuanxing");
?>

$ cat ZDI-CAN-3542.php
<?
preg_match('/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/', 'abc');
?>

$ php poc.php
*** Error in `php': double free or corruption (!prev): 0x093dd628 ***
======= Backtrace: =========
[...]
Aborted

$ php ZDI-CAN-3542.php
*** stack smashing detected ***: php terminated
======= Backtrace: =========
[...]
Aborted

Also note that the patches update the build-time test suites to test for these
and many other issues new and old.
After the update, Mageia 5 i586:

$ php poc.php
$ php ZDI-CAN-3542.php
PHP Warning:  preg_match(): Compilation failed: missing ) at offset 509 in /tmp/ZDI-CAN-3542.php on line 1

Marking OK.
Whiteboard: (none) => has_procedure MGA5-32-OK
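The QA step above compares how the two PoC scripts terminate before and after the update: an abort (SIGABRT from the glibc heap check or the stack protector) versus PHP's ordinary "Compilation failed" warning with a clean exit. The following is an added helper, not part of this bug report or of the pcre package, that makes that comparison mechanical; it assumes the PoC files poc.php and ZDI-CAN-3542.php sit in the current directory and that `php` is on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how a command terminates so
# the pre/post-update PoC runs can be compared without reading the backtrace.
# Prints "ok" (exit 0), "signal:N" (killed by signal N; SIGABRT is 6, which is
# what the "double free" and "stack smashing detected" aborts above produce),
# or "exit:N" for any other non-zero exit.
classify_run() {
    # Run inside an `if` so a failing command does not trip `set -e`.
    if "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -gt 128 ]; then
        echo "signal:$((rc - 128))"
    else
        echo "exit:$rc"
    fi
}

# Run each PoC named in the report (file names assumed) with the system php.
# On an unpatched 8.38 both lines should read "signal:6"; on the fixed package
# both should read "ok" (the second one with only a PHP warning on stderr).
check_pocs() {
    for poc in poc.php ZDI-CAN-3542.php; do
        if [ -f "$poc" ]; then
            echo "$poc: $(classify_run php "$poc")"
        else
            echo "$poc: missing"
        fi
    done
}
```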
Advisory added in SVN. Perhaps someone could check the formatting.
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Nice one David, thank you. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => oe
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0204.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED