Fedora has issued an advisory on February 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ESZV6GLV63XBXTZQOAJPOWLRIG35TEV7/

and an additional bugfix advisory on February 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/53LTF7HISA4JJLMTQKJVACHXP57XBB72/

Fixed are a couple of crashes, a buffer overflow, and a couple of other bugs.

Patched package uploaded for Cauldron. Patches added in Mageia 5 SVN.
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on February 22:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ESZV6GLV63XBXTZQOAJPOWLRIG35TEV7/
>
> and an additional bugfix advisory on February 25:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/53LTF7HISA4JJLMTQKJVACHXP57XBB72/
>
> Fixed are a couple of crashes, a buffer overflow, and a couple of other bugs.
>
> Patched package uploaded for Cauldron. Patches added in Mageia 5 SVN.

Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable. We miss you, diogenese.
CC: (none) => marja11, warrendiogenese
Assignee: bugsquad => pkg-bugs
More issues will be fixed in 8.41:
http://openwall.com/lists/oss-security/2017/03/20/2
http://openwall.com/lists/oss-security/2017/03/20/3
http://openwall.com/lists/oss-security/2017/03/20/4 (CVE-2017-7186)
http://openwall.com/lists/oss-security/2017/03/20/5
http://openwall.com/lists/oss-security/2017/03/20/7

and one will not be:
http://openwall.com/lists/oss-security/2017/03/20/6
Summary: pcre new security issue CVE-2017-6004 => pcre new security issues CVE-2017-6004 and CVE-2017-7186
(In reply to David Walser from comment #2)
> http://openwall.com/lists/oss-security/2017/03/20/5 (CVE-2017-724[56])
> http://openwall.com/lists/oss-security/2017/03/20/7 (CVE-2017-7244)

CVEs noted above for a couple more of these, from:
http://openwall.com/lists/oss-security/2017/03/24/1
http://openwall.com/lists/oss-security/2017/03/24/2
Fedora has issued an advisory for CVE-2017-7186 on April 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQ6PIE4TXTZQP7KMWCXA4KI6BZQOGEPM/
Fedora has fixed CVE-2017-7186 in pcre on May 1 (previous one was for pcre2): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XEYMUTVQAMYFGYH7ZE6RJD34GJMBZRMS/
Version: 5 => 6
CC: (none) => mageia
Whiteboard: (none) => MGA5TOO
Blocks: (none) => 22206
*** Bug 22210 has been marked as a duplicate of this bug. ***
I have uploaded a patched/updated package for Mageia 5/6.

You can test the patch by calling "pcretest -m -C".
Before the patch it reports "Match recursion uses stack: approximate frame size = 4 bytes"
After it will report a correct size for the stack.

Suggested advisory:
========================

Updated pcre packages fix many security vulnerabilities:

http://openwall.com/lists/oss-security/2017/03/20/2
http://openwall.com/lists/oss-security/2017/03/20/3
http://openwall.com/lists/oss-security/2017/03/20/4 (CVE-2017-7186)
http://openwall.com/lists/oss-security/2017/03/20/5 (CVE-2017-724[56])
http://openwall.com/lists/oss-security/2017/03/20/7 (CVE-2017-7244)
========================

Updated packages in core/updates_testing:
========================

MGA5:
lib64pcre16_0-8.41-1-1.mga5.x86_64.rpm
lib64pcre1-8.41-1-1.mga5.x86_64.rpm
lib64pcre32_0-8.41-1-1.mga5.x86_64.rpm
lib64pcrecpp0-8.41-1-1.mga5.x86_64.rpm
lib64pcrecpp-devel-8.41-1-1.mga5.x86_64.rpm
lib64pcre-devel-8.41-1-1.mga5.x86_64.rpm
lib64pcreposix0-8.41-1-1.mga5.x86_64.rpm
lib64pcreposix1-8.41-1-1.mga5.x86_64.rpm
lib64pcreposix-devel-8.41-1-1.mga5.x86_64.rpm
pcre-8.41-1-1.mga5.x86_64.rpm
pcre-debuginfo-8.41-1-1.mga5.x86_64.rpm

MGA6:
lib64pcre16_0-8.41-1.mga6.x86_64.rpm
lib64pcre1-8.41-1.mga6.x86_64.rpm
lib64pcre32_0-8.41-1.mga6.x86_64.rpm
lib64pcrecpp0-8.41-1.mga6.x86_64.rpm
lib64pcrecpp-devel-8.41-1.mga6.x86_64.rpm
lib64pcre-devel-8.41-1.mga6.x86_64.rpm
lib64pcreposix0-8.41-1.mga6.x86_64.rpm
lib64pcreposix1-8.41-1.mga6.x86_64.rpm
lib64pcreposix-devel-8.41-1.mga6.x86_64.rpm
lib64pcre-static-devel-8.41-1.mga6.x86_64.rpm
pcre-8.41-1.mga6.x86_64.rpm
pcre-debuginfo-8.41-1.mga6.x86_64.rpm

Source RPMs:
pcre-8.41-1-1.mga5.src.rpm
pcre-8.41-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Sorry, this won't work....

You need to keep the upgrade path working...

You now have:
mga5: pcre-8.41-1.1.mga5
mga6: pcre-8.41-1.mga6

So upgrade from mga5 to mga6 won't work. mga6 needs to be at least at the same subrel level to keep it working.
Keywords: (none) => feedback
CC: (none) => tmb
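The upgrade-path rule tmb states above can be checked mechanically rather than by eye. What follows is an added example, not code from the bug thread or from rpm itself: a Python re-implementation of rpm's rpmvercmp segment comparison (separators skipped, digit runs compared numerically, letter runs compared as strings, a numeric segment beating an alphabetic one, "~" sorting before the end of the string), applied to the two release strings quoted in the comment. The function names rpmvercmp, evr_compare and upgrade_path_ok and the EVR tuples are my own; the release strings 1.1.mga5 and 1.mga6 come from the thread.

```python
"""Added example: why pcre-8.41-1.1.mga5 would not upgrade to pcre-8.41-1.mga6."""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings as rpm's rpmvercmp does.
    Returns 1 if a is newer, -1 if b is newer, 0 if they compare equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before everything, even the end of the string (1.0~rc1 < 1.0).
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after the end of the string but before any other character.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        # Take one segment from each side: a run of digits or a run of letters.
        # The left-hand string decides which kind is taken.
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else (lambda c: c.isalnum() and not c.isdigit())
        seg_a, i = _take(a, i, pred)
        seg_b, j = _take(b, j, pred)
        if not seg_b:
            # Segment kinds differ: rpm treats the numeric one as newer.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # the longer number is the larger one
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    a_left, b_left = i < len(a), j < len(b)
    if not a_left and not b_left:
        return 0
    return 1 if a_left else -1


def _take(s: str, k: int, pred):
    """Return the run of characters satisfying pred starting at s[k], and the new index."""
    start = k
    while k < len(s) and pred(s[k]):
        k += 1
    return s[start:k], k


def evr_compare(evr_a, evr_b) -> int:
    """Compare (epoch, version, release) triples: epoch decides first, then version, then release."""
    for x, y in zip(evr_a, evr_b):
        r = rpmvercmp(str(x), str(y))
        if r:
            return r
    return 0


def upgrade_path_ok(old_evr, new_evr) -> bool:
    """rpm only replaces a package with one that compares newer or equal, so the
    build for the newer distribution release must not compare older than the old one."""
    return evr_compare(new_evr, old_evr) >= 0


# EVR tuples constructed from the builds named in the comment above.
MGA5_SUBREL = (0, "8.41", "1.1.mga5")  # the mga5 build with a subrel
MGA6 = (0, "8.41", "1.mga6")           # the mga6 build
MGA5_FIXED = (0, "8.41", "1.mga5")     # mga5 after the subrel was dropped

if __name__ == "__main__":
    print("1.1.mga5 -> 1.mga6 upgrades:", upgrade_path_ok(MGA5_SUBREL, MGA6))  # False
    print("1.mga5   -> 1.mga6 upgrades:", upgrade_path_ok(MGA5_FIXED, MGA6))   # True
```

The decisive step is the second release segment: "1" (digits) against "mga" (letters) is a kind mismatch, and rpm scores the numeric side as newer, so 1.1.mga5 outranks 1.mga6 and the mga5 package would be kept on upgrade. With the subrel removed, the strings differ only in the trailing 5 versus 6 and the path works.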
That's why I told Marc on IRC to remove the subrel first. Thomas, please remove the mga5 build from updates_testing so we can do this correctly.
mga5 rpms removed... wait a while for hdlists to update
Thanks Thomas. subrel removed in SVN: http://svnweb.mageia.org/packages?view=revision&revision=1182977
Sorry, it was intentional from me to add subrel here, but it was a misunderstanding from the build system that made me do it. I've resubmitted the pcre-package for mga5.
No worries... its a learning process... :)
Advisory:
========================

Updated pcre packages fix security vulnerabilities:

The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression (CVE-2017-6004).

A vulnerability was found in pcre caused by trying to find a Unicode property for a code value greater than 0x10ffff, the Unicode maximum, when running in non-UTF mode (where character values can be up to 0xffffffff) (CVE-2017-7186).

The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file (CVE-2017-7244).

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file (CVE-2017-7245).

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file (CVE-2017-7246).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7245
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7246
http://openwall.com/lists/oss-security/2017/03/24/1
http://openwall.com/lists/oss-security/2017/03/24/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ESZV6GLV63XBXTZQOAJPOWLRIG35TEV7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XEYMUTVQAMYFGYH7ZE6RJD34GJMBZRMS/
========================

Updated packages in core/updates_testing:
========================

pcre-8.41-1.mga5
libpcre1-8.41-1.mga5
libpcre16_0-8.41-1.mga5
libpcre32_0-8.41-1.mga5
libpcrecpp0-8.41-1.mga5
libpcreposix1-8.41-1.mga5
libpcreposix0-8.41-1.mga5
libpcre-devel-8.41-1.mga5
libpcrecpp-devel-8.41-1.mga5
libpcreposix-devel-8.41-1.mga5

pcre-8.41-1.mga6
libpcre1-8.41-1.mga6
libpcre16_0-8.41-1.mga6
libpcre32_0-8.41-1.mga6
libpcrecpp0-8.41-1.mga6
libpcreposix1-8.41-1.mga6
libpcreposix0-8.41-1.mga6
libpcre-devel-8.41-1.mga6
libpcrecpp-devel-8.41-1.mga6
libpcreposix-devel-8.41-1.mga6
libpcre-static-devel-8.41-1.mga6

from SRPMS:
pcre-8.41-1.mga5.src.rpm
pcre-8.41-1.mga6.src.rpm
Keywords: feedback => (none)
Testing M5/64

Two binaries: pcregrep, pcretest.

Found some test files:

CVE-2017-6004: https://bugs.exim.org/show_bug.cgi?id=2035
    <?php
    $pattern = "/(((?(?!))0(?1))(?''))/";
    preg_match($pattern, "helloworld");
    ?>
Should segfault.

CVE-2017-7186: https://github.com/asarubbo/poc/blob/master/00204-pcre-invalidread1-pcre_exec
# pcretest -32 -d $FILE

CVE-2017-7244-6: https://github.com/asarubbo/poc/blob/master/00206-pcre-invalidread-_pcre32_xclass
# pcretest -32 -d $FILE

CVE-2017-7245/6: https://github.com/asarubbo/poc/blob/master/00207-pcre-stackoverflow-pcre32_copy_substring
# pcretest -32 -d $FILE

--------------------------------------------------------------------
BEFORE update:
lib64pcre1-8.38-1.mga5
lib64pcreposix1-8.38-1.mga5
lib64pcre-devel-8.38-1.mga5
lib64pcre16_0-8.38-1.mga5
lib64pcre32_0-8.38-1.mga5
pcre-8.38-1.mga5

$ pcretest -m -C [comment 7]
PCRE version 8.39-RC1 2015-11-23
Compiled with ...
Match recursion uses stack: approximate frame size = 172 bytes

# pcretest -32 -d Desktop/00204-pcre-invalidread1-pcre_exec
PCRE version 8.39-RC1 2015-11-23
... lots of O/P
Segmentation fault

# pcretest -32 -d Desktop/00206-pcre-invalidread-_pcre32_xclass
PCRE version 8.39-RC1 2015-11-23
... lots of O/P
Segmentation fault

# pcretest -32 -d Desktop/00207-pcre-stackoverflow-pcre32_copy_substring
PCRE version 8.39-RC1 2015-11-23
... lots of O/P
*** stack smashing detected ***: pcretest terminated
Segmentation fault

--------------------------------------------------------------------
AFTER update:
- lib64pcre-devel-8.41-1.mga5.x86_64
- lib64pcre1-8.41-1.mga5.x86_64
- lib64pcre16_0-8.41-1.mga5.x86_64
- lib64pcre32_0-8.41-1.mga5.x86_64
- lib64pcreposix1-8.41-1.mga5.x86_64
- pcre-8.41-1.mga5.x86_64

$ pcretest -m -C
PCRE version 8.41 2017-07-05
Compiled with ...
Match recursion uses stack: approximate frame size = 512 bytes
which shows something.

# pcretest -32 -d Desktop/00204-pcre-invalidread1-pcre_exec
PCRE version 8.41 2017-07-05
... lots of O/P
** Delimiter must not be alphanumeric or \
GOOD

# pcretest -32 -d Desktop/00206-pcre-invalidread-_pcre32_xclass
PCRE version 8.41 2017-07-05
... lots of O/P
No match
GOOD

# pcretest -32 -d Desktop/00207-pcre-stackoverflow-pcre32_copy_substring
PCRE version 8.41 2017-07-05
... lots of O/P
T�** Unexpected EOF
GOOD

So giving this the thumbs up. Will attach the 3 test files to the bug.
CC: (none) => lewyssmith
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Created attachment 9839
PoC_0024

1/3 PoCs for various CVEs. Run with
$ pcretest -32 -d <filename>
Crashes before update, not after.
Created attachment 9840
PoC0_00206

2/3 PoCs for various CVEs. Run with
$ pcretest -32 -d <filename>
Crashes before update, not after.
Created attachment 9841
PoC_00207

3/3 PoCs for various CVEs. Run with
$ pcretest -32 -d <filename>
Crashes before update, not after.
Re the mini-script given in comment 15 re CVE-2017-6004, it did not segfault at all for M6/64. It may be a 32-bit only crash (one of the faults is), hence to test thus.
Keywords: (none) => advisory
BEFORE update, all pkgs at version -8.40-2.mga6

1. Ex C7
$ pcretest -m -C
PCRE version 8.40 2017-01-11
...
Match recursion uses stack: approximate frame size = 4 bytes

2. mini-script in C15
$ php pcretest.php
No segfault as expected; just for 32-bit?

3. $ pcretest -32 -d 00204-pcre-invalidread1-pcre_exec
...
Segmentation fault (core dumped)

4. $ pcretest -32 -d 00206-pcre-invalidread-_pcre32_xclass
...
Segmentation fault (core dumped)

5. $ pcretest -32 -d 00207-pcre-stackoverflow-pcre32_copy_substring
...
Segmentation fault (core dumped)

------------------------------------
AFTER update:
- lib64pcre-devel-8.41-1.mga6.x86_64
- lib64pcre1-8.41-1.mga6.x86_64
- lib64pcre16_0-8.41-1.mga6.x86_64
- lib64pcre32_0-8.41-1.mga6.x86_64
- lib64pcreposix1-8.41-1.mga6.x86_64
- pcre-8.41-1.mga6.x86_64

1. $ pcretest -m -C
PCRE version 8.41 2017-07-05
...
Match recursion uses stack: approximate frame size = 512 bytes
Good result.

2. $ php pcretest.php
Again no segfault, shows nothing.

3. $ pcretest -32 -d 00204-pcre-invalidread1-pcre_exec
...
** Delimiter must not be alphanumeric or \
$
Good result.

4. $ pcretest -32 -d 00206-pcre-invalidread-_pcre32_xclass
...
No match
$
Good result.

5. $ pcretest -32 -d 00207-pcre-stackoverflow-pcre32_copy_substring
...
T�** Unexpected EOF
$
Good result.

------------------
OKing & validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
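The M5/64 and M6/64 test comments above repeat the same three steps by hand: read the frame size from "pcretest -m -C", then feed each attached PoC file to "pcretest -32 -d" and watch whether the process dies. The following is an added example, not part of the bug or of the pcre project: a small Python harness for that QA routine. It assumes pcretest is on PATH and that the PoC files sit in the working directory under the names attached to the bug; the names frame_size, pcretest_cmd, classify_run and run_pocs are mine. A run is classified by how the child ended (clean exit, non-zero exit, killed by a signal, or hang), and LIBC_FATAL_STDERR_ is set so that glibc writes its "stack smashing detected" message to stderr rather than to the terminal, where a script would miss it.

```python
"""Added example: a before/after test harness for the pcretest PoC runs."""
import os
import re
import signal
import subprocess

FRAME_RE = re.compile(r"approximate frame size = (\d+) bytes")

# PoC inputs attached to the bug (file names from the thread; location assumed).
POC_FILES = [
    "00204-pcre-invalidread1-pcre_exec",
    "00206-pcre-invalidread-_pcre32_xclass",
    "00207-pcre-stackoverflow-pcre32_copy_substring",
]


def frame_size(pcretest_c_output: str):
    """Pull the frame size out of 'pcretest -m -C' output; None if the line is absent.
    The thread reports 4 bytes on the broken build and 512 bytes after the fix."""
    m = FRAME_RE.search(pcretest_c_output)
    return int(m.group(1)) if m else None


def pcretest_cmd(poc_path: str, width: int = 32, pcretest: str = "pcretest"):
    """Build the invocation used in the thread: pcretest -<width> -d <file>.
    pcretest defaults to the 8-bit library; -16 and -32 select the others."""
    if width not in (8, 16, 32):
        raise ValueError("width must be 8, 16 or 32")
    cmd = [pcretest]
    if width != 8:
        cmd.append(f"-{width}")
    cmd += ["-d", poc_path]
    return cmd


def classify_run(cmd, timeout: float = 10.0) -> str:
    """Run cmd and report how it ended: 'ok' (exit 0), 'exit:N',
    'crash:SIGxxx' (killed by a signal), 'crash:FORTIFY' (glibc stack-protector
    abort, as seen in the 8.38 run), 'hang' (timeout) or 'missing:<prog>'."""
    env = dict(os.environ, LIBC_FATAL_STDERR_="1")
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True,
                              timeout=timeout, env=env)
    except subprocess.TimeoutExpired:
        return "hang"
    except FileNotFoundError:
        return "missing:" + cmd[0]
    if b"stack smashing detected" in proc.stderr:
        return "crash:FORTIFY"
    if proc.returncode < 0:
        return "crash:" + signal.Signals(-proc.returncode).name
    return "ok" if proc.returncode == 0 else f"exit:{proc.returncode}"


def run_pocs(poc_paths=POC_FILES, width: int = 32) -> dict:
    """Map each PoC file to its outcome; any 'crash:' or 'hang' value is a failure."""
    return {p: classify_run(pcretest_cmd(p, width)) for p in poc_paths}


def pcretest_frame_size(pcretest: str = "pcretest"):
    """Run 'pcretest -m -C' and return (raw output, frame size); ("", None) if absent."""
    try:
        proc = subprocess.run([pcretest, "-m", "-C"], capture_output=True, text=True)
    except FileNotFoundError:
        return "", None
    return proc.stdout, frame_size(proc.stdout)


if __name__ == "__main__":
    out, size = pcretest_frame_size()
    print(out.splitlines()[0] if out else "(no pcretest found)", "| frame size:", size)
    for path, outcome in run_pocs().items():
        print(f"{outcome:16} {path}")
```

Run it once on the pre-update packages and once after: the first run should show crash outcomes for the three PoC files, the second should show none, and the frame size should move from the implausible value to a sensible one, which is exactly the comparison the testers wrote out by hand.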
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0454.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED