Bug 26274 - pcre new security issues fixed upstream in 8.44 (including CVE-2020-14155)
Summary: pcre new security issues fixed upstream in 8.44 (including CVE-2020-14155)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-02-29 04:15 CET by David Walser
Modified: 2022-05-18 20:14 CEST (History)
5 users (show)

See Also:
Source RPM: pcre-8.43-1.mga7.src.rpm
Status comment:

Demo script from the pcre man pages (14.12 KB, text/plain)
2020-03-01 20:50 CET, Len Lawrence
Demonstration regex parser using the libpcre library (14.12 KB, text/plain)
2020-03-01 21:21 CET, Len Lawrence

Description David Walser 2020-02-29 04:15:55 CET
PCRE 8.44 has been released on February 12:

The changelog (above) lists two security issues fixed (as usual).
Comment 1 David GEIGER 2020-02-29 10:14:44 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-02-29 17:24:41 CET

Updated pcre packages fix security vulnerabilities:

The pcre package has been updated to version 8.44, fixing an integer overflow
and NULL pointer dereference, as well as other bugs.  See the upstream
changelog for details.


Updated packages in core/updates_testing:

from pcre-8.44-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Len Lawrence 2020-02-29 21:31:18 CET
About to start this one for mga7 x86_64

CC: (none) => tarazed25

Comment 4 Len Lawrence 2020-02-29 23:26:30 CET
Installed all the files and updated them.

Resources: man pages and https://learnxinyminutes.com/docs/pcre/

This should have been a simple one to test.  The man pages list a pcredemo C script which the user is supposed to copy and compile.  Copying from the man pages results in a text file which looks OK but contains hidden characters which prevent it compiling.  At a guess these are the nroff characters referred to elsewhere in the man pages because they mention a script called CleanTxt which does just that for man page extracts but it is nowhere to be found.  Also mentioned are .txt files which contain demonstration source code including that for utilities like pcregrep.  Again, not available.  It would take a couple of hours to copy pcredemo.c out by hand.

$ pcre-config --version
$ pcre-config --libs
-L/usr/lib64 -lpcre

One or two commands respond but this tester does not really know what to do with them.
$ pcretest
PCRE version 8.43 2019-02-23


Pre-built tests like RunTest can be supplied here.  Looks like RunTest expects as arguments numbered files.  Giving it three random integers raised an error because there are no corresponding files so it behaves correctly at that level.

$ urpmq --whatrequires-recursive pcre | sort -u
returns a long list, notably:
alien, erlang, magpie, nginx, enki, mgarepo and bm.
No handy deb packages so it is a local build.

$ strace -o mgarepo.trace mgarepo co -d 7 glmark2
Using the svn mirror.
$ grep pcre mgarepo.trace
$ cd glmark2
$ strace -o bm.trace bm -ls
creating package list
processing package glmark2-2017.07-%mkrel %rel%{?gitdate:.%{gitdate}}
building source package
Wrote: /home/lcl/dev/glmark2/glmark2/SRPMS/glmark2-2017.07-4.20190327.mga7.src.rpm
$ grep pcre bm.trace
$ strace -o glmark2.trace bm -l
+ /usr/bin/rm -rf /home/lcl/dev/glmark2/glmark2/BUILDROOT/glmark2-2017.07-4.20190327.mga7.x86_64
+ exit 0
$ grep pcre glmark2.trace

At one timeyoutube-dl was a perl script IIRCC.
$ urpmq --requires-recursive youtube-dl

Tried youtube-dl on a couple of music videos - failed.
Third one worked but no sign of libpcre.
$ strace -o vom.trace youtube-dl https://www.youtube.com/watch?v=-6N73y822dU
$ grep pcre vom.trace

Have to give up and pass this on the basis of a clean install.

Whiteboard: (none) => MGA7-64-OK

Comment 5 Len Lawrence 2020-03-01 20:50:14 CET
Created attachment 11527 [details]
Demo script from the pcre man pages

$ gcc -o pcredemo -lpcre pcredemo.c

AFAIK this is a utility for manipulating regular expressions - requires two arguments, presumably an expression and something to be matched.
Comment 6 Len Lawrence 2020-03-01 21:21:55 CET
Created attachment 11528 [details]
Demonstration regex parser using the libpcre library

$ gcc -o pcredemo -lpcre pcredemo.c

$ ./pcredemo 'regular expression' 'subject string'

Attachment 11527 is obsolete: 0 => 1

Comment 7 Len Lawrence 2020-03-01 21:30:21 CET
After discovering an error in the copy-pasted program after removing all the hidden characters (which involved a bit of research in ruby for a way to eliminate them and then some extra editing) and rediscovering that C expects quotes on strings, the test finally succeeded.  Used the simplest example from the link in comment 4.

$ ./pcredemo '\d+.\d+.' ' - - [18/Sep/2004:11:07:48 +1000] "GET /robots.txt HTTP/1.0" 200 468 "-" "Googlebot/2.1"'

Match succeeded at offset 0
 0: 66.249.
No named substrings
So this justifies the OK.
Comment 8 Thomas Andrews 2020-03-02 20:24:06 CET
Thank you for your diligence, Len. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-03-06 16:23:46 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-03-06 17:15:56 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 10 David Walser 2022-05-18 20:14:05 CEST
CVE-2019-20838 was fixed in 8.43, which we already had.

CVE-2020-14155 was fixed in 8.44, i.e., in this update:

Summary: pcre new security issues fixed upstream in 8.44 => pcre new security issues fixed upstream in 8.44 (including CVE-2020-14155)

Note You need to log in before you can comment on or make changes to this bug.