Bug 26274 - pcre new security issues fixed upstream in 8.44 (including CVE-2020-14155)
Summary: pcre new security issues fixed upstream in 8.44 (including CVE-2020-14155)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-29 04:15 CET by David Walser
Modified: 2022-05-18 20:14 CEST (History)
5 users (show)

See Also:
Source RPM: pcre-8.43-1.mga7.src.rpm
CVE:
Status comment:


Attachments
Demo script from the pcre man pages (14.12 KB, text/plain)
2020-03-01 20:50 CET, Len Lawrence
Details
Demonstration regex parser using the libpcre library (14.12 KB, text/plain)
2020-03-01 21:21 CET, Len Lawrence
Details

Description David Walser 2020-02-29 04:15:55 CET
PCRE 8.44 has been released on February 12:
http://www.pcre.org/original/changelog.txt

The changelog (above) lists two security issues fixed (as usual).
Comment 1 David GEIGER 2020-02-29 10:14:44 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-02-29 17:24:41 CET
Advisory:
========================

Updated pcre packages fix security vulnerabilities:

The pcre package has been updated to version 8.44, fixing an integer overflow
and NULL pointer dereference, as well as other bugs.  See the upstream
changelog for details.

References:
http://www.pcre.org/original/changelog.txt
========================

Updated packages in core/updates_testing:
========================
pcre-8.44-1.mga7
libpcre1-8.44-1.mga7
libpcre16_0-8.44-1.mga7
libpcre32_0-8.44-1.mga7
libpcrecpp0-8.44-1.mga7
libpcreposix1-8.44-1.mga7
libpcreposix0-8.44-1.mga7
libpcre-devel-8.44-1.mga7
libpcrecpp-devel-8.44-1.mga7
libpcreposix-devel-8.44-1.mga7
libpcre-static-devel-8.44-1.mga7

from pcre-8.44-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Len Lawrence 2020-02-29 21:31:18 CET
About to start this one for mga7 x86_64

CC: (none) => tarazed25

Comment 4 Len Lawrence 2020-02-29 23:26:30 CET
Installed all the files and updated them.

Resources: man pages and https://learnxinyminutes.com/docs/pcre/

This should have been a simple one to test.  The man pages list a pcredemo C script which the user is supposed to copy and compile.  Copying from the man pages results in a text file which looks OK but contains hidden characters which prevent it compiling.  At a guess these are the nroff characters referred to elsewhere in the man pages because they mention a script called CleanTxt which does just that for man page extracts but it is nowhere to be found.  Also mentioned are .txt files which contain demonstration source code including that for utilities like pcregrep.  Again, not available.  It would take a couple of hours to copy pcredemo.c out by hand.

$ pcre-config --version
8.43
$ pcre-config --libs
-L/usr/lib64 -lpcre

One or two commands respond but this tester does not really know what to do with them.
$ pcretest
PCRE version 8.43 2019-02-23

  re>

Pre-built tests like RunTest can be supplied here.  Looks like RunTest expects as arguments numbered files.  Giving it three random integers raised an error because there are no corresponding files so it behaves correctly at that level.

$ urpmq --whatrequires-recursive pcre | sort -u
returns a long list, notably:
alien, erlang, magpie, nginx, enki, mgarepo and bm.
No handy deb packages so it is a local build.

$ strace -o mgarepo.trace mgarepo co -d 7 glmark2
Using the svn mirror.
.....
$ grep pcre mgarepo.trace
$ cd glmark2
$ strace -o bm.trace bm -ls
creating package list
processing package glmark2-2017.07-%mkrel %rel%{?gitdate:.%{gitdate}}
building source package
Wrote: /home/lcl/dev/glmark2/glmark2/SRPMS/glmark2-2017.07-4.20190327.mga7.src.rpm
succeeded!
$ grep pcre bm.trace
$ strace -o glmark2.trace bm -l
.....
+ /usr/bin/rm -rf /home/lcl/dev/glmark2/glmark2/BUILDROOT/glmark2-2017.07-4.20190327.mga7.x86_64
+ exit 0
succeeded!
$ grep pcre glmark2.trace
$

Hmm!
At one timeyoutube-dl was a perl script IIRCC.
$ urpmq --requires-recursive youtube-dl
....
lib64pcre1

Tried youtube-dl on a couple of music videos - failed.
Third one worked but no sign of libpcre.
$ strace -o vom.trace youtube-dl https://www.youtube.com/watch?v=-6N73y822dU
$ grep pcre vom.trace
$

Have to give up and pass this on the basis of a clean install.

Whiteboard: (none) => MGA7-64-OK

Comment 5 Len Lawrence 2020-03-01 20:50:14 CET
Created attachment 11527 [details]
Demo script from the pcre man pages

$ gcc -o pcredemo -lpcre pcredemo.c

AFAIK this is a utility for manipulating regular expressions - requires two arguments, presumably an expression and something to be matched.
Comment 6 Len Lawrence 2020-03-01 21:21:55 CET
Created attachment 11528 [details]
Demonstration regex parser using the libpcre library

$ gcc -o pcredemo -lpcre pcredemo.c

$ ./pcredemo 'regular expression' 'subject string'

Attachment 11527 is obsolete: 0 => 1

Comment 7 Len Lawrence 2020-03-01 21:30:21 CET
After discovering an error in the copy-pasted program after removing all the hidden characters (which involved a bit of research in ruby for a way to eliminate them and then some extra editing) and rediscovering that C expects quotes on strings, the test finally succeeded.  Used the simplest example from the link in comment 4.

$ ./pcredemo '\d+.\d+.' '66.249.64.13 - - [18/Sep/2004:11:07:48 +1000] "GET /robots.txt HTTP/1.0" 200 468 "-" "Googlebot/2.1"'

Match succeeded at offset 0
 0: 66.249.
No named substrings
 
So this justifies the OK.
Comment 8 Thomas Andrews 2020-03-02 20:24:06 CET
Thank you for your diligence, Len. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-03-06 16:23:46 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-03-06 17:15:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0124.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2022-05-18 20:14:05 CEST
CVE-2019-20838 was fixed in 8.43, which we already had.

CVE-2020-14155 was fixed in 8.44, i.e., in this update:
https://ubuntu.com/security/notices/USN-5425-1

Summary: pcre new security issues fixed upstream in 8.44 => pcre new security issues fixed upstream in 8.44 (including CVE-2020-14155)


Note You need to log in before you can comment on or make changes to this bug.