A security issue fixed upstream in re2c has been announced today (April 27): https://www.openwall.com/lists/oss-security/2020/04/27/2 The upstream commits that fixed the issue are referenced in the message above. I'm not sure if Mageia 7 is affected, but there is information on the upstream bug (also referenced in the message above) on how to reproduce the issue, so this could be determined.
This has been assigned CVE-2018-21232: https://www.openwall.com/lists/oss-security/2020/05/14/4
Whiteboard: (none) => MGA7TOO
Summary: re2c new infinite loop security issue => re2c new infinite loop security issue (CVE-2018-21232)
Status comment: (none) => Patches available upstream
Fixed in Cauldron in re2c-1.3-2.mga8 by David Geiger.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Done for mga7, updating to the latest upstream release 2.0.3!
Advisory:
========================

Updated re2c package fixes security vulnerability:

re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags (CVE-2018-21232).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21232
https://github.com/skvadrik/re2c/issues/219
========================

Updated packages in core/updates_testing:
========================
re2c-2.0.3-1.mga7

from re2c-2.0.3-1.mga7.src.rpm
Status comment: Patches available upstream => (none)
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Created attachment 11880: Small stack reproducer input for re2c

$ ulimit -s 256; re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re

Expect segmentation fault.
CC: (none) => tarazed25
Created attachment 11881: Basic test of the lexer

$ re2c 01_basic.re -o basic.c -i
mga7, x86_64

CVE-2018-21232

The report for the stack overflow issue at https://github.com/skvadrik/re2c/issues/219 indicates that it can be reproduced using overflow-1.re as input to re2c, but the unfortunate thing is that there is no link to that file. After a bit of digging it turned up on GitHub in this folder: https://github.com/skvadrik/re2c/tree/master/test/overflow-1.re

$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

Updated the package.

$ rpm -q re2c
re2c-2.0.3-1.mga7
$ ulimit -s 256; re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

So, Mageia 7 was affected and still is.

Downloaded an example from skvadrik's files.

$ re2c 01_basic.re -o basic_01.c -i

The output is C code with several gotos (!).

$ cat basic_01.c
/* Generated by re2c 2.0.3 on Sun Sep 13 16:00:01 2020 */
// re2c $INPUT -o $OUTPUT -i
#include <assert.h>

// C/C++ code
int lex(const char *YYCURSOR)
{
    {
        char yych;
        yych = *YYCURSOR;
        switch (yych) {
        case 'A' ... 'Z':
        case '_':
        case 'a' ... 'z':   goto yy4;
        default:            goto yy2;
        }
yy2:
        ++YYCURSOR;
        { return 1; }
yy4:
        yych = *++YYCURSOR;
        switch (yych) {
        case '0' ... '9':
        case 'A' ... 'Z':
        case '_':
        case 'a' ... 'z':   goto yy4;
        default:            goto yy6;
        }
yy6:
        { return 0; }
    }
}

int main()
{
    // C/C++ code
    assert(lex("_Zer0") == 0);
    return 0;
}

Leaving things there. Need advice on releasing this given that the bug does not appear to be fixed.
I guess he thought he fixed it enough for the test case to pass, but not so much. The upstream issue hasn't been closed yet either.
Status comment: (none) => Apparently not fully fixed upstream as of 2.0.3
Assignee: qa-bugs => pkg-bugs
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
CC: (none) => qa-bugs
re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.
URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2020-11958
CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-11958
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Can someone add comments in https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a ?

cf. https://security-tracker.debian.org/tracker/CVE-2020-11958
CC: (none) => mageia
Hi, re2c developer here. The original buffer overflow was fixed in https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a, and the reproducer in comment #7 limits stack size to 256 bytes, so there is a segfault due to a stack overflow in one of the recursive tree-walking functions. It is unrelated to buffer overflow. There is another bug to get rid of recursion (https://github.com/skvadrik/re2c/issues/219), but it's somewhat low-priority as re2c is not required to work on systems with 256-byte stack.
CC: (none) => skvadrik
(In reply to Ulya Trofimovich from comment #11)
> Hi, re2c developer here.
>
> The original buffer overflow was fixed in
> https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a, and the reproducer in comment #7
> limits stack size to 256 bytes, so there is a segfault due to a stack
> overflow in one of the recursive tree-walking functions. It is unrelated to
> buffer overflow.
>
> There is another bug to get rid of recursion
> (https://github.com/skvadrik/re2c/issues/219), but it's somewhat
> low-priority as re2c is not required to work on systems with 256-byte stack.

Thank you, I really appreciate your answer :-)

We can then validate this bug report and follow the other one to add it in Mageia when fixed.
Assignee: pkg-bugs => qa-bugs
mga7, x86_64

Checked this in mga8 first to confirm that the short stack test continues to segfault.

In mga7 with the default stack the PoC yields:

$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
overflow-1.re:4:2: warning: control flow is undefined for strings that match '\x30 \x30 \x30 \x30 \x30 \x5F \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x5F [...] \x64 \x5F \x68 \x65 \x72 \x65 \x5F \x69 \x73 \x5F \x74 \x68 \x65 \x5F \x6F \x76 \x65 \x72 \x66 \x6C \x66 \x6F \x77 [\x0-\x3E\x40-\xFF]' ... and a few more, use default rule '*' [-Wundefined-control-flow]

The overflow-1.c file contains ~8218 labelled switch statements.
... which looks like the original buffer overflow issue handled better.

Current version is re2c-2.0.3-1 here.

In mga7, with the short stack this still segfaults.

$ ulimit -s 256
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

Is there an update in the wings?
There are no updates for this one yet, but I will take a look and provide one ASAP. But I would prefer this in a new bug report, if you don't have any opposition.
Of course not. Go ahead.
Version: Cauldron => 8
CC: (none) => ouaurelien
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Referring to comment 14 it looks like we should close this and wait for a new bug to be posted. Giving this an OK for Mageia 7. Shall run it past Mageia 8 later with a view to validating it.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Found that it had been checked for Mageia 8 but tried it again.
re2c-2.0.3-1.mga8

CVE-2018-21232

$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
overflow-1.re:4:2: warning: control flow is undefined for strings that match '\x30 \x30 \x30 \x30 \x30 \x5F \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x5F ..... 76 \x65 \x72 \x66 \x6C \x66 \x6F \x77 [\x0-\x3E\x40-\xFF]' ... and a few more, use default rule '*' [-Wundefined-control-flow]

Skipped the short-stack test in view of the remark in comment 11.

Ran the test used previously, comment 7.

$ re2c 01_basic.re -o basic_01.c -i

That produced valid C code as before.

So, we let this go pending a further update.
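The two QA runs from comments 7, 14 and 17 (default stack vs. a small `ulimit -s` stack), scripted as an added example that is not part of this bug report or of the re2c project. It assumes re2c is on PATH and that upstream's test/overflow-1.re is in the working directory; output goes to /dev/null instead of overflow-1.c so no file is left behind.

```shell
#!/bin/sh
# Added QA harness (not from the bug report or re2c): run the reproducer
# under a chosen stack limit and turn the exit status into a verdict.
# Note: ulimit -s takes KiB, so "ulimit -s 256" is a 256 KiB stack.

# Map a shell exit status to a short verdict string.
#   0        -> ok
#   >128     -> signal:<NAME>  (139 -> signal:SEGV, i.e. a segfault)
#   other    -> error:<status>
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "signal:$(kill -l $((status - 128)))"
    else
        echo "error:$status"
    fi
}

# Run re2c on the reproducer in a subshell so the ulimit change does not
# leak into the caller. $1 = stack limit in KiB (empty = leave default),
# $2 = input file (defaults to overflow-1.re). Prints the verdict.
run_reproducer() {
    stack_kib=$1
    input=${2:-overflow-1.re}
    if (
        if [ -n "$stack_kib" ]; then ulimit -s "$stack_kib" || exit 126; fi
        exec re2c -o /dev/null --no-version --no-generation-date -W "$input"
    ) >/dev/null 2>&1; then
        classify_status 0
    else
        classify_status $?
    fi
}

# On re2c-2.0.3 the thread reports: default stack finishes with warnings
# (the CVE-2020-11958 buffer overflow is fixed), while the 256 KiB stack
# still segfaults in a recursive tree walk (upstream issue #219).
main() {
    echo "default stack: $(run_reproducer '')"
    echo "256 KiB stack: $(run_reproducer 256)"
}
```

Call `main` from the shell after sourcing the script, or compare `run_reproducer 256` against `signal:SEGV` in a packaging test to track when the recursion fix lands.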
CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
(In reply to Nicolas Lécureuil from comment #10)
> can someone add comments in
> https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a ?
>
> cf: https://security-tracker.debian.org/tracker/CVE-2020-11958

Is this landed in the SRPM for Mageia 7? Or is it another bug report?

(In reply to Len Lawrence from comment #17)
> Found that it had been checked for Mageia 8 but tried it again.
> re2c-2.0.3-1.mga8
>
> CVE-2018-21232
<snip>
>
> So, we let this go pending a further update.

This is already in the 8/core/release repository.

Assigning back to Mageia 7, adding NEEDINFO status.
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK => (none)
Keywords: validated_update => (none)
Status: NEW => NEEDINFO
Source RPM: re2c-1.2.1-3.mga8.src.rpm => re2c-1.1.1-1.mga7.src.rpm
Version: 8 => 7
CVE: CVE-2020-11958 => CVE-2018-21232
(In reply to Aurelien Oudelet from comment #18)
> (In reply to Nicolas Lécureuil from comment #10)
> > can someone add comments in
> > https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a ?
> >
> > cf: https://security-tracker.debian.org/tracker/CVE-2020-11958
>
> Is this landed in the SRPM for Mageia 7?
> Or it is an other Bug Report?

Yes, the vulnerability was introduced in 1.2 and fixed in 2.0.
Status: NEEDINFO => ASSIGNED
Status comment: Apparently not fully fixed upstream as of 2.0.3 => (none)
Whiteboard: (none) => MGA7-64-OK
Well, if David W. says it's now OK, who am I to argue? Validating once again.
CC: (none) => andrewsfarm
Keywords: (none) => validated_update
Advisory from comment 4.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0299.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED