Bug 26549 - re2c new infinite loop security issue (CVE-2018-21232)
Summary: re2c new infinite loop security issue (CVE-2018-21232)
Status: NEEDINFO
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-27 23:10 CEST by David Walser
Modified: 2021-04-12 15:48 CEST (History)
8 users (show)

See Also:
Source RPM: re2c-1.1.1-1.mga7.src.rpm
CVE: CVE-2018-21232
Status comment: Apparently not fully fixed upstream as of 2.0.3


Attachments
Small stack reproducer input for re2c (8.08 KB, text/x-csrc)
2020-09-13 16:47 CEST, Len Lawrence
Details
Basic test of the lexer (904 bytes, text/x-csrc)
2020-09-13 17:09 CEST, Len Lawrence
Details

Description David Walser 2020-04-27 23:10:50 CEST
A security issue fixed upstream in re2c has been announced today (April 27):
https://www.openwall.com/lists/oss-security/2020/04/27/2

The upstream commits that fixed the issue are referenced in the message above.

I'm not sure if Mageia 7 is affected, but there is information on the upstream bug (also referenced in the message above) on how to reproduce the issue, so this could be determined.
Comment 1 David Walser 2020-05-14 16:51:50 CEST
This has been assigned CVE-2018-21232:
https://www.openwall.com/lists/oss-security/2020/05/14/4

Whiteboard: (none) => MGA7TOO
Summary: re2c new infinite loop security issue => re2c new infinite loop security issue (CVE-2018-21232)
Status comment: (none) => Patches available upstream

Comment 2 David Walser 2020-05-14 17:44:45 CEST
Fixed in Cauldron in re2c-1.3-2.mga8 by David Geiger.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 3 David GEIGER 2020-09-10 07:23:16 CEST
Done for mga7 updating to latest upstream release 2.0.3!
Comment 4 David Walser 2020-09-10 20:14:55 CEST
Advisory:
========================

Updated re2c package fixes security vulnerability:

re2c before 2.0 has uncontrolled recursion that causes stack consumption in
find_fixed_tags (CVE-2018-21232).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21232
https://github.com/skvadrik/re2c/issues/219
========================

Updated packages in core/updates_testing:
========================
re2c-2.0.3-1.mga7

from re2c-2.0.3-1.mga7.src.rpm

Status comment: Patches available upstream => (none)
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 5 Len Lawrence 2020-09-13 16:47:46 CEST
Created attachment 11880 [details]
Small stack reproducer input for re2c

$ ulimit -s 256; re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Expect segmentation fault.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2020-09-13 17:09:55 CEST
Created attachment 11881 [details]
Basic test of the lexer

$ re2c 01_basic.re -o basic.c -i
Comment 7 Len Lawrence 2020-09-13 17:10:57 CEST
mga7, x86_64

CVE-2018-21232
The report for the stack overflow issue at https://github.com/skvadrik/re2c/issues/219
indicates that it can be reproduced using overflow-1.re as input to re2c but the unfortunate thing is that there is no link to that file.
After a bit of digging it turned up on GitHub in this folder https://github.com/skvadrik/re2c/tree/master/test/overflow-1.re
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

Updated the package.
$ rpm -q re2c
re2c-2.0.3-1.mga7
$ ulimit -s 256; re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

So, Mageia 7 was affected and still is.

Downloaded an example from svadrik's files.

$ re2c 01_basic.re -o basic_01.c -i

The output is C code with several gotoes (!).
$ cat basic_01.c
/* Generated by re2c 2.0.3 on Sun Sep 13 16:00:01 2020 */
// re2c $INPUT -o $OUTPUT -i
#include <assert.h>                 //
                                    // C/C++ code
int lex(const char *YYCURSOR)       //
{
    
{
	char yych;
	yych = *YYCURSOR;
	switch (yych) {
	case 'A' ... 'Z':
	case '_':
	case 'a' ... 'z': goto yy4;
	default: goto yy2;
	}
yy2:
	++YYCURSOR;
	{ return 1; }
yy4:
	yych = *++YYCURSOR;
	switch (yych) {
	case '0' ... '9':
	case 'A' ... 'Z':
	case '_':
	case 'a' ... 'z': goto yy4;
	default: goto yy6;
	}
yy6:
	{ return 0; }
}

}                                   //
                                    //
int main()                          //
{                                   // C/C++ code
    assert(lex("_Zer0") == 0);      //
    return 0;                       //
}                                   //

Leaving things there.  Need advice on releasing this given that the bug does not appear to be fixed.
Comment 8 David Walser 2020-09-13 17:51:24 CEST
I guess he thought he fixed it enough for the test case to pass, but not so much.  The upstream issue hasn't been closed yet either.

Status comment: (none) => Apparently not fully fixed upstream as of 2.0.3
Assignee: qa-bugs => pkg-bugs
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
CC: (none) => qa-bugs

Comment 9 Zombie Ryushu 2020-12-19 20:40:38 CET
re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.

URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2020-11958
CVE: (none) => CVE-2020-11958
CC: (none) => zombie_ryushu

David Walser 2020-12-28 17:09:58 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 10 Nicolas Lécureuil 2021-03-09 21:15:54 CET
can someone add comments in https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a ?

cf: https://security-tracker.debian.org/tracker/CVE-2020-11958

CC: (none) => mageia

Comment 11 Ulya Trofimovich 2021-03-12 23:23:05 CET
Hi, re2c developer here.

The original buffer overflow was fixed in https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a, and the reproducer in comment #7 limits stack size to 256 bytes, so there is a segfault due to a stack overflow in one of the recursive tree-walking functions. It is unrelated to buffer overflow.

There is another bug to get rid of recursion (https://github.com/skvadrik/re2c/issues/219), but it's somewhat low-priority as re2c is not required to work on systems with 256-byte stack.

CC: (none) => skvadrik

Comment 12 Nicolas Lécureuil 2021-03-13 09:40:26 CET
(In reply to Ulya Trofimovich from comment #11)
> Hi, re2c developer here.
> 
> The original buffer overflow was fixed in
> https://github.com/skvadrik/re2c/commit/
> c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a, and the reproducer in comment #7
> limits stack size to 256 bytes, so there is a segfault due to a stack
> overflow in one of the recursive tree-walking functions. It is unrelated to
> buffer overflow.
> 
> There is another bug to get rid of recursion
> (https://github.com/skvadrik/re2c/issues/219), but it's somewhat
> low-priority as re2c is not required to work on systems with 256-byte stack.

Thank you i really appreciate your answer :-)


we can then validate this bugreport and follow the other one to add it in mageia when fixed.

Assignee: pkg-bugs => qa-bugs

Comment 13 Len Lawrence 2021-03-13 16:46:50 CET
mga7, x86_64

Checked this in mga8 first to confirm that the short stack test continues to segfault.
In mga7 with the default stack the poc yields:
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
overflow-1.re:4:2: warning: control flow is undefined for strings that match '\x30 \x30 \x30 \x30 \x30 \x5F \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x5F
[...]
\x64 \x5F \x68 \x65 \x72 \x65 \x5F \x69 \x73 \x5F \x74 \x68 \x65 \x5F \x6F \x76 \x65 \x72 \x66 \x6C \x66 \x6F \x77 [\x0-\x3E\x40-\xFF]' ... and a few more, use default rule '*' [-Wundefined-control-flow]

The overflow-1.c file contains ~8218 labelled switch statements.

... which looks like the original buffer overflow issue handled better.  

Current version is re2c-2.0.3-1 here

In mga7, with the short stack this still segfaults.
$ ulimit -s 256
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
Segmentation fault (core dumped)

Is there an update in the wings?
Comment 14 Nicolas Lécureuil 2021-03-13 20:39:15 CET
there is no updates for this one yet, but i will take a look and provide one asap.

But i prefer this in a new bugreport, if you don't have any opposition.
Comment 15 Len Lawrence 2021-03-13 21:18:29 CET
Of course not.  Go ahead.
Aurelien Oudelet 2021-03-14 16:29:46 CET

Version: Cauldron => 8
CC: (none) => ouaurelien
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 16 Len Lawrence 2021-04-11 16:32:29 CEST
Referring to comment 14 it looks like we should close this and wait for a new bug to be posted.
Giving this an OK for Mageia 7.  Shall run it past Mageia 8 later with a view to validating it.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 17 Len Lawrence 2021-04-11 18:09:15 CEST
Found that it had been checked for Mageia 8 but tried it again.
re2c-2.0.3-1.mga8

CVE-2018-21232
$ re2c -o overflow-1.c --no-version --no-generation-date -W overflow-1.re
overflow-1.re:4:2: warning: control flow is undefined for strings that match '\x30 \x30 \x30 \x30 \x30 \x5F \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x61 \x5F
.....
76 \x65 \x72 \x66 \x6C \x66 \x6F \x77 [\x0-\x3E\x40-\xFF]' ... and a few more, use default rule '*' [-Wundefined-control-flow]

Skipped the short-stack test in view of the remark in comment 11.
Ran the test used previously, comment 7.
$ re2c 01_basic.re -o basic_01.c -i
That produced valid C code as before.

So, we let this go pending a further update.

CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update

Comment 18 Aurelien Oudelet 2021-04-12 15:48:34 CEST
(In reply to Nicolas Lécureuil from comment #10)
> can someone add comments in
> https://github.com/skvadrik/re2c/commit/
> c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a ?
> 
> cf: https://security-tracker.debian.org/tracker/CVE-2020-11958

Is this landed in the SRPM for Mageia 7?
Or it is an other Bug Report?


(In reply to Len Lawrence from comment #17)
> Found that it had been checked for Mageia 8 but tried it again.
> re2c-2.0.3-1.mga8
> 
> CVE-2018-21232
<snip>
> 
> So, we let this go pending a further update.

This is already in 8/core/release repository.


Assigning back to Mageia 7, adding NEEDINFO Status.

Source RPM: re2c-1.2.1-3.mga8.src.rpm => re2c-1.1.1-1.mga7.src.rpm
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK => (none)
CVE: CVE-2020-11958 => CVE-2018-21232
Version: 8 => 7
Keywords: validated_update => (none)
Status: NEW => NEEDINFO


Note You need to log in before you can comment on or make changes to this bug.