Hi Matthew,

On Thu, Apr 23, 2015 at 06:44:05PM +0100, Matthew Vernon wrote:
> On 23/04/15 18:30, Salvatore Bonaccorso wrote:
> > Hi Matthew,
> > 
> > On Thu, Apr 23, 2015 at 06:21:27PM +0100, Matthew Vernon wrote:
> >> Hi,
> >>
> >> On 03/04/15 10:30, Salvatore Bonaccorso wrote:
> >>
> >>> the following vulnerability was published for pcre3.
> >>>
> >>> CVE-2015-2325[0]:
> >>> heap buffer overflow in compile_branch()
> >>
> >> Thanks for the bug report.
> >>
> >>> I was not able to reproduce the actual overflow with the reproducer,
> >>> but comment #1 [1] in upstream bug report suggest that the bug is
> >>> present. With the attached (backported) but only lightly tested patch
> >>> the issue running the reproducer goes away.
> >>
> >> I've only just taken over maintaining pcre3; my feeling is that at this
> >> point in the release cycle I shouldn't be trying to get a freeze
> >> exception in a widely-depended-upon library for a severity:important bug.
> > 
> > Yes definitively, the release is now really close and this can be
> > deferred.
> > 
> > Btw, there is as well
> > https://security-tracker.debian.org/tracker/CVE-2015-2326 (but for
> > this one I have not started any investigation, so would be great if
> > you can have a look at this as well if possible).
> 
> My version of pcregrep simply objects to the regexes supplied as POC in
> that bug report:
> 
> mcv21@pick:~$ pcregrep '/((?+1)(\1))/' foo.txt
> pcregrep: Error while studying regex: internal error: missing capturing
> bracket

So I'm able to reproduce an invalid read, compiled with
DEB_BUILD_OPTIONS='hardening=-all noopt nostrip', so the bug seems to
be present at least in unstable:

==15739== Memcheck, a memory error detector
==15739== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==15739== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==15739== Command: .libs/pcretest
==15739== 
PCRE version 8.35 2014-04-04

  re> /((?i)(?+1)a(a|b\1))\s+\1/
==15739== Invalid read of size 1
==15739==    at 0x4E3863D: could_be_empty_branch (pcre_compile.c:2395)
==15739==    by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468)
==15739==    by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468)
==15739==    by 0x4E4523C: pcre_compile2 (pcre_compile.c:9462)
==15739==    by 0x4E439B3: pcre_compile (pcre_compile.c:8734)
==15739==    by 0x10EC7B: main (pcretest.c:4023)
==15739==  Address 0x58a39a2 is 32,898 bytes inside an unallocated block of size 4,093,632 in arena "client"
==15739== 
data> abc
Error -26 (nested recursion at the same subject position)

Will file another bug to track CVE-2015-2326 separately. It seems to
be due to some refactoring that happened between 8.33 and 8.36 if I see it
correctly.

Regards,
Salvatore

