Package: libpcre3
Version: 2:8.35-3.3+deb8u2
Severity: serious
Dear Maintainer,
When investigating a segmentation fault in suricata it was showing the
crash
is caused by libpcre3 when pcre_exec of a certain regex is called.
Further investigations have shown that also prcegrep using the regex
resulted
is a segfault.
pcregrep
'\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)'
file
Segmentation fault
If the jit is disabled the crash does not happen
pcregrep --no-jit
'\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)'
file
This can be used to remotely crash Suricata when used with the open
emergingthreats rules which contain the above regex.
The crash does no longer happen in stretch/sid which has a newer pcre
version.
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
