On Sun, 26 Mar 2017, Salvatore Bonaccorso wrote:

> Sure, apologies if this was too terse. So the CVE-2017-7245 issue, some
> references are here:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-7245
> 
> the reporter blog is at
> https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
> and the file to reproduce this issue is located in his git repository
> at
> https://github.com/asarubbo/poc/blob/master/00207-pcre-stackoverflow-pcre32_copy_substring
> 
> I was able to reproduce the issue with an ASAN build of pcre3 from the
> VCS checkout at revision r1689.
> 
> Does this help? Or do you need any further information from me?

I'm still having a problem reproducing this. Using

CFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure --enable-pcre32 --disable-shared

(that is, compiling with gcc), I get no crash. I don't seem to be able 
to compile with clang at the moment because I'm getting a linker error:

/source/pcre/.libs/libpcre.a(libpcre_la-pcre_compile.o): In function 
`asan.module_ctor':
pcre_compile.c:(.text+0x361e7): undefined reference to 
`__asan_version_mismatch_check_v8'

I can compile and link "Hello World" with clang, no problem, so I am a
bit mystified. However, I have to stop for the day now and won't get
back to this for at least 24 hours.

Oh! STOP PRESS. I have managed to get an error out of valgrind. It might 
be the same thing as you are seeing, but it looks a bit different. 
However, I haven't the time to look now. (If it turns out to be a bug in 
pcretest, as opposed to the library, I have to say I am less interested 
in trying to fix it.)

Incidentally, you are, I hope, aware that the 8.xx PCRE releases have 
been in "maintenance only" mode for over 2 years now. I am rapidly 
forgetting details of the PCRE1 code. I know Debian takes its time, but 
I do hope there is a plan to move to PCRE2 in due course.

Regards,
Philip

-- 
Philip Hazel