https://bugzilla.redhat.com/show_bug.cgi?id=1320995
Bug ID: 1320995
Summary: pcre: Segmentation fault on crafted regex when JIT is used
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: adam.stokes@gmail.com, andrew@beekhof.net, athmanem@gmail.com, csutherl@redhat.com, databases-maint@redhat.com, dknox@redhat.com, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, fidencio@redhat.com, jclere@redhat.com, jdornak@redhat.com, jdoyle@redhat.com, jgrulich@redhat.com, jmlich83@gmail.com, jorton@redhat.com, jtfas90@gmail.com, klember@redhat.com, lgao@redhat.com, lkundrak@v3.sk, marcandre.lureau@redhat.com, mbabacek@redhat.com, mclasen@redhat.com, mmaslano@redhat.com, myarboro@redhat.com, pmyers@valanet.net, ppisar@redhat.com, pslavice@redhat.com, rcollet@redhat.com, rjones@redhat.com, rmeggins@redhat.com, rsvoboda@redhat.com, sgrubb@redhat.com, t.sailer@alumni.ethz.ch, twalsh@redhat.com, walters@redhat.com, webstack-team@redhat.com, weli@redhat.com
It was reported that a segmentation fault in suricata appeared when a certain regex is processed by pcre_exec in libpcre3.
Bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819050
Adam Mariš amaris@redhat.com changed:
What       | Removed | Added
-----------|---------|--------
Depends On |         | 1320996
Depends On |         | 1320997
Depends On |         | 1320998
Depends On |         | 1320999
Depends On |         | 1321000
Depends On |         | 1321001
Depends On |         | 1321002
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1320996]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1320996 [Bug 1320996] pcre: Segmentation fault on crafted regex when JIT is used [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1320997 [Bug 1320997] mingw-pcre: pcre: Segmentation fault on crafted regex when JIT is used [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1320998 [Bug 1320998] glib2: pcre: Segmentation fault on crafted regex when JIT is used [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1320999 [Bug 1320999] mingw-glib2: pcre: Segmentation fault on crafted regex when JIT is used [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1321000 [Bug 1321000] mingw-pcre: pcre: Segmentation fault on crafted regex when JIT is used [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1321001 [Bug 1321001] mingw-glib2: pcre: Segmentation fault on crafted regex when JIT is used [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1321002 [Bug 1321002] suricata: pcre: Segmentation fault on crafted regex when JIT is used [fedora-all]
Adam Mariš amaris@redhat.com changed:
What   | Removed | Added
-------|---------|--------
Blocks |         | 1321003
--- Comment #2 from Adam Mariš amaris@redhat.com ---
Created suricata tracking bugs for this issue:
Affects: fedora-all [bug 1321002]
--- Comment #3 from Adam Mariš amaris@redhat.com ---
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1320998]
--- Comment #4 from Adam Mariš amaris@redhat.com ---
Created mingw-glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1320999]
Affects: epel-7 [bug 1321001]
--- Comment #5 from Adam Mariš amaris@redhat.com ---
Created mingw-pcre tracking bugs for this issue:
Affects: fedora-all [bug 1320997]
Affects: epel-7 [bug 1321000]
--- Comment #6 from Petr Pisar ppisar@redhat.com ---
Could you please provide a reproducer? The Debian bug report https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819050 is missing the "file" file content.
Moreover, the reporter claimed it happens with pcre-8.35 but not with 8.38. We have 8.38 in all supported Fedoras.
Andrej Nemec anemec@redhat.com changed:
What  | Removed | Added
------|---------|--------------
Alias |         | CVE-2014-9769
Andrej Nemec anemec@redhat.com changed:
What    | Removed                                                    | Added
--------|------------------------------------------------------------|------------------------------------------------------------------------
Summary | pcre: Segmentation fault on crafted regex when JIT is used | CVE-2014-9769 pcre: Segmentation fault on crafted regex when JIT is used
Andrej Nemec anemec@redhat.com changed:
What | Removed | Added
-----|---------|------------------
CC   |         | anemec@redhat.com
--- Comment #7 from Andrej Nemec anemec@redhat.com ---
CVE assignment:
http://seclists.org/oss-sec/2016/q1/704
--- Comment #8 from Petr Pisar ppisar@redhat.com ---
This was fixed with the upstream commit:
commit 60f995fc2f823183783633d5eb8af2eceb0bb663
Author: zherczeg zherczeg@2f5784b3-3f2a-0410-8824-cb99058d5e15
Date: Fri Apr 25 11:59:19 2014 +0000
Fixed an issue with nested table jumps.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1475 2f5784b3-3f2a-0410-8824-cb99058d5e15
and fixed in the subsequent pcre-8.36 release.
Reproducer from the commit:
$ printf '%s\n%s\n' '/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/' 'acb' | ./pcretest -s++
PCRE version 8.35 2014-04-04
re> Segmentation fault (core dumped)
Bug 1320995 depends on bug 1320996, which changed state.
Bug 1320996 Summary: CVE-2014-9769 pcre: Segmentation fault on crafted regex when JIT is used [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1320996
What       | Removed | Added
-----------|---------|---------------
Status     | NEW     | CLOSED
Resolution | ---     | CURRENTRELEASE
Bug 1320995 depends on bug 1321002, which changed state.
Bug 1321002 Summary: CVE-2014-9769 suricata: pcre: Segmentation fault on crafted regex when JIT is used [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1321002
What       | Removed | Added
-----------|---------|--------
Status     | NEW     | CLOSED
Resolution | ---     | NOTABUG
Tomas Hoger thoger@redhat.com changed:
What             | Removed                                                                  | Added
-----------------|--------------------------------------------------------------------------|-----------------------------------------------------------------------------
Status           | NEW                                                                      | CLOSED
Fixed In Version |                                                                          | pcre 8.36
Resolution       | ---                                                                      | NOTABUG
Summary          | CVE-2014-9769 pcre: Segmentation fault on crafted regex when JIT is used | CVE-2014-9769 pcre: incorrect nested table jumps when JIT is used (8.36/6)
Last Closed      |                                                                          | 2016-04-01 08:05:44
--- Comment #9 from Tomas Hoger thoger@redhat.com ---
The following post indicates that this issue was introduced in pcre version 8.35 via the following commit:
http://vcs.pcre.org/pcre?view=revision&revision=1434
and corrected in 8.36 using the following commit (the same one as pointed out in comment 8 above):
http://vcs.pcre.org/pcre?view=revision&revision=1475
Only upstream version 8.35 was affected by this issue. Red Hat products do not currently contain any package that includes pcre version 8.35.
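An added example, not code from the bug report or from the PCRE project: a small version gate that applies the rule stated in comments 8 and 9 (the JIT bug entered with 8.35 and was fixed in 8.36) so that an application only requests JIT study on releases other than 8.35. It assumes the PCRE1 `pcre_version()` ABI reachable through ctypes and the `pcre.h` value of `PCRE_STUDY_JIT_COMPILE`; the sample version strings are constructed from the pcretest banner quoted in comment 8.

```python
import ctypes
import ctypes.util
import re

# Option bit for pcre_study() from pcre.h (PCRE1 API); assumed, not quoted on the page.
PCRE_STUDY_JIT_COMPILE = 0x0001

# Comments 8 and 9: the nested table jump bug entered with 8.35 (r1434) and was
# fixed in 8.36 (r1475), so 8.35 is the only upstream release to keep off the JIT path.
AFFECTED_RELEASES = {(8, 35)}


def parse_pcre_version(text):
    """Extract (major, minor) from pcre_version() output such as '8.35 2014-04-04'
    or from a pcretest banner such as 'PCRE version 8.35 2014-04-04'."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError("no PCRE version number in %r" % text)
    return int(match.group(1)), int(match.group(2))


def jit_is_unsafe(version_text):
    """True when the reported release is the one whose JIT study path crashes."""
    return parse_pcre_version(version_text) in AFFECTED_RELEASES


def study_flags_for(version_text, want_jit=True):
    """Option bits to hand to pcre_study(): JIT only if wanted and the release is not affected."""
    if want_jit and not jit_is_unsafe(version_text):
        return PCRE_STUDY_JIT_COMPILE
    return 0


def installed_pcre_version():
    """Ask the system libpcre (PCRE1) for pcre_version(); None when it is not installed."""
    name = ctypes.util.find_library("pcre")
    if name is None:
        return None
    lib = ctypes.CDLL(name)
    lib.pcre_version.restype = ctypes.c_char_p
    lib.pcre_version.argtypes = []
    return lib.pcre_version().decode("ascii")


if __name__ == "__main__":
    version = installed_pcre_version()
    if version is None:
        print("libpcre (PCRE1) not found on this system")
    else:
        print("libpcre %s: pcre_study flags 0x%x" % (version, study_flags_for(version)))
```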
Bug 1320995 depends on bug 1321000, which changed state.
Bug 1321000 Summary: CVE-2014-9769 mingw-pcre: pcre: Segmentation fault on crafted regex when JIT is used [epel-7] https://bugzilla.redhat.com/show_bug.cgi?id=1321000
What       | Removed | Added
-----------|---------|---------------
Status     | NEW     | CLOSED
Resolution | ---     | CURRENTRELEASE
Bug 1320995 depends on bug 1320997, which changed state.
Bug 1320997 Summary: CVE-2014-9769 mingw-pcre: pcre: Segmentation fault on crafted regex when JIT is used [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1320997
What       | Removed | Added
-----------|---------|---------------
Status     | NEW     | CLOSED
Resolution | ---     | CURRENTRELEASE
Bug 1320995 depends on bug 1320998, which changed state.
Bug 1320998 Summary: CVE-2014-9769 glib2: pcre: Segmentation fault on crafted regex when JIT is used [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1320998
What       | Removed | Added
-----------|---------|--------
Status     | NEW     | CLOSED
Resolution | ---     | NOTABUG
Bug 1320995 depends on bug 1320999, which changed state.
Bug 1320999 Summary: CVE-2014-9769 mingw-glib2: pcre: Segmentation fault on crafted regex when JIT is used [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1320999
What       | Removed | Added
-----------|---------|--------
Status     | NEW     | CLOSED
Resolution | ---     | NOTABUG
Bug 1320995 depends on bug 1321001, which changed state.
Bug 1321001 Summary: CVE-2014-9769 mingw-glib2: pcre: Segmentation fault on crafted regex when JIT is used [epel-7] https://bugzilla.redhat.com/show_bug.cgi?id=1321001
What       | Removed | Added
-----------|---------|--------
Status     | NEW     | CLOSED
Resolution | ---     | NOTABUG
Tomas Hoger thoger@redhat.com changed:
Whiteboard changed.
Removed: impact=moderate,public=20160323,reported=20160323,source=debian,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-5/pcre=new,rhel-6/pcre=new,rhel-7/pcre=new,rhel-6/glib2=new,rhel-7/glib2=new,rhel-7/virtuoso-opensource=new,rhscl-2/php54-php=new,rhscl-2/php55-php=new,rhscl-2/rh-php56-php=new,rhscl-2/rh-mariadb100-mariadb=new,rhscl-2/rh-mariadb101-mariadb=new,jbews-1/httpd=new,jbews-2/httpd=new,jbews-3/pcre=new,directory_server_8/pcre=new,fedora-all/pcre=affected,fedora-all/mingw-pcre=affected,fedora-all/glib2=affected,fedora-all/mingw-glib2=affected,epel-7/mingw-pcre=affected,epel-7/mingw-glib2=affected,fedora-all/suricata=affected
Added: impact=moderate,public=20160323,reported=20160323,source=debian,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-5/pcre=notaffected,rhel-6/pcre=notaffected,rhel-7/pcre=notaffected,rhel-6/glib2=notaffected,rhel-7/glib2=notaffected,rhel-7/virtuoso-opensource=notaffected,rhscl-2/php54-php=notaffected,rhscl-2/php55-php=notaffected,rhscl-2/rh-php56-php=notaffected,rhscl-2/rh-mariadb100-mariadb=notaffected,rhscl-2/rh-mariadb101-mariadb=notaffected,jbews-1/httpd=notaffected,jbews-2/httpd=notaffected,jbews-3/pcre=notaffected,directory_server_8/pcre=notaffected,fedora-all/pcre=affected,fedora-all/mingw-pcre=affected,epel-7/mingw-pcre=affected,fedora-all/glib2=notaffected,fedora-all/mingw-glib2=notaffected,epel-7/mingw-glib2=notaffected
Tomas Hoger thoger@redhat.com changed:
What   | Removed | Added
-------|---------|--------
Blocks |         | 1285420