https://bugzilla.redhat.com/show_bug.cgi?id=1311503
Bug ID: 1311503
Summary: pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: thoger@redhat.com
CC: adam.stokes@gmail.com, andrew@beekhof.net, csutherl@redhat.com, databases-maint@redhat.com, dknox@redhat.com, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, fidencio@redhat.com, jclere@redhat.com, jdornak@redhat.com, jdoyle@redhat.com, jgrulich@redhat.com, jorton@redhat.com, klember@redhat.com, lgao@redhat.com, lkundrak@v3.sk, marcandre.lureau@redhat.com, mbabacek@redhat.com, mclasen@redhat.com, mmaslano@redhat.com, myarboro@redhat.com, pmyers@valanet.net, ppisar@redhat.com, pslavice@redhat.com, rcollet@redhat.com, rjones@redhat.com, rmeggins@redhat.com, rsvoboda@redhat.com, t.sailer@alumni.ethz.ch, twalsh@redhat.com, walters@redhat.com, webstack-team@redhat.com, weli@redhat.com
ZDI reported a stack-based buffer overflow in pcre and pcre2. ZDI-CAN-3542 id is used to identify the issue.
https://bugs.exim.org/show_bug.cgi?id=1791
PCRE does not validate that handling the (*ACCEPT) verb will occur within the bounds of the cworkspace stack buffer, leading to a stack buffer overflow.
Fixed upstream in pcre and pcre2 via the following commits:
http://vcs.pcre.org/pcre?view=revision&revision=1631
http://vcs.pcre.org/pcre2?view=revision&revision=489
Issue is triggered by the following pattern:
/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
PCRE 8.00 seems to be the first affected version.
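Added example, not part of the original report and not PCRE's code: a simplified C model of the missing check described above, in which each open group costs a fixed-size close record at (*ACCEPT) and the emitter refuses to write past the workspace. The workspace size, record layout, opcode value and function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define WORKSPACE_SIZE 256 /* hypothetical size, not PCRE's real workspace */
#define CLOSE_RECORD 3     /* assumed: 1 opcode byte + 2-byte group number */

/* Toy compile pass: tracks open groups and, at (*ACCEPT), emits one close
   record per open group. Returns bytes used, or -1 if ws is too small. */
long compile_model(const char *pat, unsigned char *ws, size_t ws_size)
{
    size_t used = 0;
    unsigned depth = 0, in_class = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }   /* escaped character */
        if (in_class) { if (*p == ']') in_class = 0; continue; }
        if (*p == '[') { in_class = 1; continue; }
        if (strncmp(p, "(*ACCEPT)", 9) == 0) {
            /* The bounds check the report says was missing. */
            if ((size_t)depth * CLOSE_RECORD > ws_size - used) return -1;
            for (unsigned n = depth; n > 0; n--) {
                ws[used++] = 0xC1;                   /* constructed opcode */
                ws[used++] = (unsigned char)(n >> 8);
                ws[used++] = (unsigned char)(n & 0xff);
            }
            p += 8;                                  /* skip the verb */
            continue;
        }
        if (*p == '(') depth++;                      /* counts every group */
        else if (*p == ')' && depth > 0) depth--;
    }
    return (long)used;
}

/* Builds a constructed pattern: `depth` unclosed "([00]" groups + (*ACCEPT). */
long check_nested(unsigned depth)
{
    static char pat[8192];
    unsigned char ws[WORKSPACE_SIZE];
    size_t len = 0;
    for (unsigned i = 0; i < depth && len + 16 < sizeof pat; i++, len += 5)
        memcpy(pat + len, "([00]", 5);
    memcpy(pat + len, "(*ACCEPT)", 10);              /* includes the NUL */
    return compile_model(pat, ws, sizeof ws);
}

int main(void)
{
    printf("depth 10 -> %ld, depth 100 -> %ld\n", check_nested(10), check_nested(100));
    return 0;
}
```

The model counts every opening parenthesis as a group, so it over-approximates the depth for patterns that use non-capturing groups.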
Tomas Hoger thoger@redhat.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Blocks  |        |1295388
Hello,
Ok, I am unfortunately unsubscribing from fedora-mingw as there are too many emails from bugzilla. I suggested not sending the security emails, but it seems nobody cares.
Thanks, Nerijus
On Wed, 24 Feb 2016 11:42:30 +0000 bugzilla@redhat.com wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1311503
Tomas Hoger thoger@redhat.com changed:
What |Removed |Added
--- Comment #1 from Tomas Hoger thoger@redhat.com ---
The above fix was already applied to Fedora pcre and pcre2 packages.
Andrej Nemec anemec@redhat.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Alias   |        |CVE-2016-3191
Andrej Nemec anemec@redhat.com changed:
What: Summary
Removed: pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
Added: CVE-2016-3191 pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
--- Comment #2 from Andrej Nemec anemec@redhat.com ---
CVE assigned by Mitre today, via CVENEW.
Tomas Hoger thoger@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Priority  |medium  |high
Severity  |medium  |high

What: Whiteboard
Removed: impact=moderate,public=20160209,reported=20160224,source=internet,cwe=CWE-121,rhel-5/pcre=notaffected,rhel-6/pcre=notaffected,rhel-7/pcre=affected,fedora-all/pcre=affected,fedora-all/mingw-pcre=affected,epel-7/mingw-pcre=affected,fedora-all/pcre2=affected,epel-all/pcre2=affected,rhel-6/glib2=affected,rhel-7/glib2=affected,fedora-all/glib2=affected,fedora-all/mingw-glib2=affected,epel-7/mingw-glib2=affected,rhel-7/virtuoso-opensource=notaffected,rhscl-2/php54-php=affected,rhscl-2/php55-php=affected,rhscl-2/rh-php56-php=affected,rhscl-2/rh-mariadb100-mariadb=affected,rhscl-2/rh-mariadb101-mariadb=affected,jbews-1/httpd=notaffected,jbews-2/httpd=notaffected,jbews-3/pcre=wontfix,directory_server_8/pcre=notaffected
Added: impact=important,public=20160209,reported=20160224,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-121,rhel-5/pcre=notaffected,rhel-6/pcre=notaffected,rhel-7/pcre=affected,fedora-all/pcre=affected,fedora-all/mingw-pcre=affected,epel-7/mingw-pcre=affected,fedora-all/pcre2=affected,epel-all/pcre2=affected,rhel-6/glib2=affected,rhel-7/glib2=affected,fedora-all/glib2=affected,fedora-all/mingw-glib2=affected,epel-7/mingw-glib2=affected,rhel-7/virtuoso-opensource=notaffected,rhscl-2/php54-php=affected,rhscl-2/php55-php=affected,rhscl-2/rh-php56-php=affected,rhscl-2/rh-mariadb100-mariadb=affected,rhscl-2/rh-mariadb101-mariadb=affected,jbews-1/httpd=notaffected,jbews-2/httpd=notaffected,jbews-3/pcre=wontfix,directory_server_8/pcre=notaffected
Tomas Hoger thoger@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Depends On  |        |1330490
Depends On  |        |1330491
Tomas Hoger thoger@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Depends On  |        |1330494
Tomas Hoger thoger@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Depends On  |        |1330508
Depends On  |        |1330509
--- Comment #6 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1025 https://rhn.redhat.com/errata/RHSA-2016-1025.html