Roundup: [oss-security] libpcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)
Here is a report from the oss-security mailing list for Vulnerability Roundup 27.
Instructions:
Identification
Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.
Example:
unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:
fixed:
release-16.09: abc123
Upon Completion ...
- [ ] Update Graham's database
Info
Triage Indicator:
-needs-triage +roundup27 thread:0000000000004260
- File Search: https://search.nix.gsc.io/?q=UNKNOWN&i=fosho&repos=nixos-nixpkgs
- GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=UNKNOWN+in%3Apath&type=Code
Should the search term be changed from UNKNOWN? Suggest a new package search by commenting:
-suggested:UNKNOWN +suggested:correctPackageName thread:0000000000004260
Known CVEs: CVE-2017-7244
Mon, 20 Mar 2017 10:31:24 +0000 "Agostino Sarubbo" <ago-at-gentoo.org>, 620190.49757825-sendEmail@localhost
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed an invalid memory read. Upstream says that this bug is fixed by one of the previous commits. However, I’m providing the stacktrace and the reproducer as usual, so if you are not running the latest upstream release, as happens on Debian/RHEL based distros, you may want to check the status of this bug more carefully.
The complete ASan output:
# pcretest -32 -d $FILE
==27914==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3f580efe04 (pc 0x7f3f577b8048 bp 0x7ffcb035b390 sp 0x7ffcb035b320 T0)
==27914==The signal is caused by a READ memory access.
#0 0x7f3f577b8047 in _pcre32_xclass /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_xclass.c:135:30
#1 0x7f3f576137ca in match /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:3203:16
#2 0x7f3f575e7226 in pcre32_exec /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:6936:8
#3 0x527d6c in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5218:9
#4 0x7f3f565b478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#5 0x41b438 in _init (/usr/bin/pcretest+0x41b438)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_xclass.c:135:30 in _pcre32_xclass
==27914==ABORTING
Affected version:
8.40
Fixed version:
8.41 (not released atm)
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Reproducer:
https://github.com/asarubbo/poc/blob/master/00206-pcre-invalidread-_pcre32_xclass
Timeline:
2017-02-24: bug discovered and reported to upstream
2017-03-20: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c
--
Agostino Sarubbo
Gentoo Linux Developer
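Triage of fuzzer crash reports like the one above is easier to automate than to eyeball. The following is an added example (not part of the roundup template or of Agostino's mail): a small Python parser for the ASan output quoted above that extracts the error kind, the access direction and the stack frames, then picks the first symbolized frame that is not in the pcretest harness, which is the library location a packager wants to look at. The sample report is constructed inline from the mail; the harness file name `pcretest.c` is an assumption for this driver.

```python
import re
from collections import namedtuple

# Constructed sample: the ASan report quoted in the mail above, trimmed to the
# lines the parser consumes; frame #5 is kept because it has no source location.
SAMPLE = """\
==27914==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3f580efe04 (pc 0x7f3f577b8048 bp 0x7ffcb035b390 sp 0x7ffcb035b320 T0)
==27914==The signal is caused by a READ memory access.
    #0 0x7f3f577b8047 in _pcre32_xclass /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_xclass.c:135:30
    #1 0x7f3f576137ca in match /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:3203:16
    #3 0x527d6c in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5218:9
    #5 0x41b438 in _init (/usr/bin/pcretest+0x41b438)
"""

Frame = namedtuple("Frame", "index func path line")  # line is None when unsymbolized
AsanReport = namedtuple("AsanReport", "pid kind access frames")  # access: READ/WRITE/None

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (.+)$")
LOC_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")  # path:line[:col]

def parse_asan(text):
    pid = kind = access = None
    frames = []
    for raw in text.splitlines():
        if m := ERROR_RE.match(raw):
            pid, kind = int(m.group(1)), m.group(2)
        elif m := ACCESS_RE.search(raw):
            access = m.group(1)
        elif m := FRAME_RE.match(raw):
            loc = LOC_RE.match(m.group(3))
            path, line = (loc.group(1), int(loc.group(2))) if loc else (m.group(3), None)
            frames.append(Frame(int(m.group(1)), m.group(2), path, line))
    if pid is None:
        raise ValueError("no 'ERROR: AddressSanitizer' line found")
    return AsanReport(pid, kind, access, frames)

def crash_site(report, harness_files=("pcretest.c",)):
    """First symbolized frame outside the fuzzing harness (assumed: pcretest.c)."""
    for f in report.frames:
        if f.line is not None and not f.path.endswith(harness_files):
            return f
    raise ValueError("no symbolized frame outside the harness")

def triage_line(report):
    """One-line summary of the kind a roundup comment would quote."""
    site = crash_site(report)
    access = f" {report.access}" if report.access else ""
    return f"{report.kind}{access} in {site.func} at {site.path.rsplit('/', 1)[-1]}:{site.line}"
```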
Fri, 24 Mar 2017 10:47:48 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 2055295.Eyc2jNN39U@blackgate
On Monday 20 March 2017 10:31:24 Agostino Sarubbo wrote:
> Permalink:
> https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c
This is CVE-2017-7244
--
Agostino Sarubbo
Gentoo Linux Developer