Bug 906574 (CVE-2014-8964) - VUL-1: CVE-2014-8964: pcre: heap buffer overflow
Summary: VUL-1: CVE-2014-8964: pcre: heap buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2014-8964
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/110951/
Whiteboard: CVSSv2:RedHat:CVE-2015-2327:3.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-21 12:10 UTC by Johannes Segitz
Modified: 2020-04-28 12:05 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2014-11-21 12:10:05 UTC
http://bugs.exim.org/show_bug.cgi?id=1546

Heap buffer overflow with certain regular expressions.

# echo "a" | /tmp/pcre-8.36/pcregrep "((?=(?(?=(?(?=(?(?=())))*))))){2}" -
=================================================================
==29857==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61000000fb94 at pc 0x7faf416f0dc6 bp 0x7fff9c91d3b0 sp 0x7fff9c91d3a8
READ of size 1 at 0x61000000fb94 thread T0
    #0 0x7faf416f0dc5 in match /tmp/pcre-8.36/pcre_exec.c:1410:9
    #1 0x7faf416dfe35 in match /tmp/pcre-8.36/pcre_exec.c:1538:7
    #2 0x7faf416e46de in match /tmp/pcre-8.36/pcre_exec.c:1399:7
    #3 0x7faf416dfe35 in match /tmp/pcre-8.36/pcre_exec.c:1538:7
    #4 0x7faf416ee260 in match /tmp/pcre-8.36/pcre_exec.c:983:9
    #5 0x7faf416dcd49 in pcre_exec /tmp/pcre-8.36/pcre_exec.c:6923:8
    #6 0x4a4580 in match_patterns /tmp/pcre-8.36/pcregrep.c:1449:10
    #7 0x4a13ca in pcregrep /tmp/pcre-8.36/pcregrep.c:1679:11
    #8 0x4a3624 in grep_or_recurse /tmp/pcre-8.36/pcregrep.c:2122:10
    #9 0x49efbf in main /tmp/pcre-8.36/pcregrep.c:3251:13
    #10 0x7faf405b7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #11 0x4172a6 in _start (/tmp/pcre-8.36/.libs/lt-pcregrep+0x4172a6)

A possible patch is described in the link provided above. Looks like SLE 12 and openSUSE 12.3, 13.1 and 13.2 are affected.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1166147
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964
http://bugs.exim.org/show_bug.cgi?id=1546
Comment 1 Swamp Workflow Management 2014-11-21 23:00:32 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-04-07 15:05:27 UTC
Analysis shows SLE 12 affected only.
Comment 3 Stephan Kulow 2015-04-24 07:50:02 UTC
Fixed in home:coolo:branches:OBS_Maintained:pcre/pcre.SUSE_SLE-12_Update
Comment 4 Stephan Kulow 2015-04-24 09:23:25 UTC
Created request id #56168 after checking the other VULs.
Comment 7 Swamp Workflow Management 2015-05-12 15:06:47 UTC
openSUSE-SU-2015:0858-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,924961
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2326
Sources used:
openSUSE 13.2 (src):    pcre-8.37-3.5.1
openSUSE 13.1 (src):    pcre-8.37-2.4.1
Comment 8 Viktor Kijasev 2015-07-08 14:25:40 UTC
mariadb-10.0.16-15.1.x86_64

MariaDB [(none)]> select 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
+-----------------------------------------------+
| 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}' |
+-----------------------------------------------+
|                                             1 |
+-----------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SELECT REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
+--------------------------------------------------------+
| REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}') |
+--------------------------------------------------------+
|                                                        |
+--------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SELECT REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
+-------------------------------------------------------+
| REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}') |
+-------------------------------------------------------+
|                                                     1 |
+-------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SELECT 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
+-----------------------------------------------+
| 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}' |
+-----------------------------------------------+
|                                             1 |
+-----------------------------------------------+
1 row in set (0.00 sec)

New version of mariadb:
mariadb-10.0.20-18.1.x86_64

MariaDB [test]> SELECT REGEXP_SUBSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp
MariaDB [test]> SELECT REGEXP_INSTR('a','((?=(?(?=(?(?=(?(?=())))*))))){2}');
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp
MariaDB [test]> SELECT 'a' RLIKE '((?=(?(?=(?(?=(?(?=())))*))))){2}';
ERROR 1139 (42000): Got error 'nothing to repeat at offset 24' from regexp

Is this OK?
Comment 9 Marcus Meissner 2015-07-08 14:48:07 UTC
looks good to me!
Comment 10 Viktor Kijasev 2015-07-09 12:03:38 UTC
For MariaDB

https://mariadb.com/kb/en/mariadb/security/
Comment 11 Swamp Workflow Management 2015-07-21 14:08:00 UTC
SUSE-SU-2015:1273-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906574,919053,919062,920865,920896,921333,924663,924960,924961,934789,936407,936408,936409
CVE References: CVE-2014-8964,CVE-2015-0433,CVE-2015-0441,CVE-2015-0499,CVE-2015-0501,CVE-2015-0505,CVE-2015-2325,CVE-2015-2326,CVE-2015-2568,CVE-2015-2571,CVE-2015-2573,CVE-2015-3152
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Software Development Kit 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Server 12 (src):    mariadb-10.0.20-18.1
SUSE Linux Enterprise Desktop 12 (src):    mariadb-10.0.20-18.1
Comment 13 Swamp Workflow Management 2016-12-02 15:07:52 UTC
SUSE-SU-2016:2971-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP1 (src):    pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    pcre-8.39-5.1
Comment 14 Swamp Workflow Management 2016-12-12 18:11:32 UTC
openSUSE-SU-2016:3099-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
openSUSE Leap 42.2 (src):    pcre-8.39-6.1
openSUSE Leap 42.1 (src):    pcre-8.39-5.1
Comment 15 Swamp Workflow Management 2016-12-15 15:07:38 UTC
SUSE-SU-2016:3161-1: An update that fixes 25 vulnerabilities is now available.

Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server for SAP 12 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP1 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Server 12-LTSS (src):    pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    pcre-8.39-7.1
Comment 16 Swamp Workflow Management 2018-12-03 18:20:49 UTC
This is an autogenerated message for OBS integration:
This bug (906574) was mentioned in
https://build.opensuse.org/request/show/653587 Backports:SLE-12 / pcre2
Comment 18 Alexandros Toptsoglou 2020-04-28 12:05:00 UTC
Done