Bugzilla – Bug 933878
VUL-1: CVE-2015-3217: pcre: PCRE Library Call Stack Overflow Vulnerability in match()
Last modified: 2022-05-20 14:15:19 UTC
via oss-sec
From: wen_guanxing <wen_guanxing@venustech.com.cn>
Subject: [oss-security] CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match()
Date: Wed, 3 Jun 2015 22:23:40 +0800

PCRE library is prone to a vulnerability which leads to Stack Overflow. Without enough bound checking inside match(), the stack memory could be overflowed via a crafted regular expression. Since PCRE library is widely used, this vulnerability should affect many applications. At least, an attacker may exploit this issue to DOS the user running the affected application.

Reference: https://bugs.exim.org/show_bug.cgi?id=1638
from reporter: As far as I tested, 8.33, 8.34, 8.35, 8.36, 8.37 were confirmed to be affected. PCRE2 10.10 is also confirmed to be vulnerable. Other versions may also be affected.
from reporter: Although PHP is not setting the match_limit_recursion correctly, this pattern revealed a bug in the zero length recursion detector. Running the pattern with pcretest, the process will also hang. It's fair to say that both PHP and PCRE have made a mistake. I will report this to PHP later.

From: Felipe Pena <felipensp@gmail.com>
AFAIK this is not a bug on PHP at all, this is a long time known issue on PCRE lib instead. Check the documentation for further details: http://pcre.org/current/doc/html/pcre2stack.html
from reporter: Thanks for your explanation. It has also been confirmed from PHP that this is not a bug of their product:

"We cannot do much for it. Increase the stack of your server (apache has an option for that for example) or simplify your regex. One should really not feed pcre with custom inputs :)"

Cheers, Wen.
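The two comments above turn on one mechanism: PCRE's match() recurses once per backtracking point, so a crafted pattern drives the C stack to exhaustion unless the caller bounds that depth (PCRE's match_limit_recursion, which PHP was reportedly not setting). The following is an added example written for this bug entry, not PCRE's or PHP's code: a Pike-style recursive backtracking matcher (literals, '.', 'c*', '^', '$') with a depth bound modelled on match_limit_recursion. The return code MATCH_ERR_RECURSIONLIMIT and the helper names are this example's own (hypothetical) names; they mirror PCRE's PCRE_ERROR_RECURSIONLIMIT only in spirit. crafted_pattern() builds the kind of long pattern that makes nesting depth grow with pattern length, which is what a bound must catch.

```c
/* Added example (not PCRE code): a minimal recursive backtracking matcher
 * with a recursion-depth bound, modelling what match_limit_recursion buys.
 * Supports: literal chars, '.', 'c*', leading '^', trailing '$'. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MATCH_NO                  0
#define MATCH_YES                 1
#define MATCH_ERR_RECURSIONLIMIT (-1)  /* hypothetical; plays the role of PCRE_ERROR_RECURSIONLIMIT */

struct ctx {
    size_t depth;      /* current nesting depth of matchhere() */
    size_t max_depth;  /* deepest point reached, for diagnostics */
    size_t limit;      /* bound on depth; 0 = unbounded (the unsafe mode) */
};

static int matchhere(const char *re, const char *text, struct ctx *c);

/* Try the rest of the pattern after zero or more occurrences of ch. */
static int matchstar(int ch, const char *re, const char *text, struct ctx *c)
{
    do {
        int r = matchhere(re, text, c);
        if (r != MATCH_NO) return r;   /* MATCH_YES or an error: propagate as-is */
    } while (*text != '\0' && (*text++ == ch || ch == '.'));
    return MATCH_NO;
}

/* Match re at the start of text. Every call is one more stack frame, so the
 * bound is checked here before descending, exactly where PCRE needs it. */
static int matchhere(const char *re, const char *text, struct ctx *c)
{
    int r;
    if (c->limit && c->depth >= c->limit)
        return MATCH_ERR_RECURSIONLIMIT;   /* refuse instead of overflowing the stack */
    c->depth++;
    if (c->depth > c->max_depth) c->max_depth = c->depth;

    if (re[0] == '\0')
        r = MATCH_YES;
    else if (re[1] == '*')
        r = matchstar(re[0], re + 2, text, c);
    else if (re[0] == '$' && re[1] == '\0')
        r = (*text == '\0') ? MATCH_YES : MATCH_NO;
    else if (*text != '\0' && (re[0] == '.' || re[0] == *text))
        r = matchhere(re + 1, text + 1, c);
    else
        r = MATCH_NO;

    c->depth--;
    return r;
}

/* Search for re anywhere in text with a depth bound (0 = unbounded).
 * Returns MATCH_YES, MATCH_NO or MATCH_ERR_RECURSIONLIMIT. */
int match_limited(const char *re, const char *text, size_t depth_limit, size_t *max_depth_out)
{
    struct ctx c = {0, 0, depth_limit};
    int r;
    if (re[0] == '^') {
        r = matchhere(re + 1, text, &c);
    } else {
        do {
            r = matchhere(re, text, &c);
            if (r != MATCH_NO) break;
        } while (*text++ != '\0');
    }
    if (max_depth_out) *max_depth_out = c.max_depth;
    return r;
}

/* Deepest nesting an unbounded match of re against text reaches. */
size_t max_depth_for(const char *re, const char *text)
{
    size_t d = 0;
    match_limited(re, text, 0, &d);
    return d;
}

/* Constructed input: n repeated "a*" elements. Each element costs one
 * matchhere() frame, so depth grows linearly with pattern length. */
char *crafted_pattern(size_t n)
{
    char *p = malloc(2 * n + 1);
    if (!p) return NULL;
    for (size_t i = 0; i < n; i++) { p[2 * i] = 'a'; p[2 * i + 1] = '*'; }
    p[2 * n] = '\0';
    return p;
}

int main(void)
{
    size_t d = 0;
    char *p = crafted_pattern(100000);
    int r = match_limited(p, "aaa", 1000, &d);   /* bounded: returns an error code */
    printf("crafted pattern: result=%d depth reached=%zu\n", r, d);
    free(p);
    return 0;
}
```

With the bound set, the crafted pattern fails closed with MATCH_ERR_RECURSIONLIMIT after exactly `limit` frames; with the bound at 0 the same pattern recurses some 200,000 frames deep, which is the stack exhaustion the advisory describes. The caller-visible lesson matches the PHP reply above: either give the thread enough stack, or bound recursion and treat the error code as a match failure rather than a crash.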
it's much easier to DoS sites that accept user provided REs - do we really have to track every non-exploitable crash in this library? We will never finish doing so.
upstream seems also very reluctant to accept it as bug
bugbot adjusting priority
What is your interpretation of the following changes...

svn log svn://vcs.exim.org/pcre/code/trunk -c1559,1560,1562 -v
------------------------------------------------------------------------
r1559 | ph10 | 2015-05-16 13:05:40 +0200 (Sat, 16 May 2015) | 2 lines
Changed paths:
   M /code/trunk/ChangeLog
   M /code/trunk/pcre_compile.c
   M /code/trunk/testdata/testinput1
   M /code/trunk/testdata/testoutput1

Fix named forward reference to duplicate group number overflow bug.
------------------------------------------------------------------------
r1560 | ph10 | 2015-05-19 18:02:06 +0200 (Tue, 19 May 2015) | 2 lines
Changed paths:
   M /code/trunk/ChangeLog
   M /code/trunk/pcre_compile.c
   M /code/trunk/testdata/testinput2
   M /code/trunk/testdata/testoutput2

Fix buffer overflow for lookbehind within mutually recursive subroutines.
------------------------------------------------------------------------
r1562 | ph10 | 2015-06-03 18:51:59 +0200 (Wed, 03 Jun 2015) | 2 lines
Changed paths:
   M /code/trunk/ChangeLog
   M /code/trunk/pcre_compile.c
   M /code/trunk/testdata/testinput2
   M /code/trunk/testdata/testoutput11-16
   M /code/trunk/testdata/testoutput11-32
   M /code/trunk/testdata/testoutput11-8
   M /code/trunk/testdata/testoutput2

Fix another buffer overflow.
------------------------------------------------------------------------
This is fixed in the upstream release 8.38
This is an autogenerated message for OBS integration: This bug (933878) was mentioned in https://build.opensuse.org/request/show/437711 13.2 / pcre
openSUSE-SU-2016:2805-1: An update that solves 6 vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 933288,933878,936227,942865,957566,957598,960837,971741,972127
CVE References: CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2016-1283,CVE-2016-3191
Sources used:
openSUSE 13.2 (src): pcre-8.39-3.8.1
SUSE-SU-2016:2971-1: An update that fixes 25 vulnerabilities is now available.
Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Server 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise High Availability 12-SP1 (src): pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP2 (src): pcre-8.39-5.1
SUSE Linux Enterprise Desktop 12-SP1 (src): pcre-8.39-5.1
openSUSE-SU-2016:3099-1: An update that fixes 25 vulnerabilities is now available.
Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
openSUSE Leap 42.2 (src): pcre-8.39-6.1
openSUSE Leap 42.1 (src): pcre-8.39-5.1
SUSE-SU-2016:3161-1: An update that fixes 25 vulnerabilities is now available.
Category: security (moderate)
Bug References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127
CVE References: CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server for SAP 12 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Server 12-LTSS (src): pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise High Availability 12-SP1 (src): pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP2 (src): pcre-8.39-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src): pcre-8.39-7.1
Looks done to me, but evaluate yourself
Done.