Bug 1025709 (CVE-2017-6004) - VUL-1: CVE-2017-6004: pcre: crafted regular expression may cause denial of service
Status: RESOLVED FIXED
Alias: CVE-2017-6004
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Normal
Target Milestone: unspecified
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/180627/
Whiteboard: CVSSv3.1:SUSE:CVE-2017-6004:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-16 15:47 UTC by Mikhail Kasimov
Modified: 2024-05-09 18:20 UTC (History)
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Mikhail Kasimov 2017-02-16 15:47:33 UTC
Ref: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6004
====================================================================
Original release date: 02/16/2017
Last revised: 02/16/2017
Source: US-CERT/NIST
Awaiting Analysis

This vulnerability is currently awaiting analysis.
Overview

The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.
References to Advisories, Solutions, and Tools



External references (CONFIRM):
https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
https://bugs.exim.org/show_bug.cgi?id=2035

====================================================================

From https://bugs.exim.org/show_bug.cgi?id=2035
====================================================================
Segmentation fault in php_src/ext/pcre/pcrelib/pcre_jit_compile.c:7336.

$ php -r "echo PCRE_VERSION;"
8.38 2015-11-23
$ php -v
PHP 7.1.1 (cli) (built: Feb 12 2017 15:35:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies


Test script:
---------------
<?php
$pattern = "/(((?(?!))0(?1))(?''))/";
preg_match($pattern, "helloworld");
?>


Actual result:
--------------
ASAN Result:
==106214==ERROR: AddressSanitizer: SEGV on unknown address 0x60b000017fe0 (pc 0x000000750be8 bp 0x7ffe5a0aeb60 sp 0x7ffe5a0adf00 T0)
==106214==The signal is caused by a READ memory access.
   #0 0x750be7 in compile_bracket_matchingpath (/tmp/php+0x750be7)
   #1 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
   #2 0x750fe3 in compile_bracket_matchingpath (/tmp/php+0x750fe3)
   #3 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
   #4 0x711ebd in compile_recurse (/tmp/php+0x711ebd)
   #5 0x6fbe01 in _pcre_jit_compile (/tmp/php+0x6fbe01)
   #6 0x6e99ed in php_pcre_study (/tmp/php+0x6e99ed)
   #7 0x77b1ce in pcre_get_compiled_regex_cache (/tmp/php+0x77b1ce)
   #8 0x79aa23 in php_do_pcre_match (/tmp/php+0x79aa23)
   #9 0x78a61e in zif_preg_match (/tmp/php+0x78a61e)
   #10 0x1a52c81 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (/tmp/php+0x1a52c81)
   #11 0x17c8be3 in execute_ex (/tmp/php+0x17c8be3)
   #12 0x17cae8a in zend_execute (/tmp/php+0x17cae8a)
   #13 0x15c0a84 in zend_execute_scripts (/tmp/php+0x15c0a84)
   #14 0x1351285 in php_execute_script (/tmp/php+0x1351285)
   #15 0x1c94879 in do_cli (/tmp/php+0x1c94879)
   #16 0x1c91ca0 in main (/tmp/php+0x1c91ca0)
   #17 0x7f98bd6d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
   #18 0x43a768 in _start (/tmp/php+0x43a768)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/php+0x750be7) in compile_bracket_matchingpath


GDB backtrace:
#0  0x0000000000661138 in compile_bracket_matchingpath (common=0x7fffffffa5e8, cc=0x1f04d4f "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:7336
#1  0x000000000062aa23 in compile_matchingpath (common=0x7fffffffa5e8, cc=<optimized out>, ccend=0x1f04d57 "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:8497
#2  0x0000000000609e7c in compile_recurse (common=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:9719
#3  _pcre_jit_compile (re=0x1f04d00, extra=0x1f04d70, mode=0) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:10223
#4  0x00000000005e97d5 in php_pcre_study (external_re=0x1f04d00, options=1, errorptr=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_study.c:1628
#5  0x00000000006ac7e9 in pcre_get_compiled_regex_cache (regex=0x7ffff3c71120) at ext/pcre/php_pcre.c:518
#6  0x00000000006bf5dc in php_pcre_replace (regex=0x1f1b541, subject=<optimized out>, subject_len=<optimized out>, replace_val=<optimized out>, is_callable_replace=<optimized out>, limit=<optimized out>, replace_count=<optimized out>, subject_str=<optimized out>) at ext/pcre/php_pcre.c:1132
#7  php_replace_in_subject (regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=<optimized out>, limit=-1, is_callable_replace=0, replace_count=0x7fffffffabf4) at ext/pcre/php_pcre.c:1495
#8  0x00000000006be0ff in preg_replace_impl (return_value=0x7fffffffac78, regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=0x7ffff3c13250, limit_val=-1, is_callable_replace=0, is_filter=<optimized out>) at ext/pcre/php_pcre.c:1554
#9  0x00000000006bb5ef in zif_preg_filter (execute_data=0x7ffff3c131e0, return_value=0x7fffffffac78) at ext/pcre/php_pcre.c:1721
#10 0x00000000015ba4b5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:628
#11 0x00000000014a7510 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#12 0x00000000014a812b in zend_execute (op_array=0x7ffff3c7d000, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#13 0x0000000001371f21 in zend_execute_scripts (type=<optimized out>, retval=0x0, file_count=3) at Zend/zend.c:1474
#14 0x00000000011a84dc in php_execute_script (primary_file=0x7fffffffe218) at main/main.c:2537
#15 0x00000000016a555d in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:993
#16 0x00000000016a1dd9 in main (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:1381
====================================================================

https://software.opensuse.org/package/php7

TW: 7.0.15 (official repo)
42.2: 7.0.7 (official repo)

devel:languages:php repo: 7.1.1
Comment 1 Andreas Stieger 2017-02-16 19:51:44 UTC
Affects pcre, not PHP.

On php5/7:

> BuildRequires:  pcre-devel
> [...]
> %{__rm} -r ext/pcre/pcrelib
> [...]
> %if 0%{?suse_version} > 1010
>         --with-pcre-regex=%{_usr} \
> %else
>         --with-pcre-regex \
> %endif
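The reproduction in the description crashes inside PCRE's JIT compiler (`_pcre_jit_compile`, reached from `php_pcre_study`), and comment 1 shows that SUSE's php packages delete the bundled pcrelib and link the system pcre. The exposure question for a given host is therefore which libpcre the php binary actually uses and whether the JIT compile path is enabled. The POSIX shell script below is an added example, not part of this bug and not code from the pcre or php packages: it classifies a `PCRE_VERSION` string such as the `8.38 2015-11-23` shown above and, when a `php` binary is present, reports the library version and the `pcre.jit` setting. The cutoff of 8.41 as the first PCRE release containing revision 1680 is assumed here, as is the advice that `pcre.jit=0` keeps PHP off the crashing JIT path until a patched pcre package is installed.

```shell
#!/bin/sh
# Added example, not from the bug report or from the pcre/php packages.
# Classify the PCRE library a php binary is linked against and check whether
# the JIT compile path (pcre_jit_compile.c, where CVE-2017-6004 lives) is enabled.
#
# Assumption: revision 1680 first shipped in PCRE release 8.41, so any 8.x
# release below that minor number is treated as exposed.
FIXED_MINOR=41

# pcre_jit_status VERSION_STRING
# VERSION_STRING is what `php -r "echo PCRE_VERSION;"` prints, e.g. "8.38 2015-11-23".
# Prints "exposed" or "fixed".
pcre_jit_status() {
    ver=${1%% *}                # drop the release date -> "8.38"
    major=${ver%%.*}            # "8"
    minor=${ver#*.}             # "38" (or "38-RC1")
    minor=${minor%%[!0-9]*}     # keep only the leading digits
    case "$major" in
        8)
            if [ "$minor" -lt "$FIXED_MINOR" ]; then echo exposed; return 0; fi ;;
        [0-7])
            echo exposed; return 0 ;;
    esac
    # 8.41 and later carry the fix; 10.x is PCRE2, a separate code base not named by this CVE
    echo fixed
}

# audit_php_pcre: query the local php, print a verdict, return 1 if the
# exposed JIT path is live (old library AND pcre.jit enabled), 0 otherwise.
audit_php_pcre() {
    if ! command -v php >/dev/null 2>&1; then
        echo "php: not installed, nothing to audit"
        return 0
    fi
    ver=$(php -r 'echo PCRE_VERSION;')
    jit=$(php -r 'echo ini_get("pcre.jit");')     # "1" = enabled; "0" or empty = disabled
    status=$(pcre_jit_status "$ver")
    echo "php links PCRE $ver (pcre.jit=${jit:-off}): $status"
    if [ "$status" = exposed ] && [ -n "$jit" ] && [ "$jit" != 0 ]; then
        echo "mitigation: set pcre.jit=0 in php.ini until the patched pcre package is installed"
        return 1
    fi
    return 0
}

audit_php_pcre
AUDIT_RC=$?   # 1 means the vulnerable JIT path is reachable on this host
```

Run it on a host as-is; the verdict comes from the library version php reports at runtime, not from the php package version, which is exactly the distinction comment 1 draws. `pcre_jit_status` can also be fed a version string collected elsewhere (for example from a container image) without a local php.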
Comment 2 Swamp Workflow Management 2017-02-16 23:01:34 UTC
bugbot adjusting priority
Comment 3 Alexander Bergmann 2017-02-17 16:50:09 UTC
Therefore only pcre SLE-12 / openSUSE is affected.
Comment 4 Petr Gajdos 2017-02-20 07:39:23 UTC
(In reply to Andreas Stieger from comment #1)
> Affects pcre, not PHP.

Thanks for looking into it.
Comment 5 Stephan Kulow 2017-05-24 18:01:31 UTC
Trigger a version update as you need it; I have no intent to work on single pcre issues.
Comment 7 Marina Latini 2021-07-07 09:54:08 UTC
(In reply to junwei chen from comment #6)

Hello Junwei Chen,
this is Marina from the maintenance team.

> (In reply to Stephan Kulow from comment #5)
> > trigger a version update as you need it, I have no intent to work on single
> > pcre issues
> 
> Hi, I would like to ask when the next version of pcre will be released in
> SLES12 SP5. Huawei now needs this fix in SLES12 SP2 and SLES12 SP5.

Given that we have a customer asking for this specific fix, could you please start an L3 ticket?
Comment 8 junwei chen 2021-07-08 03:04:55 UTC
 
> given that we have a customer asking for this specific fix, could you please
> start a L3 ticket?

Thanks Marina, I have got the ptf.
Comment 9 Marina Latini 2021-07-08 06:54:54 UTC
(In reply to junwei chen from comment #8)
>  
> > given that we have a customer asking for this specific fix, could you please
> > start a L3 ticket?
> 
> Thanks Marina, I have got the ptf.

Hello,
I can't find the L3 reference in the Whiteboard field. Could you please share some more details?
Comment 10 junwei chen 2021-07-08 07:43:36 UTC
> I can't find the L3 reference in the Whiteboard field. could you please
> share some more details?

https://bugzilla.suse.com/show_bug.cgi?id=1187843
You can see it. Thanks.
Comment 11 Stephan Kulow 2021-07-08 12:58:08 UTC
That's a fix for tiff. How does that help?
Comment 12 junwei chen 2021-07-08 13:24:24 UTC
(In reply to Stephan Kulow from comment #11)
> That's a fix for tiff. How does that help?

It works fine. Thanks.
Comment 13 junwei chen 2021-10-14 07:52:04 UTC
(In reply to Stephan Kulow from comment #11)
> That's a fix for tiff. How does that help?

Sorry, I made a mistake. Do I need to open a bug for L3?
Comment 14 Marina Latini 2021-10-14 09:13:30 UTC
(In reply to junwei chen from comment #13)
> (In reply to Stephan Kulow from comment #11)
> > That's a fix for tiff. How does that help?
> 
> Sorry, I made a mistake. Do I need to open a bug for L3?

If your customer is still asking to have a fix, I suppose an L3 issue related to this bsc should be opened. In the whiteboard I can't see any reference to a SolidGround case.
Comment 15 junwei chen 2021-10-14 09:22:13 UTC
> in the whiteboard I can't see any reference to
> a SolidGround case.

Sorry, I don't understand the meaning. Would you help to open an L3?
Comment 16 Marina Latini 2021-10-15 07:05:40 UTC
(In reply to junwei chen from comment #15)
> > in the whiteboard I can't see any reference to
> > a SolidGround case.
> 
> Sorry, I don't understand the meaning. Would you help to open an L3?

Hello Junwei Chen,
I'm at maintenance; I can't open an L3 support case.

Sorry for the misunderstanding, 
Marina
Comment 21 Swamp Workflow Management 2021-11-10 20:29:54 UTC
SUSE-SU-2021:3652-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1025709,1030066,1030803,1030805,1030807,1172973,1172974
CVE References: CVE-2017-6004,CVE-2017-7186,CVE-2017-7244,CVE-2017-7245,CVE-2017-7246,CVE-2019-20838,CVE-2020-14155
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE OpenStack Cloud Crowbar 8 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE OpenStack Cloud 9 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE OpenStack Cloud 8 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    pcre-8.45-8.7.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP5 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2
SUSE Linux Enterprise High Availability 12-SP5 (src):    pcre-8.45-8.7.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    pcre-8.45-8.7.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    pcre-8.45-8.7.1
HPE Helion Openstack 8 (src):    pcre-8.45-8.7.1, selinux-policy-20140730-36.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.