Bugzilla – Bug 1164384
VUL-0: CVE-2019-20454: pcre2: out-of-bounds read in JIT mode when \X is used in non-UTF mode
Last modified: 2024-05-07 11:10:00 UTC
CVE-2019-20454

A flaw was found in libpcre. A buffer overread in JIT mode when \X is used in non-UTF mode may cause application crash and denial of service. The flaw is in function do_extuni_no_utf() in pcre2_jit_compile.c, which uses the macro GETCHARINC to read a character. However, in case there is an invalid UTF character the value read is too big, which causes an out-of-bounds read in the next statement, while executing macro UCD_GRAPHBREAK.

References:
https://bugs.exim.org/show_bug.cgi?id=2421
https://bugs.php.net/bug.php?id=78338

Upstream patch:
http://git.php.net/?p=php-src.git;a=commitdiff;h=8947fd9e9fdce87cd6c59817b1db58e789538fe9

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1735494
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20454
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20454.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20454
https://bugs.exim.org/show_bug.cgi?id=2421
https://bugs.php.net/bug.php?id=78338
https://vcs.pcre.org/pcre2?view=revision&revision=1092
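The description above gives the mechanism: in non-UTF mode every character is exactly one code unit, but GETCHARINC still takes the UTF-8 decoding path for any lead byte, so a byte such as \xF3 is combined with the bytes after it into a value far larger than any code unit, and that value is then used as a table index by UCD_GRAPHBREAK. The C program below is an added example written for this page, not PCRE2's code: it models both decoders (the unchecked UTF-style one and the one-code-unit read the upstream fix uses) on the reproducer's subject string, with a bounds-checked property lookup, so a reader can see which read yields an index the table cannot hold and where the multi-byte path wants bytes beyond the end of the subject. The 256-entry table, the struct and function names and the simplified decoder are assumptions of this model; the real UCD tables and macros are larger and more involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Everything below is a constructed model for illustration, not PCRE2 code. */

/* In 8-bit non-UTF mode a character is one code unit, so a per-character
   property table only needs 256 entries (model assumption). */
#define NON_UTF_TABLE_SIZE 256u
static const uint8_t graphbreak_model[NON_UTF_TABLE_SIZE] = { 0 };

/* Bounds-checked lookup: returns the property, or -1 if c cannot index the
   table. An unchecked lookup is what an oversized c turns into a wild read. */
int graphbreak_lookup(uint32_t c)
{
    if (c >= NON_UTF_TABLE_SIZE) return -1;
    return graphbreak_model[c];
}

/* Result of decoding one character from the subject. */
struct decoded {
    uint32_t value;    /* value handed to the property lookup */
    size_t   consumed; /* bytes actually read (this model never reads past end) */
    size_t   overrun;  /* bytes the decoder wanted beyond end */
};

/* Model of the UTF-8 path GETCHARINC takes: a lead byte >= 0xC0 is combined
   with the following bytes as continuation bytes, with no validation.
   Missing bytes are not read here; they are counted in 'overrun' instead. */
struct decoded decode_as_utf8(const uint8_t *p, const uint8_t *end)
{
    struct decoded d = { *p, 1, 0 };
    if (d.value < 0xC0) return d;

    /* Sequence length from the lead byte: C0-DF=2, E0-EF=3, F0-F7=4,
       F8-FB=5, FC-FF=6 bytes in total. */
    unsigned extra;
    if ((d.value & 0x20) == 0) extra = 1;
    else if ((d.value & 0x10) == 0) extra = 2;
    else if ((d.value & 0x08) == 0) extra = 3;
    else if ((d.value & 0x04) == 0) extra = 4;
    else extra = 5;

    static const uint32_t lead_bits[] = { 0, 0x1F, 0x0F, 0x07, 0x03, 0x01 };
    uint32_t c = d.value & lead_bits[extra];
    for (unsigned i = 0; i < extra; i++) {
        if (p + 1 + i < end) {
            c = (c << 6) | (p[1 + i] & 0x3F);
            d.consumed++;
        } else {
            c <<= 6;       /* real unchecked code would read past the subject here */
            d.overrun++;
        }
    }
    d.value = c;
    return d;
}

/* The path the upstream patch switches to: one code unit is one character,
   so the value is always below 256 and always a valid table index. */
struct decoded decode_non_utf(const uint8_t *p, const uint8_t *end)
{
    (void)end;
    struct decoded d = { *p, 1, 0 };
    return d;
}

/* Subject string from the pcre2test reproducer in this report, constructed
   here as a byte array: \xF3aaa\xE4\xEA\xEB\xFEa */
static const uint8_t subject[] = {
    0xF3, 'a', 'a', 'a', 0xE4, 0xEA, 0xEB, 0xFE, 'a'
};
#define SUBJECT_LEN (sizeof subject)

/* Walk the subject with the given decoder and return the offset of the first
   character whose lookup would be out of bounds, or -1 if there is none. */
int first_oob_position(struct decoded (*decode)(const uint8_t *, const uint8_t *))
{
    const uint8_t *p = subject, *end = subject + SUBJECT_LEN;
    while (p < end) {
        struct decoded d = decode(p, end);
        if (graphbreak_lookup(d.value) < 0) return (int)(p - subject);
        p += d.consumed;
    }
    return -1;
}

int main(void)
{
    printf("utf-style decode: first out-of-bounds lookup at offset %d\n",
           first_oob_position(decode_as_utf8));
    printf("non-utf decode:   first out-of-bounds lookup at offset %d\n",
           first_oob_position(decode_non_utf));
    return 0;
}
```

With the UTF-style decoder the very first byte (\xF3) already produces an index the table cannot hold, and the trailing \xFE asks for four bytes that do not exist; with the one-code-unit read every value stays below 256 and the walk completes. That is the whole difference the upstream one-line change makes.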
Only pcre2 is affected. The fix can be found at [1] along with some test cases at [2].

Reproduced the issue by running the following:

  gdb pcre2test
  (gdb) run -jit $POC

OUTPUT:

  Starting program: /usr/bin/pcre2test -jit pcretest
  Missing separate debuginfos, use: zypper install glibc-debuginfo-2.26-lp151.18.7.x86_64
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib64/libthread_db.so.1".
  PCRE2 version 10.31 2018-02-12
  #newline_default lf anycrlf any
  #perltest
  /\X*/
  \xF3aaa\xE4\xEA\xEB\xFEa

  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff79382eb in do_extuni_no_utf (args=<optimized out>, cc=0x5555557944a4 "") at src/pcre2_jit_compile.c:7281
  7281      lgb = UCD_GRAPHBREAK(c);

Alternatively running with valgrind will throw:

  Invalid read of size 1
  ==8904==    at 0x508E593: do_extuni_no_utf (pcre2_jit_compile.c:7280)

[1] https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_jit_compile.c?r1=1092&r2=1091&pathrev=1092
[2] https://vcs.pcre.org/pcre2?view=revision&revision=1091
Created attachment 830707 [details] POC
Tracked pcre2 in SLE15 as affected. PHP could have potentially been affected by this, but pcre2 is included in versions 7.3 and on. The issue had been fixed in PHP versions 7.3.8 and 7.4. However, none of our PHP versions are among the affected versions.
At present, Leap 15.2 seems to be affected.

  ~> rpm -qa libpcre2*
  libpcre2-8-0-10.31-lp152.3.9.x86_64
  libpcre2-16-0-10.31-lp152.3.9.x86_64
  ~> rpm -q --qf '%{disturl}' libpcre2-8-0-10.31-lp152.3.9.x86_64
  obs://build.opensuse.org/openSUSE:Leap:15.2/standard/24bc55cc557ddb378880b0bba3cb5887-pcre2
  ~> rpm -q --qf '%{disturl}' libpcre2-16-0-10.31-lp152.3.9.x86_64
  obs://build.opensuse.org/openSUSE:Leap:15.2/standard/24bc55cc557ddb378880b0bba3cb5887-pcre2

  osc co -r 24bc55cc557ddb378880b0bba3cb5887 openSUSE:Leap:15.2 pcre2

This contains the affected version of pcre2-10.31/src/pcre2_jit_compile.c. I don't see a patch that contains the fix. Please bring this fix into Leap 15.2.
This is the commit in question and it was introduced in pcre2-10.34. commit 342c16ecd31bd12fc350ee31d2dcc041832ebb3f Author: Philip.Hazel <Philip.Hazel@gmail.com> Date: Mon May 13 16:38:18 2019 +0000 Forgot this file in previous commit. Fixes JIT non-UTF bug. diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c index ae0fbcf..a19ce8b 100644 --- a/src/pcre2_jit_compile.c +++ b/src/pcre2_jit_compile.c @@ -8571,7 +8571,10 @@ int lgb, rgb, ricount; PCRE2_SPTR bptr; uint32_t c; -GETCHARINC(c, cc); +/* Patch by PH */ +/* GETCHARINC(c, cc); */ + +c = *cc++; #if PCRE2_CODE_UNIT_WIDTH == 32 if (c >= 0x110000) return NULL;
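Review bot: the replaced call is left in the file as a commented-out line (`/* GETCHARINC(c, cc); */`) under a `/* Patch by PH */` marker; dropping both and keeping only `c = *cc++;` with a short comment saying that this function runs in non-UTF mode, where one code unit is one character, would keep the reason for the change in the source rather than only in history. The `if (c >= 0x110000) return NULL;` guard in the trailing context still covers only the 32-bit build; with the direct read, the 8-bit and 16-bit cases are bounded by the code unit width, which is what makes the one-line change sufficient there. The commit message ("Forgot this file in previous commit") would also benefit from a reference to the commit that carries the test data, since the fix and its test are in separate commits.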
Only SUSE:SLE-12:Update/pcre2 is affected. @Jason, any update on this?
(In reply to Gabriele Sonnu from comment #7)
> Only SUSE:SLE-12:Update/pcre2 is affected.
>
> @Jason, any update on this?

Alexander's patch (from comment #5) is correct. There is also another patch labeled "Fix crash when \X is used without UTF in JIT" that contains test data, but no fix. The fix and the test are here:

- https://github.com/PCRE2Project/pcre2/commit/342c16ecd31bd12fc350ee31d2dcc041832ebb3f
- https://github.com/PCRE2Project/pcre2/commit/e118e60a68f03f38dd2ff3d16ca2e2e0d800e1d9

Also, this fix was introduced in pcre2 version 10.34, so only versions below that are affected by this issue. Interestingly, SLE-15 contains the older, affected version whereas SLE-12 has the newer, unaffected version. Anyway, a fix for SLE-15 has been submitted.

| Stream                 | Version | Status                    |
|------------------------+---------+---------------------------|
| SUSE:SLE-12:Update     | 10.34   | Not Affected              |
| SUSE:SLE-15:Update     | 10.31   | created request id 276067 |
| SUSE:SLE-15-SP4:Update | 10.39   | Not Affected              |

No version bump is necessary, I believe.
SUSE-SU-2022:2649-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1164384,1199235
CVE References: CVE-2019-20454,CVE-2022-1587
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): pcre2-10.31-150000.3.12.1
SUSE Manager Server 4.1 (src): pcre2-10.31-150000.3.12.1
SUSE Manager Retail Branch Server 4.1 (src): pcre2-10.31-150000.3.12.1
SUSE Manager Proxy 4.1 (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server for SAP 15 (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Server 15-LTSS (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Micro 5.2 (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise Micro 5.1 (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): pcre2-10.31-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): pcre2-10.31-150000.3.12.1
SUSE Enterprise Storage 7 (src): pcre2-10.31-150000.3.12.1
SUSE Enterprise Storage 6 (src): pcre2-10.31-150000.3.12.1
SUSE CaaS Platform 4.0 (src): pcre2-10.31-150000.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done. Assigning to Security Team.
openSUSE-SU-2022:2649-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1164384,1199235
CVE References: CVE-2019-20454,CVE-2022-1587
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): pcre2-10.31-150000.3.12.1
I'm currently on Leap 15.4 and I have the fixes, thanks. I'm happy to close this.