https://bugs.exim.org/show_bug.cgi?id=1889
Bug ID: 1889
Summary: PCRE2 Heap Overflow Vulnerability
Product: PCRE
Version: 10.22 (PCRE2)
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: fumfi....@gmail.com
CC: pcre-dev@exim.org

Created attachment 922
--> https://bugs.exim.org/attachment.cgi?id=922&action=edit
POC to trigger buffer overflow (pcre2test)

The PCRE2 library is prone to a vulnerability that leads to a heap overflow.

Affected:
- PCRE2 version 10.23-RC1 2016-08-01 (cloned from SVN today)
- PCRE2 version 10.22 2016-07-29
- Other applications may also be affected

To reproduce the problem (pcre2test):

pcre2test bufover_1_min /dev/null

Valgrind output:

==11068== Memcheck, a memory error detector
==11068== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11068== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==11068== Command: pcre2test /root/buffover_1_min /dev/null
==11068==
**11068** *** memcpy_chk: buffer overflow detected ***: program terminated
==11068==    at 0x4C3085C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11068==    by 0x4C3544A: __memcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11068==    by 0x4E42861: memcpy (string3.h:53)
==11068==    by 0x4E42861: compile_branch (pcre2_compile.c:5232)
==11068==    by 0x4E42861: compile_regex (pcre2_compile.c:7708)
==11068==    by 0x4E46D66: pcre2_compile_8 (pcre2_compile.c:8678)
==11068==    by 0x409F96: process_pattern (pcre2test.c:4996)
==11068==    by 0x409F96: main (pcre2test.c:7665)
==11068==
==11068== HEAP SUMMARY:
==11068==     in use at exit: 101,840 bytes in 11 blocks
==11068==   total heap usage: 13 allocs, 2 frees, 110,032 bytes allocated
==11068==
==11068== LEAK SUMMARY:
==11068==    definitely lost: 0 bytes in 0 blocks
==11068==    indirectly lost: 0 bytes in 0 blocks
==11068==      possibly lost: 0 bytes in 0 blocks
==11068==    still reachable: 101,840 bytes in 11 blocks
==11068==         suppressed: 0 bytes in 0 blocks
==11068== Rerun with --leak-check=full to see details of leaked memory
==11068==
==11068== For counts of detected and suppressed errors, rerun with: -v
==11068== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Regards,
Kamil Frankowicz

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
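A triage helper for traces like the one in this report, added here and not part of the report or of PCRE2: it parses the Valgrind frames, picks out which FORTIFY_SOURCE check fired, and returns the innermost frame inside the library's own sources, so the fault is attributed to compile_branch in pcre2_compile.c rather than to the memcpy wrapper frames above it. The `pcre2_` source-file prefix is an assumption about the project's file naming.

```python
import re
from collections import namedtuple

# Stack trace quoted in the report above, one frame per line (copied from the report, not constructed).
REPORT_TRACE = """\
**11068** *** memcpy_chk: buffer overflow detected ***: program terminated
==11068==    at 0x4C3085C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11068==    by 0x4C3544A: __memcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11068==    by 0x4E42861: memcpy (string3.h:53)
==11068==    by 0x4E42861: compile_branch (pcre2_compile.c:5232)
==11068==    by 0x4E42861: compile_regex (pcre2_compile.c:7708)
==11068==    by 0x4E46D66: pcre2_compile_8 (pcre2_compile.c:8678)
==11068==    by 0x409F96: process_pattern (pcre2test.c:4996)
==11068==    by 0x409F96: main (pcre2test.c:7665)
"""

# "==PID==  at|by 0xADDR: function (file:line)"  or  "... function (in /path/to/object)"
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\((.+)\)\s*$")
FORTIFY_RE = re.compile(r"\*\*\* (\w+): buffer overflow detected \*\*\*")

# source/line are None when only the object path is known; module is None when file:line is known
Frame = namedtuple("Frame", "function source line module")

def parse_trace(text):
    """Return the Valgrind stack frames found in text, innermost first."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if not m:
            continue
        func, loc = m.groups()
        if loc.startswith("in "):          # no debug info: only the shared object path
            frames.append(Frame(func, None, None, loc[3:]))
        else:                              # "file.c:NNN"
            src, _, line = loc.rpartition(":")
            frames.append(Frame(func, src, int(line), None))
    return frames

def fortified_function(text):
    """Name of the checked libc call that aborted (e.g. 'memcpy_chk'), or None."""
    m = FORTIFY_RE.search(text)
    return m.group(1) if m else None

def first_project_frame(frames, source_prefix):
    """Innermost frame in the project's sources; skips the Valgrind interposer and libc wrapper frames."""
    for f in frames:
        if f.source and f.source.startswith(source_prefix):
            return f
    return None
```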