[Secure-testing-team] Bug#783285: pcre3: CVE-2015-2326: heap buffer overflow in pcre_compile2()

Salvatore Bonaccorso carnil at debian.org
Sat Apr 25 08:36:58 UTC 2015


Source: pcre3
Version: 2:8.35-3.3
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for pcre3.

CVE-2015-2326[0]:
heap buffer overflow in pcre_compile2()

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

It seems to be caused as a side effect of some refactoring between
8.33 and 8.35, and an invalid read can be reproduced. Upstream report [1]
has a detailed explanation.

| ==15750== Memcheck, a memory error detector
| ==15750== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
| ==15750== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
| ==15750== Command: .libs/pcretest
| ==15750==
| PCRE version 8.35 2014-04-04
| 
|   re> /((?+1)(\1))/
| ==15750== Invalid read of size 1
| ==15750==    at 0x4E3863D: could_be_empty_branch (pcre_compile.c:2395)
| ==15750==    by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468)
| ==15750==    by 0x4E388CA: could_be_empty_branch (pcre_compile.c:2468)
| ==15750==    by 0x4E4523C: pcre_compile2 (pcre_compile.c:9462)
| ==15750==    by 0x4E439B3: pcre_compile (pcre_compile.c:8734)
| ==15750==    by 0x10EC7B: main (pcretest.c:4023)
| ==15750==  Address 0x58a39a2 is 32,914 bytes inside an unallocated block of size 4,093,648 in arena "client"
| ==15750==
| data> abc
| No match
| data>
| ==15750==
| ==15750== HEAP SUMMARY:
| ==15750==     in use at exit: 0 bytes in 0 blocks
| ==15750==   total heap usage: 9 allocs, 9 frees, 133,767 bytes allocated
| ==15750==
| ==15750== All heap blocks were freed -- no leaks are possible
| ==15750==
| ==15750== For counts of detected and suppressed errors, rerun with: -v
| ==15750== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-2326
[1] http://bugs.exim.org/show_bug.cgi?id=1592

Regards,
Salvatore


