[pcre-dev] [Bug 1515] New: PCRE Call Stack Overflow Vulnerab…

Author: hhjack
Date:  
To: pcre-dev
New-Topics: [pcre-dev] [Bug 1515] PCRE Call Stack Overflow Vulnerability
Subject: [pcre-dev] [Bug 1515] New: PCRE Call Stack Overflow Vulnerability
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1515
           Summary: PCRE Call Stack Overflow Vulnerability
           Product: PCRE
           Version: 8.35
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
        AssignedTo: ph10@???
        ReportedBy: rubymail@???
                CC: pcre-dev@???



Created an attachment (id=745)
--> (http://bugs.exim.org/attachment.cgi?id=745)
regular expression to reproduce the crash

PCRE Call Stack Overflow Vulnerability
------------------------------------------------------------------
I. Summary
The PCRE library is prone to a vulnerability that leads to a stack overflow. Without
sufficient bounds checking inside compile_regex(), a crafted regular expression
drives the compiler into unbounded recursion and exhausts the call stack (see section
II). Since the PCRE library is widely used, this vulnerability is likely to affect many
applications. An attacker can exploit the issue to crash the affected application,
causing a denial of service for the user running it.
------------------------------------------------------------------
II. Description
PCRE is a regular expression C library inspired by the regular expression
capabilities of the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, the Apache HTTP
Server, the Nginx HTTP server and the PHP scripting language. The latest version of
PCRE (8.35 at the time of this report) is prone to a stack overflow that can be
triggered by the following regular expression.

/((?(R)a|(?1)))*/

To reproduce the problem, use pcretest, which ships with the PCRE library, or an
application that embeds PCRE, such as PHP.
For pcretest, simply type the regular expression at the re> prompt; the pattern is
compiled as soon as it is entered, so no subject string is needed to trigger the crash.
For PHP, the latest 5.5/5.6 releases (bundled with PCRE 8.35) can be crashed with the
following code snippet.

<?php
// The crash happens while compiling the pattern, so the subject string is irrelevant.
preg_match("/((?(R)a|(?1)))*/", "abcd", $arr);
?>

Other versions and applications may also be affected. Although this pattern also causes
could_be_empty_branch() to recurse without bound, it is a different bug from
http://bugs.exim.org/show_bug.cgi?id=1503.
------------------------------------------------------------------
III. Impact
Stack overflow: unbounded recursion exhausts the call stack and the affected process
crashes (denial of service).
------------------------------------------------------------------
IV. Affected
The latest version of the PCRE library (8.35).
Other versions and applications may also be affected.
------------------------------------------------------------------
V. Solution
There is no known workaround at this time.
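The report gives no fix, but a process that compiles untrusted patterns can still avoid being taken down by this class of bug: compile in a forked child with a capped stack, and treat a signal death of the child as a compile failure. The harness below is an added example written for this page and is not code from the bug report or from PCRE. `guarded_compile` is generic; `stub_compile` and `runaway_walk` are stand-ins (assumptions for illustration) that mimic the reported failure mode, recursing without a base case for the crafted pattern, where real code would wrap `pcre_compile()` instead. It assumes a POSIX system where stack exhaustion kills the child with SIGSEGV (or SIGBUS).

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result of compiling a pattern inside the guarded child. */
typedef enum {
    COMPILE_OK,        /* child accepted the pattern and exited 0 */
    COMPILE_REJECTED,  /* child reported an ordinary compile error */
    COMPILE_CRASHED,   /* child died from a signal, e.g. SIGSEGV on stack exhaustion */
    COMPILE_ERROR      /* fork/wait failed in the parent */
} compile_outcome;

/* Any compiler of this shape can be plugged in; in real use this would wrap
 * pcre_compile() and return 0 when it yields a compiled pattern. */
typedef int (*compile_fn)(const char *pattern);

/* Stack cap for the child: generous for legitimate patterns, small enough
 * that runaway recursion dies quickly instead of after the default 8 MB. */
#define CHILD_STACK_BYTES (1024 * 1024)

/* Compile `pattern` with `fn` in a forked child whose stack is capped. A crash
 * in the child is reported via the return value and *term_signal; the parent
 * is never affected. */
compile_outcome guarded_compile(compile_fn fn, const char *pattern, int *term_signal)
{
    if (term_signal) *term_signal = 0;
    pid_t pid = fork();
    if (pid < 0) return COMPILE_ERROR;
    if (pid == 0) {
        struct rlimit rl = { CHILD_STACK_BYTES, CHILD_STACK_BYTES };
        setrlimit(RLIMIT_STACK, &rl);   /* best effort; recursion still dies at the default cap */
        _exit(fn(pattern) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return COMPILE_ERROR;
    if (WIFSIGNALED(status)) {
        if (term_signal) *term_signal = WTERMSIG(status);
        return COMPILE_CRASHED;
    }
    if (WIFEXITED(status)) return WEXITSTATUS(status) == 0 ? COMPILE_OK : COMPILE_REJECTED;
    return COMPILE_ERROR;
}

/* Stand-in for the failing code path (an assumption for this example, not
 * PCRE's could_be_empty_branch()): a recursive walk with no base case, so
 * every level adds a frame until the kernel kills the process. */
static int runaway_walk(const char *p, unsigned depth)
{
    volatile char frame[256];              /* force a real stack frame per level */
    frame[0] = p[depth % strlen(p)];
    return runaway_walk(p, depth + 1) + frame[0];
}

/* Stand-in compiler: an empty pattern is "rejected", a pattern containing the
 * recursion condition "(?(R)" from the report is walked without bound, and
 * anything else is "accepted". Real code would call pcre_compile() here. */
int stub_compile(const char *pattern)
{
    if (pattern[0] == '\0') return 1;
    if (strstr(pattern, "(?(R)") != NULL) return runaway_walk(pattern, 0);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a benign pattern and the crafted one from the report. */
    const char *patterns[] = { "abc+d", "((?(R)a|(?1)))*" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        int sig = 0;
        compile_outcome r = guarded_compile(stub_compile, patterns[i], &sig);
        printf("%-20s -> outcome %d, signal %d\n", patterns[i], (int)r, sig);
    }
    return 0;
}
```

Forking per compile costs little next to the cost of a crash and keeps the parent's heap untouched; the alternative of running the compiler on a thread with a small stack still leaves the whole process exposed, because a stack fault on any thread is fatal to all of them.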
------------------------------------------------------------------
VI. Credit
Wen Guanxing from Venustech is credited for this vulnerability.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email