[pcre-dev] [Bug 2568] Error messages (DSN) are inconsistent …

Startseite
Nachricht löschen
Autor: admin
Datum:  
To: pcre-dev
Betreff: [pcre-dev] [Bug 2568] Error messages (DSN) are inconsistent and misleading
https://bugs.exim.org/show_bug.cgi?id=2568

rapepav820 <rapepav820@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED


--- Comment #3 from rapepav820 <rapepav820@???> ---
(In reply to Heiko Schlichting from comment #2)
> I insist that it is a bug.
>
> Commit message for 436bda2 also worries about "leaked information of the
> results of local forwarding", but this information is already in the
> text/plain part and there is no "leak" at all.
>
> And it is not "mailbox address of the recipient ... as it was when the
> Reporting MTA accepted the message for delivery." anyway, because there was
> only one recipient but there are multiple lines with all the same addresse
> per recipient after local processing (in my example there are two lines but
> there could be much more for long lists of recipients). And RFC 3464 says:
> "The Final-Recipient address may differ from the address originally provided
> by the sender". If Exim wants to show the unmodified address it should
> provide "Original-Recipient" (RFC 3464, 2.3.1) in addition(!). For
> "Original-Recipient" it would be correct to use the parent address but only
> once in my example.
>
> And this causes real problems if MTAs (like Exchange) only show the
> message/delivery-status part an strips the other text. While this is not a
> good idea at all (and not Exims fault), Exim should generate helpful and
> consistent DSNs with the same addresses in both parts. A for the sender (and
> the postmaster) it is important which address really fails, and this is NOT
> the parent address at all.
>
> Think of a large list of recipients and lists in lists. My example was very
> basic and stripped to the absolute minimum. In more realistic situations it
> is impossible to determine the failed addresses from the
> message/delivery-status part. This is not the idea of a DSN or RFC 3464.


The latest version of PCRE (pcre2-10.34-RC1, pcre2-10.33) is prone to a stack
http://www.sprite-ideas.com/
overflow vulnerability in internal_dfa_match() (pcre2_dfa_match.c) which can be
triggered using a crafted regular expression. Upon execution of the crafted
regular expression, the function internal_dfa_match() calls itself recursively,
resulting into uncontrolled recursion. It exceeds the stack size limit (8 MB),
finally resulting into stack exhaustion. An attacker can potentially exploit
this issue to perform remote code execution or denial of service attack.

=====================
Output of ASAN compiled library (-fsanitize=address)

Run as: ./pcre2test sbovf-input (attached herewith)
http://www.componentanalysis.org/

--------------------
ASAN:DEADLYSIGNAL

==17245==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7feff8 (pc
0x5555555afcc7 bp 0x7fffff7ff4b0 sp 0x7fffff7fefe0 T0)
    #0 0x5555555afcc6 in internal_dfa_match src/pcre2_dfa_match.c:2859
    #1 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #2 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
http://www.environmentaleducationnews.com/
    #3 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #4 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #5 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #6 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #7 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
http://toscanoandsonsblog.com/
    #8 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #9 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #10 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    ...
    <skipped>
    ...
    #240 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #241 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
http://www.mic-sound.net/
    #242 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #243 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #244 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
http://www.craftpatternwarehouse.com/
    #245 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #246 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #247 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #248 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #249 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871
    #250 0x5555555b4020 in internal_dfa_match src/pcre2_dfa_match.c:2871






SUMMARY: AddressSanitizer: stack-overflow src/pcre2_dfa_match.c:2859 in
internal_dfa_match http://www.slipstone.co.uk/
==17245==ABORTING

====================
With gdb
--------------------
$ gdb ./pcre2test http://www.bigeasydesarucoast.com/

(gdb) r sbovf-input
Program received signal SIGSEGV, Segmentation fault.
0x00005555555aaab4 in internal_dfa_match (mb=mb@entry=0x7fffffff5800,
this_start_code=this_start_code@entry=0x611000000acf "\210", 
    current_subject=current_subject@entry=0x629000002eb1 '\200' <repeats 200
times>..., http://matslideborg.com/
start_offset=start_offset@entry=6522, offsets=offsets@entry=0x7fffec780030,
offsetcount=offsetcount@entry=1000, https://www.hr-itconsulting.tech/




http://www.izidil.com/ workspace=0x7fffec781f70, wscount=1000,
rlevel=6522, RWS=0x7fffeb8c5800) at src/pcre2_dfa_match.c:533
http://padreislandtv.com/




The latest version of PCRE (pcre2-10.34-RC1, pcre2-10.33) is prone to a stack
overflow vulnerability http://www.dontfuckwiththeearth.com/ in
internal_dfa_match()
(pcre2_dfa_match.c) which can be triggered using a crafted regular expression.
Upon execution of the crafted regular expression, the function
internal_dfa_match() http://openbsdvps.net/ calls itself recursively,
resulting into uncontrolled recursion. http://www.artofcharlesgriffith.com/It
exceeds the stack size limit (8 MB),
finally resulting into stack exhaustion. An attacker can potentially exploit
this issue to perform http://www.griintravel.com/ remote code execution or
denial
of service attack.

SOURCE
http://www.lanavebruja.com/
http://www.nzhorses.co.nz/
http://www.heurisko.co.nz/
http://www.totalregistrations.co/
https://www.waterspumpingservices.co.nz
http://fb.tiranna.org/
http://fb.tiranna.org/essences.html
https://www.laikadesign.net/
http://www.osubg.org/
http://www.english-for-winners.com/

--
You are receiving this mail because:
You are on the CC list for the bug.