Debian Bug report logs - #324531
pcre3: CAN-2005-2491


Package: pcre3; Maintainer for pcre3 is Mark Baker <mark@mnb.org.uk>;

Reported by: Adrian Bunk <bunk@stusta.de>

Date: Mon, 22 Aug 2005 16:33:03 UTC

Severity: critical

Tags: etch, patch, sarge, security, sid, woody

Found in versions pcre3/4.5-1.2, pcre3/5.0-1.1, pcre3/3.4-1.1

Fixed in version pcre3/6.3-1

Done: Mark Baker <mark@mnb.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Adrian Bunk <bunk@stusta.de>:
New Bug report received and forwarded. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #5 received at submit@bugs.debian.org:

From: Adrian Bunk <bunk@stusta.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcre3: CAN-2005-2491
Date: Mon, 22 Aug 2005 18:15:53 +0200
Package: pcre3
Severity: critical
Tags: security, woody, sarge, etch, sid


It should be checked which of the versions in unstable/testing,
stable and oldstable might be affected by CAN-2005-2491
(PCRE Heap Overflow May Let Users Execute Arbitrary Code).



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Sven Mueller <debian@incase.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #10 received at 324531@bugs.debian.org:

From: Sven Mueller <debian@incase.de>
To: Debian Bug Tracking System <324531@bugs.debian.org>
Subject: pcre3: Version in stable (4.5-1.2) affected, patch attached
Date: Mon, 22 Aug 2005 20:11:51 +0200
[Message part 1 (text/plain, inline)]
Package: pcre3
Followup-For: Bug #324531

Patch extracted from difference between upstream versions 6.0 and 6.1,
modified to patch version 4.5. Patch is attached.

Regards,
Sven


-- System Information:
Debian Release: 3.1
  APT prefers experimental
  APT policy: (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
[pcre3-CAN-2005-2491.diff (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Sven Mueller <debian@incase.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #15 received at 324531@bugs.debian.org:

From: Sven Mueller <debian@incase.de>
To: Debian Bug Tracking System <324531@bugs.debian.org>
Subject: pcre3: testing, unstable also affected
Date: Mon, 22 Aug 2005 20:14:42 +0200
Package: pcre3
Followup-For: Bug #324531

Same patch as in my previous mail also works for 5.0-1.1

Regards,
Sven

-- System Information:
Debian Release: 3.1
  APT prefers experimental
  APT policy: (400, 'experimental'), (90, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)




Bug marked as found in version 4.5-1.2. Request was from Sven Mueller <debian@incase.de> to control@bugs.debian.org.

Bug marked as found in version 5.0-1.1. Request was from Sven Mueller <debian@incase.de> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Sven Mueller <sm@ciphirelabs.com>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #24 received at 324531@bugs.debian.org:

From: Sven Mueller <sm@ciphirelabs.com>
To: 324531@bugs.debian.org
Subject: Additional note: unstable seems unaffected
Date: Mon, 22 Aug 2005 21:29:13 +0200
Hi.

The code used to actually parse regular expressions seems to be
completely different in pcre3-3.4-1.1 (version in oldstable), so it is
likely oldstable is not affected by this bug. But I can't tell for sure.

At the very least the fix will definitely need to be modified, something
I won't be able to do in a timely manner.

Regards,
Sven
-- 
"Writing a book is like washing an elephant: there's no good
 place to begin or end, and it's hard to keep track of what
 you've already covered."  -- Anonymous






Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Mark Baker <mark@p4-7014.uk2net.com>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #29 received at 324531@bugs.debian.org:

From: Mark Baker <mark@p4-7014.uk2net.com>
To: 324531@bugs.debian.org, security@debian.org
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Date: Mon, 22 Aug 2005 21:52:41 +0100
On Mon, Aug 22, 2005 at 06:15:53PM +0200, Adrian Bunk wrote:

> It should be checked which of the versions in unstable/testing,
> stable and oldstable might be affected by CAN-2005-2491
> (PCRE Heap Overflow May Let Users Execute Arbitrary Code).

I'm away on business until wednesday night; if anything needs doing
urgently it would be good if someone else could deal with it.



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #34 received at 324531@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Adrian Bunk <bunk@stusta.de>, 324531@bugs.debian.org
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Date: Mon, 22 Aug 2005 19:43:53 -0400
[Message part 1 (text/plain, inline)]
Adrian Bunk wrote:
> It should be checked which of the versions in unstable/testing,
> stable and oldstable might be affected by CAN-2005-2491
> (PCRE Heap Overflow May Let Users Execute Arbitrary Code).

Which is unfortunately still marked as "reserved" in the CVE db, so I
don't have any more info about it. URL?

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Adrian Bunk <bunk@stusta.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #39 received at 324531@bugs.debian.org:

From: Adrian Bunk <bunk@stusta.de>
To: Joey Hess <joeyh@debian.org>
Cc: 324531@bugs.debian.org
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Date: Tue, 23 Aug 2005 02:54:40 +0200
On Mon, Aug 22, 2005 at 07:43:53PM -0400, Joey Hess wrote:
> Adrian Bunk wrote:
> > It should be checked which of the versions in unstable/testing,
> > stable and oldstable might be affected by CAN-2005-2491
> > (PCRE Heap Overflow May Let Users Execute Arbitrary Code).
> 
> Which is unfortunately still marked as "reserved" in the CVE db, so I
> don't have any more info about it. URL?

  http://www.securitytracker.com/alerts/2005/Aug/1014744.html

> see shy jo

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Sven Mueller <sven@incase.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #44 received at 324531@bugs.debian.org:

From: Sven Mueller <sven@incase.de>
To: Joey Hess <joeyh@debian.org>, 324531@bugs.debian.org
Cc: Adrian Bunk <bunk@stusta.de>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Date: Tue, 23 Aug 2005 12:39:51 +0200
Joey Hess wrote on 23/08/2005 01:43:
> Adrian Bunk wrote:
> 
>>It should be checked which of the versions in unstable/testing,
>>stable and oldstable might be affected by CAN-2005-2491
>>(PCRE Heap Overflow May Let Users Execute Arbitrary Code).
> 
> 
> Which is unfortunately still marked as "reserved" in the CVE db, so I
> don't have any more info about it. URL?
> 

http://www.securitytracker.com/alerts/2005/Aug/1014744.html



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #49 received at 324531@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 324531@bugs.debian.org, Sven Mueller <debian@incase.de>
Subject: pcre3: CAN-2005-2491
Date: Tue, 23 Aug 2005 23:15:04 +0200
Hi,

> Patch extracted from difference between upstream versions 6.0 and
> 6.1, modified to patch version 4.5. Patch is attached.

While the issue corresponding to your patch should be fixed as well, 
this is not the patch for CAN-2005-2491. The securitytracker page 
states that 6.1 and prior versions are vulnerable. One needs to look 
at the differences between 6.1 and 6.2. The relevant changes are a 
bit larger.


Cheers,
Stefan



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #54 received at 324531@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 324531@bugs.debian.org
Cc: security@debian.org
Subject: pcre3: patch for CAN-2005-2491
Date: Wed, 24 Aug 2005 14:12:40 +0200
[Message part 1 (text/plain, inline)]
Hi!

Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:

  http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Sven Mueller <debian@incase.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #59 received at 324531@bugs.debian.org:

From: Sven Mueller <debian@incase.de>
To: Stefan Fritsch <sf@sfritsch.de>, 324531@bugs.debian.org
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Date: Wed, 24 Aug 2005 14:52:41 +0200
[Message part 1 (text/plain, inline)]
Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.

You are right. I was confused because the pcre homepage still says 6.1
is the latest version. Working on the real fix now.

cu,
sven
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Sven Mueller <debian@incase.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #64 received at 324531@bugs.debian.org:

From: Sven Mueller <debian@incase.de>
To: Stefan Fritsch <sf@sfritsch.de>, 324531@bugs.debian.org
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Date: Wed, 24 Aug 2005 15:20:46 +0200
[Message part 1 (text/plain, inline)]
Stefan Fritsch wrote on 23/08/2005 23:15:
>>Patch extracted from difference between upstream versions 6.0 and
>>6.1, modified to patch version 4.5. Patch is attached.
>
> While the issue corresponding to your patch should be fixed as well,
> this is not the patch for CAN-2005-2491. The securitytracker page
> states that 6.1 and prior versions are vulnerable. One needs to look
> at the differences between 6.1 and 6.2. The relevant changes are a
> bit larger.

Alright, this time I attach the correct patches (only source patches, no
debian changelog entry) for all three versions of libpcre3 currently in
the archive (3.4, 4.5, 5.0). I could prepare a NMU, but as I
am no DD, I would need a sponsor for that (plus I don't really know how
to do the security-NMU to stable/oldstable anyhow - yet).

cu,
sven
[pcre3-4.5-CAN2005-2491.diff (text/plain, inline)]
diff -ur pcre3-4.5.orig/pcre.c pcre3-4.5/pcre.c
--- pcre3-4.5.orig/pcre.c	2003-12-10 17:45:44.000000000 +0100
+++ pcre3-4.5/pcre.c	2005-08-24 15:09:17.265537494 +0200
@@ -1047,7 +1047,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */

 if (*p == '}') max = min; else
   {
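Review bot: the new guard `if (min < 0 || min > 65535)` depends on `min = min * 10 + *p++ - '0'` wrapping to a negative value on overflow, but signed integer overflow is undefined behaviour in C, so an optimising compiler may assume `min` can never go negative and drop the `min < 0` half, and a long enough digit run can also wrap back to a positive value below 65535. The robust form is to bound the accumulator inside the loop, before the multiply, e.g. `if (min > 65535) { *errorptr = ERR5; return p; }` as the first statement of the loop body; the post-loop `> 65535` test then suffices and no wrap-around is ever reached. Minor: the second new comment reads "do a paranoid on its size"; the word "check" is missing.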
@@ -1055,6 +1066,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
     if (max < min)
       {
       *errorptr = ERR4;
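Review bot: the same undefined-behaviour caveat applies to `if (max < 0 || max > 65535)`; an in-loop bound before the multiply would be the robust form here as well. The ordering is otherwise right: the size check runs before the `max < min` (ERR4) comparison, so an overflowed `max` never reaches it.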
@@ -1063,16 +1079,11 @@
     }
   }

-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */

-if (min > 65535 || max > 65535)
-  *errorptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
+*minp = min;
+*maxp = max;
 return p;
 }
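Review bot: dropping the old `if (min > 65535 || max > 65535)` guard is sound only because both new checks return early on error; please confirm every caller still inspects `*errorptr` on the returned pointer. Note that the `max < 0` test sits inside the digit-reading branch, so for an open-ended `{n,}` quantifier `max` keeps the `-1` sentinel from `int max = -1;` and still reaches `*maxp = max;`, which is the intended behaviour.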

[pcre3-5.0-CAN2005-2491.diff (text/plain, inline)]
diff -ur pcre3-5.0.orig/pcre.c pcre3-5.0/pcre.c
--- pcre3-5.0.orig/pcre.c	2004-09-13 16:20:00.000000000 +0200
+++ pcre3-5.0/pcre.c	2005-08-24 15:10:28.346633583 +0200
@@ -1245,7 +1245,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */

 if (*p == '}') max = min; else
   {
@@ -1253,6 +1264,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -1261,16 +1277,11 @@
     }
   }

-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */

-if (min > 65535 || max > 65535)
-  *errorptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
+*minp = min;
+*maxp = max;
 return p;
 }

Only in pcre3-5.0: pcre.c.orig
[pcre3-3.4-CAN2005-2491.diff (text/plain, inline)]
diff -ur pcre3-3.4.orig/pcre.c pcre3-3.4/pcre.c
--- pcre3-3.4.orig/pcre.c	2000-08-22 11:05:43.000000000 +0200
+++ pcre3-3.4/pcre.c	2005-08-24 15:16:05.140911310 +0200
@@ -711,7 +711,18 @@
 int min = 0;
 int max = -1;

+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */

 if (*p == '}') max = min; else
   {
@@ -719,6 +730,11 @@
     {
     max = 0;
     while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -727,16 +743,11 @@
     }
   }

-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */

-if (min > 65535 || max > 65535)
-  *errorptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
+*minp = min;
+*maxp = max;
 return p;
 }

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #69 received at 324531@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 324531@bugs.debian.org
Cc: security@debian.org
Subject: PCRE3: CAN-2005-2491 for oldstable
Date: Wed, 24 Aug 2005 15:27:20 +0200
[Message part 1 (text/plain, inline)]
Hi!

Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
embedded pcre 3.x, I also took a look at the woody version. I took a
look at the code and played with the test suite, and it seems to me
that the capture part works ok; just the integer underflow must be
fixed:

--- pcre.c
+++ pcre.c
@@ -733,7 +733,7 @@
 /* Do paranoid checks, then fill in the required variables, and pass back the
 pointer to the terminating '}'. */

-if (min > 65535 || max > 65535)
+if (min < 0 || min > 65535 || max < 0 || max > 65535)
   *errorptr = ERR5;
 else
   {
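Review bot: `max < 0` in the new condition looks wrong for the open-ended `{n,}` form. In this function `max` starts at -1 (see `int max = -1;` in the pcre3-3.4 hunk posted earlier in this bug) and is only assigned when a second number is present, so `if (min < 0 || min > 65535 || max < 0 || max > 65535)` would turn every `{n,}` quantifier into ERR5. A pattern such as `a{2,}` should be tried after applying this. The `min < 0` / `max < 0` tests also rely on signed overflow wrapping negative, which is undefined behaviour in C; bounding the accumulator inside the digit loop, before the multiply, avoids that.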

However, it would be nice to have a second pair of eyes to confirm
that this version is not vulnerable to the capturing overflow.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
[signature.asc (application/pgp-signature, inline)]
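The quantifier-bound reader discussed in this thread, written as an added example (not PCRE's code and not from any message in this bug): it parses `{n}`, `{n,}` and `{n,m}` with the bound tested before each multiply, so it never relies on signed overflow wrapping negative; ERR4/ERR5 follow the hunks above, while ERR_SYNTAX, MAX_REPEAT and the function names are assumptions made here.

```c
#include <stdio.h>
#include <ctype.h>

/* Constructed example, not PCRE's code: a stand-alone version of the {min,max}
   bound reader that the CAN-2005-2491 hunks in this bug patch. ERR4/ERR5 are
   the two codes used in those hunks; ERR_SYNTAX is an addition here, since
   real PCRE validates the "{digits,digits}" shape before calling the reader. */
#define ERR4 4          /* numbers out of order in {} quantifier */
#define ERR5 5          /* number too big in {} quantifier */
#define ERR_SYNTAX 99   /* malformed quantifier (assumed code, not PCRE's) */
#define MAX_REPEAT 65535

/* Accumulate one decimal digit into *acc. The bound is tested BEFORE the
   multiply, so the value can never exceed MAX_REPEAT and the code never
   depends on signed overflow wrapping to a negative number (undefined
   behaviour in C, and what a "min < 0" test after the loop relies on).
   Returns 0 when the digit would push the value past MAX_REPEAT. */
static int push_digit(int *acc, int digit)
{
    if (*acc > (MAX_REPEAT - digit) / 10) return 0;
    *acc = *acc * 10 + digit;
    return 1;
}

/* Parse the text that follows '{' up to the closing '}'.
   Success: *err = 0, *minp/*maxp set (max == -1 means "no upper bound",
   as with PCRE's "int max = -1;"), returns a pointer to the '}'.
   Failure: *err set, returns the position where parsing stopped. */
const char *read_repeat_counts(const char *p, int *minp, int *maxp, int *err)
{
    int min = 0, max = -1;
    *err = 0;

    if (!isdigit((unsigned char)*p)) { *err = ERR_SYNTAX; return p; }
    while (isdigit((unsigned char)*p)) {
        if (!push_digit(&min, *p - '0')) { *err = ERR5; return p; }
        p++;
    }

    if (*p == ',') {                     /* {n,} or {n,m} */
        p++;
        if (*p != '}') {                 /* {n,m}: read m; {n,} keeps max = -1 */
            max = 0;
            while (isdigit((unsigned char)*p)) {
                if (!push_digit(&max, *p - '0')) { *err = ERR5; return p; }
                p++;
            }
            if (max < min) { *err = ERR4; return p; }
        }
    } else {
        max = min;                       /* {n} */
    }

    if (*p != '}') { *err = ERR_SYNTAX; return p; }
    *minp = min;
    *maxp = max;
    return p;
}

/* Wrappers that reduce one parse to a single value (for checks and tests). */
int repeat_error(const char *s)
{
    int mn, mx, err;
    read_repeat_counts(s, &mn, &mx, &err);
    return err;
}

int repeat_is(const char *s, int want_min, int want_max)
{
    int mn, mx, err;
    read_repeat_counts(s, &mn, &mx, &err);
    return err == 0 && mn == want_min && mx == want_max;
}

int main(void)
{
    /* Constructed inputs: the text after '{' of several quantifiers. */
    const char *cases[] = { "3,5}", "7}", "7,}", "5,3}", "70000}",
                            "99999999999999999999}", "1,99999999999999999999}" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int mn = 0, mx = 0, err;
        read_repeat_counts(cases[i], &mn, &mx, &err);
        printf("{%-24s err=%d min=%d max=%d\n", cases[i], err, mn, mx);
    }
    return 0;
}
```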

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Sven Mueller <sven@incase.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #74 received at 324531@bugs.debian.org:

From: Sven Mueller <sven@incase.de>
To: Martin Pitt <mpitt@debian.org>, 324531@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#324531: pcre3: patch for CAN-2005-2491
Date: Wed, 24 Aug 2005 15:49:34 +0200
[Message part 1 (text/plain, inline)]
Package pcre3
Tags 324531 +patch
thanks

Martin Pitt wrote on 24/08/2005 14:12:
> Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
> 
>   http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Hmm, didn't get that the capturing fix is also needed. But you are
right there.

Attached are the patches which also include that capture-related fix
(4.5 and 5.0). The patch to 3.4 doesn't include anything to that part,
since it doesn't seem vulnerable to the capturing problem (and uses a
different approach to capturing anyway).

I also didn't include the patches made to the testing suite of the
package, since they by themselves are not part of the security problem.

All three packages compile fine after the patches were applied.
Functionality also seems to be fine.

regards,
Sven
[pcre3-3.4-CAN2005-2491.diff (text/plain, inline)]
diff -ur pcre3-3.4.orig/pcre.c pcre3-3.4/pcre.c
--- pcre3-3.4.orig/pcre.c	2000-08-22 11:05:43.000000000 +0200
+++ pcre3-3.4/pcre.c	2005-08-24 15:16:05.140911310 +0200
@@ -711,7 +711,18 @@
 int min = 0;
 int max = -1;
 
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */
 
 if (*p == '}') max = min; else
   {
@@ -719,6 +730,11 @@
     {
     max = 0;
     while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -727,16 +743,11 @@
     }
   }
 
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */
 
-if (min > 65535 || max > 65535)
-  *errorptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
+*minp = min;
+*maxp = max;
 return p;
 }
 
[pcre3-4.5-CAN2005-2491.diff (text/plain, inline)]
diff -ur pcre3-4.5.orig/pcre.c pcre3-4.5/pcre.c
--- pcre3-4.5.orig/pcre.c	2003-12-10 17:45:44.000000000 +0100
+++ pcre3-4.5/pcre.c	2005-08-24 15:25:17.580242557 +0200
@@ -1047,7 +1047,18 @@
 int min = 0;
 int max = -1;
 
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */
 
 if (*p == '}') max = min; else
   {
@@ -1055,6 +1066,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -1063,16 +1079,11 @@
     }
   }
 
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */
 
-if (min > 65535 || max > 65535)
-  *errorptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
+*minp = min;
+*maxp = max;
 return p;
 }
 
@@ -4113,6 +4124,7 @@
 BOOL class_utf8;
 #endif
 BOOL inescq = FALSE;
+BOOL capturing;
 unsigned int brastackptr = 0;
 size_t size;
 uschar *code;
@@ -4528,6 +4540,7 @@
     case '(':
     branch_newextra = 0;
     bracket_length = 1 + LINK_SIZE;
+    capturing = FALSE;
 
     /* Handle special forms of bracket, which all start (? */
 
@@ -4615,6 +4628,9 @@
 
         case 'P':
         ptr += 3;
+
+        /* Handle the definition of a named subpattern */
+
         if (*ptr == '<')
           {
           const uschar *p;    /* Don't amalgamate; some compilers */
@@ -4627,9 +4643,12 @@
             }
           name_count++;
           if (ptr - p > max_name_size) max_name_size = (ptr - p);
+          capturing = TRUE;   /* Named parentheses are always capturing */
           break;
           }
 
+        /* Handle back references and recursive calls to named subpatterns */
+
         if (*ptr == '=' || *ptr == '>')
           {
           while ((compile_block.ctypes[*(++ptr)] & ctype_word) != 0);
@@ -4804,18 +4823,24 @@
           continue;
           }
 
-        /* If options were terminated by ':' control comes here. Fall through
-        to handle the group below. */
+        /* If options were terminated by ':' control comes here. This is a
+        non-capturing group with an options change. There is nothing more that
+        needs to be done because "capturing" is already set FALSE by default;
+        we can just fall through. */
+
         }
       }
 
-    /* Extracting brackets must be counted so we can process escapes in a
-    Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to
-    need an additional 3 bytes of store per extracting bracket. However, if
-    PCRE_NO_AUTO)CAPTURE is set, unadorned brackets become non-capturing, so we
-    must leave the count alone (it will aways be zero). */
+    /* Ordinary parentheses, not followed by '?', are capturing unless
+    PCRE_NO_AUTO_CAPTURE is set. */
+
+    else capturing = (options & PCRE_NO_AUTO_CAPTURE) == 0;
+
+    /* Capturing brackets must be counted so we can process escapes in a
+    Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to need
+    an additional 3 bytes of memory per capturing bracket. */
 
-    else if ((options & PCRE_NO_AUTO_CAPTURE) == 0)
+    if (capturing)
       {
       bracount++;
       if (bracount > EXTRACT_BASIC_MAX) bracket_length += 3;
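Review bot: this hunk is the substantive part of the capturing fix, and it deserves a test that the message says was deliberately left out. With the old `else if ((options & PCRE_NO_AUTO_CAPTURE) == 0)` only an unadorned `(` reached `bracount++`, so a named group `(?P<name>...)`, which the 'P' case above now flags with `capturing = TRUE;`, was compiled as capturing but never counted, and the `bracket_length += 3` reservation beyond EXTRACT_BASIC_MAX was never made for it; `if (capturing)` closes that gap. A pattern with more than EXTRACT_BASIC_MAX named groups should be added to the package's test suite to exercise the new path. Also note that `BOOL capturing;` in the earlier hunk has no initialiser and relies on `capturing = FALSE;` at `case '(':`, which is fine as long as no other path reaches this `if`.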
Only in pcre3-4.5: pcre.c.orig
Only in pcre3-4.5: pcre.c.rej
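Review bot: the `Only in pcre3-4.5: pcre.c.rej` line means a `patch` run left a reject file in the tree, i.e. at least one hunk did not apply cleanly at some point. Please regenerate the diff from a clean tree and confirm no hunk from the 6.1 to 6.2 change is missing from the 4.5 port.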
[pcre3-5.0-CAN2005-2491.diff (text/plain, inline)]
diff -ur pcre3-5.0.orig/pcre.c pcre3-5.0/pcre.c
--- pcre3-5.0.orig/pcre.c	2004-09-13 16:20:00.000000000 +0200
+++ pcre3-5.0/pcre.c	2005-08-24 15:27:25.960768783 +0200
@@ -1245,7 +1245,18 @@
 int min = 0;
 int max = -1;
 
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */
 
 if (*p == '}') max = min; else
   {
@@ -1253,6 +1264,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -1261,16 +1277,11 @@
     }
   }
 
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */
 
-if (min > 65535 || max > 65535)
-  *errorptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
+*minp = min;
+*maxp = max;
 return p;
 }
 
@@ -4475,6 +4486,7 @@
 BOOL class_utf8;
 #endif
 BOOL inescq = FALSE;
+BOOL capturing;
 unsigned int brastackptr = 0;
 size_t size;
 uschar *code;
@@ -5021,6 +5033,7 @@
     case '(':
     branch_newextra = 0;
     bracket_length = 1 + LINK_SIZE;
+    capturing = FALSE;
 
     /* Handle special forms of bracket, which all start (? */
 
@@ -5108,6 +5121,9 @@
 
         case 'P':
         ptr += 3;
+
+        /* Handle the definition of a named subpattern */
+
         if (*ptr == '<')
           {
           const uschar *p;    /* Don't amalgamate; some compilers */
@@ -5120,9 +5136,12 @@
             }
           name_count++;
           if (ptr - p > max_name_size) max_name_size = (ptr - p);
+          capturing = TRUE;   /* Named parentheses are always capturing */
           break;
           }
 
+        /* Handle back references and recursive calls to named subpatterns */
+
         if (*ptr == '=' || *ptr == '>')
           {
           while ((compile_block.ctypes[*(++ptr)] & ctype_word) != 0);
@@ -5297,18 +5316,24 @@
           continue;
           }
 
-        /* If options were terminated by ':' control comes here. Fall through
-        to handle the group below. */
+        /* If options were terminated by ':' control comes here. This is a
+        non-capturing group with an options change. There is nothing more that
+        needs to be done because "capturing" is already set FALSE by default;
+        we can just fall through. */
+
         }
       }
 
-    /* Extracting brackets must be counted so we can process escapes in a
-    Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to
-    need an additional 3 bytes of store per extracting bracket. However, if
-    PCRE_NO_AUTO)CAPTURE is set, unadorned brackets become non-capturing, so we
-    must leave the count alone (it will aways be zero). */
+    /* Ordinary parentheses, not followed by '?', are capturing unless
+    PCRE_NO_AUTO_CAPTURE is set. */
+
+    else capturing = (options & PCRE_NO_AUTO_CAPTURE) == 0;
+
+    /* Capturing brackets must be counted so we can process escapes in a
+    Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to need
+    an additional 3 bytes of memory per capturing bracket. */
 
-    else if ((options & PCRE_NO_AUTO_CAPTURE) == 0)
+    if (capturing)
       {
       bracount++;
       if (bracount > EXTRACT_BASIC_MAX) bracket_length += 3;
Only in pcre3-5.0: pcre.c.orig
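The capture-counting half of the fix, as an added example that is not PCRE's code and not from any message in this bug: a small bracket counter in the "pre-fix" rule (only a plain `(` counts) beside the "fixed" rule (a named `(?P<name>...)` group counts too), with the hunk's `bracket_length += 3` reservation rule applied on top so the under-sizing becomes visible; the supported syntax is a subset, the function names are mine, and the value of EXTRACT_BASIC_MAX is an assumption, since the page does not state it.

```c
#include <stdio.h>

/* Constructed example, not PCRE's code. It models the bracket-counting rule
   that the capturing hunks in this bug change: the pre-fix counter only
   counted an unadorned "(", so a named group "(?P<name>...)" was compiled
   as capturing but never counted; the fixed counter counts it. Supported
   syntax here is a deliberate subset: "(", "(?:", "(?=", "(?!", "(?P<name>",
   "(?P=name)", "(?P>name)", backslash escapes and "[...]" classes. */

enum { MODE_PRE_FIX = 0, MODE_FIXED = 1 };

#define EXTRACT_BASIC_MAX 100   /* PCRE's value of that era; an assumption here */

/* Count the capturing brackets in pat the way the chosen mode would. */
int count_capturing(const char *pat, int mode)
{
    int count = 0, in_class = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '\\') { if (p[1]) p++; continue; }   /* skip escaped char */
        if (in_class) { if (*p == ']') in_class = 0; continue; }
        if (*p == '[') { in_class = 1; continue; }
        if (*p != '(') continue;

        if (p[1] != '?') { count++; continue; }        /* plain "(" */

        /* "(?P<name>" defines a named subpattern, which is always capturing.
           "(?P=name)" and "(?P>name)" are references, and every other "(?"
           form is non-capturing. Only the fixed mode counts the named group. */
        if (mode == MODE_FIXED && p[2] == 'P' && p[3] == '<') count++;
    }
    return count;
}

/* Mirror of the hunk's sizing rule: each capturing bracket past
   EXTRACT_BASIC_MAX needs 3 more bytes of compiled-pattern memory.
   An under-count here is an under-sized allocation later. */
int extra_bytes_for(const char *pat, int mode)
{
    int n = count_capturing(pat, mode);
    return n > EXTRACT_BASIC_MAX ? 3 * (n - EXTRACT_BASIC_MAX) : 0;
}

/* Build a constructed pattern of n named groups "(?P<gK>x)" and report the
   extra bytes each counter would reserve for it. */
int extra_for_named_groups(int n, int mode)
{
    static char buf[8192];
    size_t len = 0;
    buf[0] = '\0';
    for (int k = 0; k < n && len + 16 < sizeof buf; k++)
        len += (size_t)snprintf(buf + len, sizeof buf - len, "(?P<g%d>x)", k);
    return extra_bytes_for(buf, mode);
}

int main(void)
{
    /* Constructed pattern: one plain group, one named group, two non-capturing
       forms, a '(' inside a class and an escaped '(' (neither should count). */
    const char *pat = "(a)(?P<n>b)(?:c)(?=d)[(]\\(";
    printf("%s: pre-fix=%d fixed=%d\n", pat,
           count_capturing(pat, MODE_PRE_FIX), count_capturing(pat, MODE_FIXED));
    printf("101 named groups: pre-fix reserves %d bytes, fixed reserves %d\n",
           extra_for_named_groups(101, MODE_PRE_FIX),
           extra_for_named_groups(101, MODE_FIXED));
    return 0;
}
```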

Tags added: patch. Request was from Sven Mueller <sven@incase.de> to control@bugs.debian.org.

Bug marked as found in version 3.4-1.1. Request was from Sven Mueller <debian@incase.de> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #83 received at 324531@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 324531@bugs.debian.org, security@debian.org
Subject: Re: pcre3: patch for CAN-2005-2491
Date: Wed, 24 Aug 2005 20:08:24 +0200
Martin Pitt wrote:
> Hi!
> 
> Here is the relevant change from pcre3 6.1-> 6.2, ported to 5.0:
> 
>   http://patches.ubuntu.com/patches/pcre3.CAN-2005-2491.diff

Patch originally sent by Marcus Meissner from SuSE.

Regards,

	Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #88 received at 324531@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 324531@bugs.debian.org, security@debian.org
Subject: Re: PCRE3: CAN-2005-2491 for oldstable
Date: Wed, 24 Aug 2005 21:04:50 +0200
Martin Pitt wrote:
> Hi!
> 
> Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
> embedded pcre 3.x, I also took a look at the woody version. I took a
> look at the code and played with the test suite, and it seems to me
> that the capture part works ok; just the integer underflow must be
> fixed:
> 
> --- pcre.c
> +++ pcre.c
> @@ -733,7 +733,7 @@
>  /* Do paranoid checks, then fill in the required variables, and pass back the
>  pointer to the terminating '}'. */
> 
> -if (min > 65535 || max > 65535)
> +if (min < 0 || min > 65535 || max < 0 || max > 65535)
>    *errorptr = ERR5;
>  else
>    {
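
Review bot: the added sign tests in `+if (min < 0 || min > 65535 || max < 0 || max > 65535)` only detect an overflow after it has happened, and `min` or `max` can only go negative through signed integer overflow during digit accumulation, which is undefined behaviour in C, so a compiler may assume they are non-negative and drop the `< 0` tests entirely. Reject the value inside the accumulation loop before it can grow past 65535 (check the bound before each multiply-add), for both `min` and `max`; then the sign tests become unnecessary and the existing `> 65535` tests report the error.
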
> 
> However, it would be nice to have a second pair of eyes to confirm
> that this version is not vulnerable to the capturing overflow.

Confirmed.  Named subpatterns are not available in the 3.* version,
so they don't need to be fixed.

Regards,

	Joey

-- 
It's time to close the windows.



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>. Full text and rfc822 format available.

Message #93 received at 324531@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Sven Mueller <debian@incase.de>
Cc: 324531@bugs.debian.org, Stefan Fritsch <sf@sfritsch.de>
Subject: Re: Bug#324531: pcre3: CAN-2005-2491
Date: Wed, 24 Aug 2005 22:18:34 +0200
* Sven Mueller:

> +/* Read the minimum value and do a paranoid check: a negative value indicates
> +an integer overflow. */
> +
>  while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
> +if (min < 0 || min > 65535)
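
Review bot: the `min < 0` test added after `while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';` is evaluated only after the loop has already overflowed, and the comment "a negative value indicates an integer overflow" documents a condition the language does not guarantee. A one-line change inside the loop avoids the overflow altogether: bail out as soon as `min > 65535` before the next multiply-add, for example `if (min > 65535) break;` at the top of the loop body, and apply the same to the `max` loop; the `min > 65535` test that follows then reports ERR5 as before.
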

This doesn't work.  Signed integer overflow is undefined.  Future GCC
versions are likely to detect that the "min < 0" test is superfluous as
a result, and will optimize it away.
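
The two messages above concern the same spot in read_repeat_counts(): the quantifier values in `{n}`, `{n,}` and `{n,m}` must stay at or below 65535, and testing `min < 0` after the digit loop is not a reliable way to notice that the accumulator has wrapped. The following C is an added example written for this page, not PCRE's code and not part of any patch in this report: it parses the repeat counts with the bound enforced before each multiply-add, so the accumulator can never overflow and no after-the-fact sign test is needed. The function and error names (parse_repeat_counts, REPEAT_*) and the sample inputs are this example's own.

```c
#include <ctype.h>
#include <stdio.h>

/* Added example, not PCRE's code: parse the text after the '{' of a
 * {n}, {n,} or {n,m} quantifier along the lines of read_repeat_counts()
 * in pcre.c, but check the bound BEFORE each multiply-add.  Because the
 * accumulator never exceeds REPEAT_MAX, signed overflow cannot happen and
 * no after-the-fact "value < 0" test is needed.  The names below are this
 * example's own, not PCRE's ERR4/ERR5. */

#define REPEAT_MAX       65535   /* PCRE's documented upper limit */
#define REPEAT_UNBOUNDED (-1)    /* "{n,}" has no upper limit */

enum repeat_status {
    REPEAT_OK = 0,
    REPEAT_ERR_SYNTAX,     /* no digits, or no closing '}' */
    REPEAT_ERR_ORDER,      /* max < min, e.g. {5,3} */
    REPEAT_ERR_TOO_LARGE   /* a value would exceed REPEAT_MAX */
};

/* Read a decimal number at *pp into *out.  Returns 0 on success, -1 if no
 * digit is present, -2 if the number would exceed REPEAT_MAX.  The test
 * "value > (REPEAT_MAX - digit) / 10" is "value * 10 + digit > REPEAT_MAX"
 * rearranged so that it is evaluated without any risk of overflow. */
static int read_bounded_number(const char **pp, int *out)
{
    const char *p = *pp;
    int value = 0;

    if (!isdigit((unsigned char)*p)) return -1;
    while (isdigit((unsigned char)*p)) {
        int digit = *p - '0';
        if (value > (REPEAT_MAX - digit) / 10) return -2;
        value = value * 10 + digit;
        p++;
    }
    *pp = p;
    *out = value;
    return 0;
}

/* p points just past the '{'.  On success *min and *max are filled in
 * (*max == REPEAT_UNBOUNDED for "{n,}") and *endp points at the '}'. */
enum repeat_status parse_repeat_counts(const char *p, int *min, int *max,
                                       const char **endp)
{
    int rc = read_bounded_number(&p, min);
    if (rc == -1) return REPEAT_ERR_SYNTAX;
    if (rc == -2) return REPEAT_ERR_TOO_LARGE;

    if (*p == '}') {
        *max = *min;                       /* {n} */
    } else if (*p == ',') {
        p++;
        if (*p == '}') {
            *max = REPEAT_UNBOUNDED;       /* {n,} */
        } else {                           /* {n,m} */
            rc = read_bounded_number(&p, max);
            if (rc == -1) return REPEAT_ERR_SYNTAX;
            if (rc == -2) return REPEAT_ERR_TOO_LARGE;
            if (*max < *min) return REPEAT_ERR_ORDER;
        }
    } else {
        return REPEAT_ERR_SYNTAX;
    }
    if (*p != '}') return REPEAT_ERR_SYNTAX;
    *endp = p;
    return REPEAT_OK;
}

/* Convenience wrappers: a verdict without juggling out-parameters. */
enum repeat_status repeat_status_of(const char *s)
{
    int mn, mx;
    const char *end;
    return parse_repeat_counts(s, &mn, &mx, &end);
}

int repeat_parses_as(const char *s, int want_min, int want_max)
{
    int mn, mx;
    const char *end;
    return parse_repeat_counts(s, &mn, &mx, &end) == REPEAT_OK
        && mn == want_min && mx == want_max && *end == '}';
}

int main(void)
{
    /* Constructed inputs; the last one would wrap a naive int accumulator. */
    const char *samples[] = { "3,5}", "2,}", "65535}", "65536}", "5,3}",
                              "99999999999999999999}" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("{%-24s -> status %d\n", samples[i], repeat_status_of(samples[i]));
    return 0;
}
```

The bound is checked against the next digit before the multiply, so the largest value the accumulator ever holds is 65535 and the `int` arithmetic stays far from its limits; this is the structural fix the thread is asking for, as opposed to testing the sign of a value that has already overflowed. Whether `{` with no digits is a literal or an error is left to the caller, as in PCRE, where is_counted_repeat() decides that first.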



Reply sent to Mark Baker <mark@mnb.org.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Adrian Bunk <bunk@stusta.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #98 received at 324531-close@bugs.debian.org (full text, mbox):

From: Mark Baker <mark@mnb.org.uk>
To: 324531-close@bugs.debian.org
Subject: Bug#324531: fixed in pcre3 6.3-1
Date: Sat, 27 Aug 2005 10:47:07 -0700
Source: pcre3
Source-Version: 6.3-1

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive:

libpcre3-dev_6.3-1_i386.deb
  to pool/main/p/pcre3/libpcre3-dev_6.3-1_i386.deb
libpcre3_6.3-1_i386.deb
  to pool/main/p/pcre3/libpcre3_6.3-1_i386.deb
pcre3_6.3-1.diff.gz
  to pool/main/p/pcre3/pcre3_6.3-1.diff.gz
pcre3_6.3-1.dsc
  to pool/main/p/pcre3/pcre3_6.3-1.dsc
pcre3_6.3.orig.tar.gz
  to pool/main/p/pcre3/pcre3_6.3.orig.tar.gz
pcregrep_6.3-1_i386.deb
  to pool/main/p/pcre3/pcregrep_6.3-1_i386.deb
pgrep_6.3-1_all.deb
  to pool/main/p/pcre3/pgrep_6.3-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 324531@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Baker <mark@mnb.org.uk> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 27 Aug 2005 18:12:22 +0100
Source: pcre3
Binary: pcregrep libpcre3 pgrep libpcre3-dev
Architecture: source all i386
Version: 6.3-1
Distribution: unstable
Urgency: low
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Mark Baker <mark@mnb.org.uk>
Description: 
 libpcre3   - Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dev - Perl 5 Compatible Regular Expression Library - development files
 pcregrep   - grep utility that uses perl 5 compatible regexes.
 pgrep      - Dummy package for transition to pcregrep
Closes: 309606 323761 324531
Changes: 
 pcre3 (6.3-1) unstable; urgency=low
 .
   * New upstream release (Closes: 323761).
   * This includes fix to security issue CAN-2005-2491 (Closes: 324531)
 .
 pcre3 (5.0-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Correct an alignment error in the pcretest.c test case, which was
     causing build failures on ia64 (closes: #309606).
Files: 
 91f444f5eba58bc3c20d99de6214a71a 577 libs optional pcre3_6.3-1.dsc
 6a2934e0cce1656692430d9788002c93 819268 libs optional pcre3_6.3.orig.tar.gz
 9d837723421e35117bd76b7a7deab9b6 11204 libs optional pcre3_6.3-1.diff.gz
 07acbabbd4b230c13c68081220ffa8fc 762 oldlibs optional pgrep_6.3-1_all.deb
 2aae0dc35274f210c1e9baafb6e17e9f 187420 libs important libpcre3_6.3-1_i386.deb
 70788faf301fb344de90d2a3cf705f35 215714 libdevel optional libpcre3-dev_6.3-1_i386.deb
 f31e373cb5444605af90290e0ed2d888 12084 utils optional pcregrep_6.3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEKNjLk+GuosNQvkRAv/7AKCGbkgdwyHuCqgg1Uj+MAAgRjMLfgCdH8/Z
a6cdR3p7Kv8J4oIyjnaVr4c=
=eNym
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3. Full text and rfc822 format available.

Acknowledgement sent to Daniel Tiefnig <dantie@gmx.at>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>. Full text and rfc822 format available.

Message #103 received at 324531@bugs.debian.org (full text, mbox):

From: Daniel Tiefnig <dantie@gmx.at>
To: 324531@bugs.debian.org
Subject: Re: Bug#324531: fixed in pcre3 6.3-1
Date: Thu, 01 Sep 2005 11:23:18 +0200
Hej,

so how about libpcre in sarge? It's also affected, isn't it? The upload
to unstable won't fix that. Has the security team been contacted?


lg,
daniel



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#324531; Package pcre3. Full text and rfc822 format available.

Acknowledgement sent to Daniel Tiefnig <dantie@gmx.at>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>. Full text and rfc822 format available.

Message #108 received at 324531@bugs.debian.org (full text, mbox):

From: Daniel Tiefnig <dantie@gmx.at>
To: 324531@bugs.debian.org
Subject: Re: Bug#324531: fixed in pcre3 6.3-1
Date: Fri, 02 Sep 2005 16:06:03 +0200
Daniel Tiefnig wrote:
> so how about libpcre in sarge?

Duh, here it is now:
http://www.us.debian.org/security/2005/dsa-800

Thanks for catching this bug!


daniel



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 02:38:00 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 05:32:02 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.