Debian Bug report logs - #400121
CVE-2006-6015: Buffer overflow in konqueror

Package: libpcre3; Maintainer for libpcre3 is Matthew Vernon <matthew@debian.org>; Source for libpcre3 is src:pcre3.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Thu, 23 Nov 2006 22:33:16 UTC

Severity: important

Tags: confirmed, security

Done: "Mark Baker" <mark@mnb.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#400121; Package konqueror.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-6015: Buffer overflow in konqueror
Date: Thu, 23 Nov 2006 23:24:18 +0100
Package: konqueror
Version: 4:3.5.5a.dfsg.1-2
Severity: grave
Tags: security
Justification: user security hole


Konqueror crashes when opening the following page:

<html>
<head>
<script>
var reg = /(.)*/;
var z = 'Z';
while (z.length <= 8192) z+=z;
var boum = reg.exec(z);
</script>
</head>
</html>

The original poster claimed this could be used to execute arbitrary
code:
http://www.securityfocus.com/archive/1/archive/1/451542/100/0/threaded

Please mention the CVE id in the changelog.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages konqueror depends on:
ii  kcontrol               4:3.5.5a.dfsg.1-2 control center for KDE
ii  kdebase-kio-plugins    4:3.5.5a.dfsg.1-2 core I/O slaves for KDE
ii  kdelibs4c2a            4:3.5.5a.dfsg.1-5 core libraries and binaries for al
ii  kdesktop               4:3.5.5a.dfsg.1-2 miscellaneous binaries and files f
ii  kfind                  4:3.5.5a.dfsg.1-2 file-find utility for KDE
ii  libacl1                2.2.41-1          Access control list shared library
ii  libart-2.0-2           2.3.17-1          Library of functions for 2D graphi
ii  libattr1               2.4.32-1          Extended attribute shared library
ii  libaudio2              1.8-2             The Network Audio System (NAS). (s
ii  libc6                  2.3.6.ds1-8       GNU C Library: Shared libraries
ii  libfam0                2.7.0-11          Client library to control the FAM 
ii  libfontconfig1         2.4.1-2           generic font configuration library
ii  libfreetype6           2.2.1-5           FreeType 2 font engine, shared lib
ii  libgcc1                1:4.1.1-20        GCC support library
ii  libice6                1:1.0.1-2         X11 Inter-Client Exchange library
ii  libidn11               0.6.5-1           GNU libidn library, implementation
ii  libjpeg62              6b-13             The Independent JPEG Group's JPEG 
ii  libkonq4               4:3.5.5a.dfsg.1-2 core libraries for Konqueror
ii  libpng12-0             1.2.13-4          PNG library - runtime
ii  libqt3-mt              3:3.3.7-1         Qt GUI Library (Threaded runtime v
ii  libsm6                 1:1.0.1-3         X11 Session Management library
ii  libstdc++6             4.1.1-20          The GNU Standard C++ Library v3
ii  libx11-6               2:1.0.3-4         X11 client-side library
ii  libxcursor1            1.1.7-4           X cursor management library
ii  libxext6               1:1.0.1-2         X11 miscellaneous extension librar
ii  libxft2                2.1.8.2-8         FreeType-based font drawing librar
ii  libxi6                 1:1.0.1-3         X11 Input extension library
ii  libxinerama1           1:1.0.1-4.1       X11 Xinerama extension library
ii  libxrandr2             2:1.1.0.2-4       X11 RandR extension library
ii  libxrender1            1:0.9.1-3         X Rendering Extension client libra
ii  libxt6                 1:1.0.2-2         X11 toolkit intrinsics library
ii  zlib1g                 1:1.2.3-13        compression library - runtime

konqueror recommends no packages.

-- no debconf information



Tags added: confirmed. Request was from Ana Guerrero <ana@ekaia.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#400121; Package konqueror.


Acknowledgement sent to nive@nivalis.org:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.


Message #12 received at 400121@bugs.debian.org:

From: Olivier Trichet <nive@nivalis.org>
To: Stefan Fritsch <sf@sfritsch.de>, 400121@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#400121: CVE-2006-6015: Buffer overflow in konqueror
Date: Sun, 26 Nov 2006 14:18:46 +0100
reassign 400121 libpcre3
stop

The problem is in libpcre, which konqueror calls: the pcretest program 
itself crashes.

nive@bruine:~$ pcretest
PCRE version 6.7 04-Jul-2006
  re> /^(.)*$/
data> ZZZZZZZZZZZZZZZZZ.......ZZZZ (a "few" thousand "Z" in a row)
Erreur de segmentation






Bug reassigned from package `konqueror' to `libpcre3'. Request was from Olivier Trichet <nive@nivalis.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#400121; Package libpcre3.


Acknowledgement sent to Tom Parker <palfrey@tevp.net>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.


Message #19 received at 400121@bugs.debian.org:

From: Tom Parker <palfrey@tevp.net>
To: 400121@bugs.debian.org
Cc: 400121-subscribe@bugs.debian.org
Subject: Can't reproduce 400121 with libpcre3
Date: Wed, 29 Nov 2006 12:59:47 +0100
I've just been doing the test that Olivier Trichet mentioned with 
pcretest, with a file containing 30,000 Z's, and I don't get a crash. 
This is with libpcre3 6.7-1 on i386.

Any more details on a good testcase for libpcre3?

Tom Parker
-- 
palfrey@tevp.net - http://tevp.net
Illegitimus non carborundum



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#400121; Package libpcre3.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.


Message #24 received at 400121@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 400121@bugs.debian.org
Subject: Seems to be stack overflow (too deep recursion)
Date: Wed, 29 Nov 2006 14:04:33 +0100
I could reproduce the issue, using pcretest.  GDB shows that this is a
stack overflow due to deep recursion.

The impact of this bug on availability is hard to estimate, even if
code injection should be impossible.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#400121; Package libpcre3.


Acknowledgement sent to Mark Baker <mark@mnb.org.uk>:
Extra info received and forwarded to list.


Message #29 received at 400121@bugs.debian.org:

From: Mark Baker <mark@mnb.org.uk>
To: Tom Parker <palfrey@tevp.net>, 400121@bugs.debian.org
Subject: Re: Bug#400121: Can't reproduce 400121 with libpcre3
Date: Wed, 29 Nov 2006 14:00:23 +0000
On Wed, Nov 29, 2006 at 12:59:47PM +0100, Tom Parker wrote:
> I've just been doing the test that Olivier Trichet mentioned with 
> pcretest, with a file containing 30,000 Z's, and I don't get a crash. 
> This is with libpcre3 6.7-1 on i386.

I can reproduce it with pcregrep; no idea why pcretest might not suffer
from it. It crashes when it gets to 8192 recursive instances of the
match function, possibly due to running out of stack space?

You are looking for a pattern of (.)* I assume? 



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#400121; Package libpcre3.


Acknowledgement sent to Tom Parker <palfrey@tevp.net>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.


Message #34 received at 400121@bugs.debian.org:

From: Tom Parker <palfrey@tevp.net>
To: Mark Baker <mark@mnb.org.uk>
Cc: 400121@bugs.debian.org
Subject: Re: Bug#400121: Can't reproduce 400121 with libpcre3
Date: Wed, 29 Nov 2006 15:49:02 +0100
Mark Baker wrote:
> On Wed, Nov 29, 2006 at 12:59:47PM +0100, Tom Parker wrote:
>> I've just been doing the test that Olivier Trichet mentioned with 
>> pcretest, with a file containing 30,000 Z's, and I don't get a crash. 
>> This is with libpcre3 6.7-1 on i386.
> 
> I can reproduce it with pcregrep; no idea why pcretest might not suffer
> from it. It crashes when it gets to 8192 recursive instances of the
> match function, possibly due to running out of stack space?
> 
> You are looking for a pattern of (.)* I assume? 

I was looking for a ^(.)*$ pattern, but I've just double-checked with 
(.)* and ^(.)*, none of them crash pcretest. pcregrep (6.7-1) also 
doesn't crash with that pattern. There appears to be something different 
about my system... where exactly does pcregrep crash? A stack trace 
would be nice.

Tom Parker
-- 
palfrey@tevp.net - http://tevp.net
Illegitimus non carborundum



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#400121; Package libpcre3.


Acknowledgement sent to Mark Baker <mark@mnb.org.uk>:
Extra info received and forwarded to list.


Message #39 received at 400121@bugs.debian.org:

From: Mark Baker <mark@mnb.org.uk>
To: Tom Parker <palfrey@tevp.net>, 400121@bugs.debian.org
Subject: Re: Bug#400121: Can't reproduce 400121 with libpcre3
Date: Wed, 29 Nov 2006 17:14:37 +0000
On Wed, Nov 29, 2006 at 03:49:02PM +0100, Tom Parker wrote:

> about my system... where exactly does pcregrep crash? A stack trace 
> would be nice.

p4-7088:~>for i in $(seq 1 8192); do echo -n Z >>file; done
p4-7088:~>pcregrep '(.)*' file
Segmentation fault

Running it under gdb, using the copy in the build tree (as the installed
version is stripped):

(gdb) run '(.)*' /home/mark/file
Starting program: /home/mark/debian/pcre/pcre3-6.7/.libs/pcregrep '(.)*'
/home/mark/file

Program received signal SIGSEGV, Segmentation fault.
match (eptr=0xbfff842d 'Z' <repeats 200 times>..., ecode=0x804df0f "\vC",
    offset_top=4, md=0xbfff72f8, ims=0, eptrb=0xbf800644, flags=2, rdepth=8156)
    at ./pcre_exec.c:378
378     {
(gdb) bt
#0  match (eptr=0xbfff842d 'Z' <repeats 200 times>..., ecode=0x804df0f "\vC",
    offset_top=4, md=0xbfff72f8, ims=0, eptrb=0xbf800644, flags=2, rdepth=8156)
    at ./pcre_exec.c:378
#1  0x40029014 in match (eptr=<value optimized out>,
    ecode=<value optimized out>, offset_top=<value optimized out>,
    md=0xbfff72f8, ims=0, eptrb=0xbf800644, flags=<value optimized out>,
    rdepth=8155) at ./pcre_exec.c:629
#2  0x400255b7 in match (eptr=0xbfff842d 'Z' <repeats 200 times>...,
    ecode=<value optimized out>, offset_top=4, md=0xbfff72f8, ims=0,
    eptrb=0xbf800e44, flags=<value optimized out>, rdepth=8154)
    at ./pcre_exec.c:1190
#3  0x40029014 in match (eptr=<value optimized out>,
    ecode=<value optimized out>, offset_top=<value optimized out>,
    md=0xbfff72f8, ims=0, eptrb=0xbf800e44, flags=<value optimized out>,
    rdepth=8153) at ./pcre_exec.c:629
#4  0x400255b7 in match (eptr=0xbfff842d 'Z' <repeats 200 times>...,
    ecode=<value optimized out>, offset_top=4, md=0xbfff72f8, ims=0,
    eptrb=0xbf801644, flags=<value optimized out>, rdepth=8152)
    at ./pcre_exec.c:1190

and so on for thousands more calls to match(), with alternating calling
addresses. Where it's actually failed is right at the beginning of the
function, before it's got to any code. Looks like a stack overflow?

Ah, yes, if I use ulimit to make my stack size unlimited it works as
expected. (presumably that's what's different about your system).

I don't think there's a bug here. Using lots of stack space for a
pattern like this is not unreasonable, and dying horribly when you run
out is something you don't get a whole lot of control over.

There is a limit recursion feature of PCRE, which the calling program
could use.



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#400121; Package libpcre3.


Acknowledgement sent to Tom Parker <palfrey@tevp.net>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.


Message #44 received at 400121@bugs.debian.org:

From: Tom Parker <palfrey@tevp.net>
To: Mark Baker <mark@mnb.org.uk>
Cc: 400121@bugs.debian.org
Subject: Re: Bug#400121: Can't reproduce 400121 with libpcre3
Date: Thu, 30 Nov 2006 00:00:13 +0100
Mark Baker wrote:
> There is a limit recursion feature of PCRE, which the calling program
> could use.

There appear to be two options here:
1) Punt back to Konqueror, and get them (or whatever they're calling 
that uses libpcre3 - note that libpcre3 is *not* in the dependencies of 
konqueror 4:3.5.5a.dfsg.1-2, so this probably needs doing somewhere 
else) to use the recursion limiting of pcre to clip it at a 
few thousand - your stack trace got to 8156 iterations, so clipping at 
say 4000 or so should be plenty for most sane things while not limiting 
most applications. This is a bit of a hack around, but would fix the 
security issue (well, unless some user sets their stack size even smaller).

2) Figure out a way to fix this properly by getting libpcre to realise 
it's run out of stack space (possibly by not spawning new copies of 
match() unless there's some minimum value of stack free), and to return 
some form of "match failed badly, here's an error" up to the calling 
app. Not sure how you'd do that cleanly offhand. Catching SIGSEGV might 
work, but would be like using a sledgehammer to crack peanuts (as well 
as screwing with any application that's catching SIGSEGV for its own 
reasons). Best option here is probably forwarding to upstream and seeing 
what their thoughts are. I guess as the package maintainer you're 
probably on the mailing list for them?

Tom Parker
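
Mark Baker's "limit recursion feature" (message #39) and Tom Parker's option 2 above both come down to bounding the depth of match() and reporting an error instead of running off the end of the stack. The toy backtracking matcher below is an added example, not code from this thread or from PCRE: it recurses once per repeated item the way the pcre_exec.c trace does, carries an rdepth counter, and returns a constructed error code -21 once a depth budget is exceeded. In real PCRE the equivalent knob is the match_limit_recursion field of a pcre_extra (enabled with PCRE_EXTRA_MATCH_LIMIT_RECURSION), which makes pcre_exec() return PCRE_ERROR_RECURSIONLIMIT.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* pcre_exec()-style codes: >0 match, 0 no match, <0 error (-21 is constructed). */
#define MATCH_YES            1
#define MATCH_NO             0
#define MATCH_ERR_RECURSION (-21)

/* Backtracking matcher for literals, '.' and postfix '*'.  As in PCRE's match(),
   each repeat of a starred item is one more nested call (depth ~N for ".*" on N
   characters); rdepth mirrors the rdepth argument in the gdb trace. */
static int match_here(const char *re, const char *text, int rdepth, int limit)
{
    if (rdepth > limit)
        return MATCH_ERR_RECURSION;   /* bail out before the stack runs out */
    if (re[0] == '\0')
        return MATCH_YES;             /* pattern exhausted: matched */
    if (re[1] == '*') {
        /* Greedy: consume one character and recurse deeper first. */
        if (*text != '\0' && (re[0] == '.' || re[0] == *text)) {
            int r = match_here(re, text + 1, rdepth + 1, limit);
            if (r != MATCH_NO)
                return r;             /* propagate a match or an error */
        }
        return match_here(re + 2, text, rdepth + 1, limit);   /* backtrack */
    }
    if (*text != '\0' && (re[0] == '.' || re[0] == *text))
        return match_here(re + 1, text + 1, rdepth + 1, limit);
    return MATCH_NO;
}

/* Anchored match with a recursion budget: the analogue of setting
   match_limit_recursion on a pcre_extra before calling pcre_exec(). */
int match_limited(const char *re, const char *text, int limit)
{
    return match_here(re, text, 0, limit);
}

/* Match ".*" against a constructed run of n 'Z's, the report's input. */
int match_z_run(int n, int limit)
{
    char *z = malloc((size_t)n + 1);
    if (z == NULL) return MATCH_NO;
    memset(z, 'Z', (size_t)n);
    z[n] = '\0';
    int r = match_limited(".*", z, limit);
    free(z);
    return r;
}

int main(void)
{
    printf("8192 Z, budget 4000: %d\n", match_z_run(8192, 4000));  /* -21, no crash */
    return 0;
}
```

With the 4000 budget Tom suggests, the 8192-character input from the report is rejected with an error code at depth 4001; with a large budget the same input matches, since a few thousand small C frames fit comfortably in a default stack.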



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#400121; Package libpcre3.


Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.


Message #49 received at 400121@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: 400121@bugs.debian.org
Subject: "only" important
Date: Sat, 9 Dec 2006 00:06:25 +0100
severity 400121 important
thanks

Hi,

though this is a security bug, it is not bad enough to warrant RC-grade:
23:52 < jmm> aba: non-issue
23:53 < jmm> aba: browser-crashes w/o potential for code injection don't
need to be RC

Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/



Severity set to `important' from `grave'. Request was from Andreas Barth <aba@not.so.argh.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#400121; Package libpcre3. (Thu, 15 Mar 2012 23:39:03 GMT)


Acknowledgement sent to Sune Vuorela <sune@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>. (Thu, 15 Mar 2012 23:39:03 GMT)


Message #56 received at 400121@bugs.debian.org:

From: Sune Vuorela <sune@debian.org>
To: 400121@bugs.debian.org
Subject: fixed in khtml
Date: Fri, 16 Mar 2012 00:37:10 +0100
Quite some time ago, probably before the squeeze release, this bug got fixed 
in khtml to cut off the recursiveness after enough steps if pcre is using the 
stack for recursion. So I guess this bug can be closed.

/Sune
-- 
I cannot digit from the front-end, how does it work?

The point is that you never need to open the mailer and from the drawer menu 
inside Office XP you neither can ever log in the board on a MIDI utility, nor 
must telnet from the wordprocessor of the digital window over a AT tower, so 
that you neither should ever link a attachment, nor must boot the directory 
for installing the file on a ISDN microprocessor.




Marked Bug as done. Request was from "Mark Baker" <mark@mnb.org.uk> to control@bugs.debian.org. (Wed, 21 Mar 2012 21:19:51 GMT)


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Wed, 21 Mar 2012 21:19:52 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 19 Apr 2012 07:34:46 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 6 02:35:34 2018; Machine Name: buxtehude
