[Bug 1170036] New: VUL-1: CVE-2020-11958: re2c: heap overflow in Scanner:fill (scanner.cc)
http://bugzilla.opensuse.org/show_bug.cgi?id=1170036

            Bug ID: 1170036
           Summary: VUL-1: CVE-2020-11958: re2c: heap overflow in Scanner:fill (scanner.cc)
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.1
          Hardware: Other
               URL: https://smash.suse.de/issue/258062/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: peter.simons@suse.com
          Reporter: atoptsoglou@suse.com
        QA Contact: security-team@suse.de
          Found By: Security Response Team
           Blocker: ---

through oss

Description:

re2c is a tool for generating C-based recognizers from regular expressions.

There is a heap overflow reproducible with a crafted file.

~ $ re2c -o /tmp/out $FILE
=================================================================
==43995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004212 at pc 0x00000049937f bp 0x7ffc0521bc00 sp 0x7ffc0521b3c8
WRITE of size 18 at 0x629000004212 thread T0
    #0 0x49937e in __asan_memset /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_interceptors_memintrinsics.cc:26:3
    #1 0x67a291 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:167:9
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16
    #6 0x421d39 (/usr/bin/re2c+0x421d39)

0x629000004212 is located 0 bytes to the right of 16402-byte region [0x629000000200,0x629000004212)
allocated by thread T0 here:
    #0 0x4c949d in operator new[](unsigned long) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_new_delete.cc:102:3
    #1 0x67a0f2 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:154:22
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_interceptors_memintrinsics.cc:26:3 in __asan_memset

Affected version: 1.3
Fixed version: Will be 2.0
Commit fix: https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a
Credit: This bug was discovered by Agostino Sarubbo.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11958
http://seclists.org/oss-sec/2020/q2/43
http://blogs.gentoo.org/ago/2020/04/19/re2c-heap-overflow-in-scannerfill-sca...

--
You are receiving this mail because:
You are on the CC list for the bug.
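The sanitizer report above already contains everything a triager needs: the access kind and size, the region bounds, the frame that faulted and the frame that allocated the buffer. The following Python helper, added here as an example and not part of the bug report or of re2c, parses exactly those lines and computes how many bytes of the access fall outside the region (here all 18, since the write starts at the region's end, and 16402 is 16384 + 18). It also reports whether the allocation and the fault sit in the same function, which in this report they do (both in re2c::Scanner::fill), a strong hint that the size computed for the buffer and the size written disagree. The embedded report is the one from the bug with the mail wrapping undone; the frame filter that skips sanitizer runtime frames is a heuristic of this example.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The report from the bug above, with the mail line-wrapping undone (abbreviated stacks).
ASAN_REPORT = """\
==43995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004212 at pc 0x00000049937f bp 0x7ffc0521bc00 sp 0x7ffc0521b3c8
WRITE of size 18 at 0x629000004212 thread T0
    #0 0x49937e in __asan_memset /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_interceptors_memintrinsics.cc:26:3
    #1 0x67a291 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:167:9
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
    #3 0x61d5f4 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/compile.cc:148:41
    #4 0x4cc668 in main /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/main.cc:33:5
    #5 0x7f26392c9dca in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.29-r2/work/glibc-2.29/csu/../csu/libc-start.c:308:16
    #6 0x421d39 (/usr/bin/re2c+0x421d39)

0x629000004212 is located 0 bytes to the right of 16402-byte region [0x629000000200,0x629000004212)
allocated by thread T0 here:
    #0 0x4c949d in operator new[](unsigned long) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_new_delete.cc:102:3
    #1 0x67a0f2 in re2c::Scanner::fill(unsigned long) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/scanner.cc:154:22
    #2 0x682a51 in re2c::Scanner::echo(re2c::Output&) /var/tmp/portage/dev-util/re2c-1.3/work/re2c-1.3/src/parse/lex.cc:94:33
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-libs/compiler-rt-sanitizers-9.0.0/work/compiler-rt-9.0.0.src/lib/asan/asan_interceptors_memintrinsics.cc:26:3 in __asan_memset
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
REGION_RE = re.compile(r"0x([0-9a-f]+) is located (\d+) bytes (?:to the (left|right) of|inside of) "
                       r"(\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")
# One stack frame with a symbolised file:line:col location; unsymbolised frames are skipped.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+:\d+:\d+)$", re.M)


@dataclass
class Frame:
    depth: int
    function: str
    location: str  # file:line:col


@dataclass
class Finding:
    error: str
    access: str            # READ or WRITE
    size: int              # bytes accessed
    address: int
    region_start: int
    region_end: int        # exclusive, as ASan prints it
    region_size: int
    bytes_outside: int     # bytes of the access that land outside the region
    fault_site: Optional[Frame]   # first frame outside the sanitizer runtime
    alloc_site: Optional[Frame]   # first allocating frame outside the runtime


def parse_frames(section: str) -> List[Frame]:
    return [Frame(int(d), fn, loc) for d, fn, loc in FRAME_RE.findall(section)]


def first_user_frame(frames: List[Frame]) -> Optional[Frame]:
    """Heuristic: skip ASan interceptors and the replaced allocator entry points."""
    for f in frames:
        if f.function.startswith(("__asan_", "__interceptor_", "operator new", "operator delete")):
            continue
        if "/asan/" in f.location:
            continue
        return f
    return None


def parse_asan_report(text: str) -> Finding:
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a recognised AddressSanitizer heap report")
    # The access stack precedes "allocated by"; the allocation stack follows it.
    access_part, _, alloc_part = text.partition("allocated by")
    size, address = int(acc.group(2)), int(acc.group(3), 16)
    region_size = int(reg.group(4))
    region_start, region_end = int(reg.group(5), 16), int(reg.group(6), 16)
    if region_end - region_start != region_size:
        raise ValueError("region bounds disagree with the stated region size")
    # Intersect [address, address+size) with [region_start, region_end); the rest is out of bounds.
    lo, hi = max(address, region_start), min(address + size, region_end)
    bytes_outside = size - max(0, hi - lo)
    return Finding(err.group(1), acc.group(1), size, address, region_start, region_end,
                   region_size, bytes_outside,
                   first_user_frame(parse_frames(access_part)),
                   first_user_frame(parse_frames(alloc_part)))


def triage_line(f: Finding) -> str:
    where = f"{f.fault_site.function} at {f.fault_site.location}" if f.fault_site else "unknown"
    alloc = f"{f.alloc_site.function} at {f.alloc_site.location}" if f.alloc_site else "unknown"
    same = f.fault_site and f.alloc_site and f.fault_site.function == f.alloc_site.function
    note = " (buffer sized and written in the same function: check the size computation)" if same else ""
    return (f"{f.error}: {f.access} of {f.size} bytes, {f.bytes_outside} of them outside a "
            f"{f.region_size}-byte region; fault in {where}; buffer allocated in {alloc}{note}")


if __name__ == "__main__":
    print(triage_line(parse_asan_report(ASAN_REPORT)))
```

The bytes_outside arithmetic deliberately handles left-side and interior reports as well, so the same helper works for an underflow ("bytes to the left of") or a partially overlapping access, not only the exact end-of-region write seen here.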
Alexandros Toptsoglou <atoptsoglou@suse.com> changed:

            What    |Removed                     |Added
----------------------------------------------------------------------------
       Component|Security                    |Security
         Version|Leap 15.1                   |Current
         Product|openSUSE Distribution       |openSUSE Tumbleweed
Target Milestone|---                         |Current
http://bugzilla.opensuse.org/show_bug.cgi?id=1170036#c1

--- Comment #1 from Alexandros Toptsoglou <atoptsoglou@suse.com> ---
Tracking Factory as affected. Please upgrade when a newer version is available.
The issue seems to have been introduced in version 1.2. SLE seems not affected,
since we ship older versions.