[Bug 1025709] New: VUL-0: CVE-2017-6004: php7: Segmentation fault in PHP7.1.1(bundled PCRE8.38)
http://bugzilla.opensuse.org/show_bug.cgi?id=1025709

Bug ID: 1025709
Summary: VUL-0: CVE-2017-6004: php7: Segmentation fault in PHP 7.1.1 (bundled PCRE 8.38)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6004
====================================================================
Original release date: 02/16/2017
Last revised: 02/16/2017
Source: US-CERT/NIST

Awaiting Analysis
This vulnerability is currently awaiting analysis.

Overview
The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

References to Advisories, Solutions, and Tools
External Source: CONFIRM
https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch

External Source: CONFIRM
https://bugs.exim.org/show_bug.cgi?id=2035
====================================================================
From https://bugs.exim.org/show_bug.cgi?id=2035
====================================================================
Segmentation fault in php_src/ext/pcre/pcrelib/pcre_jit_compile.c:7336.
$ php -r "echo PCRE_VERSION;"
8.38 2015-11-23

$ php -v
PHP 7.1.1 (cli) (built: Feb 12 2017 15:35:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies

Test script:
---------------
<?php
$pattern = "/(((?(?!))0(?1))(?''))/";
preg_match($pattern, "helloworld");
?>

Actual result:
--------------
ASAN Result:
==106214==ERROR: AddressSanitizer: SEGV on unknown address 0x60b000017fe0 (pc 0x000000750be8 bp 0x7ffe5a0aeb60 sp 0x7ffe5a0adf00 T0)
==106214==The signal is caused by a READ memory access.
    #0 0x750be7 in compile_bracket_matchingpath (/tmp/php+0x750be7)
    #1 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
    #2 0x750fe3 in compile_bracket_matchingpath (/tmp/php+0x750fe3)
    #3 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
    #4 0x711ebd in compile_recurse (/tmp/php+0x711ebd)
    #5 0x6fbe01 in _pcre_jit_compile (/tmp/php+0x6fbe01)
    #6 0x6e99ed in php_pcre_study (/tmp/php+0x6e99ed)
    #7 0x77b1ce in pcre_get_compiled_regex_cache (/tmp/php+0x77b1ce)
    #8 0x79aa23 in php_do_pcre_match (/tmp/php+0x79aa23)
    #9 0x78a61e in zif_preg_match (/tmp/php+0x78a61e)
    #10 0x1a52c81 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (/tmp/php+0x1a52c81)
    #11 0x17c8be3 in execute_ex (/tmp/php+0x17c8be3)
    #12 0x17cae8a in zend_execute (/tmp/php+0x17cae8a)
    #13 0x15c0a84 in zend_execute_scripts (/tmp/php+0x15c0a84)
    #14 0x1351285 in php_execute_script (/tmp/php+0x1351285)
    #15 0x1c94879 in do_cli (/tmp/php+0x1c94879)
    #16 0x1c91ca0 in main (/tmp/php+0x1c91ca0)
    #17 0x7f98bd6d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x43a768 in _start (/tmp/php+0x43a768)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/php+0x750be7) in compile_bracket_matchingpath

GDB backtrace:
#0  0x0000000000661138 in compile_bracket_matchingpath (common=0x7fffffffa5e8, cc=0x1f04d4f "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:7336
#1  0x000000000062aa23 in compile_matchingpath (common=0x7fffffffa5e8, cc=<optimized out>, ccend=0x1f04d57 "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:8497
#2  0x0000000000609e7c in compile_recurse (common=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:9719
#3  _pcre_jit_compile (re=0x1f04d00, extra=0x1f04d70, mode=0) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:10223
#4  0x00000000005e97d5 in php_pcre_study (external_re=0x1f04d00, options=1, errorptr=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_study.c:1628
#5  0x00000000006ac7e9 in pcre_get_compiled_regex_cache (regex=0x7ffff3c71120) at ext/pcre/php_pcre.c:518
#6  0x00000000006bf5dc in php_pcre_replace (regex=0x1f1b541, subject=<optimized out>, subject_len=<optimized out>, replace_val=<optimized out>, is_callable_replace=<optimized out>, limit=<optimized out>, replace_count=<optimized out>, subject_str=<optimized out>) at ext/pcre/php_pcre.c:1132
#7  php_replace_in_subject (regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=<optimized out>, limit=-1, is_callable_replace=0, replace_count=0x7fffffffabf4) at ext/pcre/php_pcre.c:1495
#8  0x00000000006be0ff in preg_replace_impl (return_value=0x7fffffffac78, regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=0x7ffff3c13250, limit_val=-1, is_callable_replace=0, is_filter=<optimized out>) at ext/pcre/php_pcre.c:1554
#9  0x00000000006bb5ef in zif_preg_filter (execute_data=0x7ffff3c131e0, return_value=0x7fffffffac78) at ext/pcre/php_pcre.c:1721
#10 0x00000000015ba4b5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:628
#11 0x00000000014a7510 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#12 0x00000000014a812b in zend_execute (op_array=0x7ffff3c7d000, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#13 0x0000000001371f21 in zend_execute_scripts (type=<optimized out>, retval=0x0, file_count=3) at Zend/zend.c:1474
#14 0x00000000011a84dc in php_execute_script (primary_file=0x7fffffffe218) at main/main.c:2537
#15 0x00000000016a555d in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:993
#16 0x00000000016a1dd9 in main (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:1381
====================================================================

https://software.opensuse.org/package/php7
TW: 7.0.15 (official repo)
42.2: 7.0.7 (official repo)
devel:languages:php repo: 7.1.1

-- 
You are receiving this mail because: You are on the CC list for the bug.
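An operational check to go with the report above, added here as an editor's example (not code from the reporter, PHP or openSUSE): it reads the bundled PCRE version and the pcre.jit setting and turns the JIT off for the current process when the bundled PCRE predates the fix, since both backtraces crash inside _pcre_jit_compile. The threshold 8.41 is an assumption (the page only says "before revision 1680"); adjust it if your vendor backported the fix.

```php
<?php
// Added example, not part of the bug report: report the bundled PCRE version
// and the pcre.jit state, and disable the JIT at runtime as an interim
// mitigation for the CVE-2017-6004 crash when the PCRE is too old.
//
// Assumption (editor's, not from the page): 8.41 is taken as the first PCRE
// release containing revision 1680. Adjust if the fix was backported.
const PCRE_FIXED_RELEASE = '8.41';

function pcre_jit_status(): array
{
    // PCRE_VERSION looks like "8.38 2015-11-23"; keep the numeric part only.
    // PHP >= 7.3 bundles PCRE2 and reports "10.x", which compares as newer.
    $version    = strtok(PCRE_VERSION, ' ');
    $jitEnabled = filter_var(ini_get('pcre.jit'), FILTER_VALIDATE_BOOLEAN);
    $oldPcre    = version_compare($version, PCRE_FIXED_RELEASE, '<');
    return [
        'php'     => PHP_VERSION,
        'pcre'    => $version,
        'jit'     => $jitEnabled,
        // Per the backtraces the crash is in the JIT compile path, so an
        // old PCRE with the JIT disabled is not exposed to this bug.
        'exposed' => $oldPcre && $jitEnabled,
    ];
}

function mitigate_pcre_jit(): bool
{
    if (!pcre_jit_status()['exposed']) {
        return false; // fixed PCRE or JIT already off: nothing to change
    }
    // pcre.jit is PHP_INI_ALL, so it can be changed at runtime; for a
    // fleet-wide mitigation set pcre.jit=0 in php.ini instead.
    return ini_set('pcre.jit', '0') !== false;
}

$before  = pcre_jit_status();
$changed = mitigate_pcre_jit();
$after   = pcre_jit_status();
printf("PHP %s, PCRE %s: JIT %s, exposed=%s\n",
    $before['php'], $before['pcre'],
    $before['jit'] ? 'on' : 'off', $before['exposed'] ? 'yes' : 'no');
if ($changed) {
    printf("pcre.jit disabled for this process; exposed=%s\n",
        $after['exposed'] ? 'yes' : 'no');
}
```

Disabling the JIT is a stopgap with a performance cost; the real fix is a PCRE build that contains revision 1680.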
http://bugzilla.opensuse.org/show_bug.cgi?id=1025709

Mikhail Kasimov <mikhail.kasimov@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2017-6004