CVE-2019-20454: Array cross-border reading/global variable coverage in PCRE

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.


Sec Bug #78338

Array cross-border reading/global variable coverage in PCRE

Submitted: 2019-07-28 04:17 UTC
Modified: 2019-07-29 22:01 UTC
From: 3556158925 at qq dot com
Assigned: stas (profile)
Status: Closed
Package: PCRE related
PHP Version: 7.3.8
OS: Ubuntu 18.04.1 LTS
Private report: No
CVE-ID: None

[2019-07-28 04:17 UTC] 3556158925 at qq dot com

Description:

Get the latest version of PHP: git clone https://github.com/php/php-src

Configure PHP: ./configure. PCRE is the default extension in PHP; even if you use "./configure --disable-all", you can still trigger the following bugs.

The test script is very easy:

<?php
// Both the pattern and the subject are the contents of the file given as argv[1]
$fuzz = file_get_contents($argv[1]);
preg_match($fuzz, $fuzz);

The input file you can download here: http://47.104.189.187/input.zip. Unzip this file and use "input_file.txt" as the input file.

Then run ./php-src/sapi/cli/php ./test.php ./input_file.txt and you will see "Segmentation fault (core dumped)".

Use gdb to see the details:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa110, cc=0x7ffff3a58868 "\377\066\250\250\250\066\066\066zzzz=*\377/\n") at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546
8546        lgb = UCD_GRAPHBREAK(c);

I analysed this crash; it is caused by array cross-border reading. Then I used AFL to fuzz PHP, and it reports some global variable coverage; you can see the crash cases in "input.zip".

Test script:

The test script is very easy:

<?php
// Both the pattern and the subject are the contents of the file given as argv[1]
$fuzz = file_get_contents($argv[1]);
preg_match($fuzz, $fuzz);

The input file you can download here: http://47.104.189.187/input.zip. Unzip this file and use "input_file.txt" as the input file.

Then run ./php-src/sapi/cli/php ./test.php ./input_file.txt and you will see "Segmentation fault (core dumped)".

Actual result:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555710367 in do_extuni_no_utf (args=0x7fffffffa110, cc=0x7ffff3a58868 "\377\066\250\250\250\066\066\066zzzz=*\377/\n") at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2_jit_compile.c:8546
8546        lgb = UCD_GRAPHBREAK(c);
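The advisory above names the exact combination that reaches the faulty code: a \X pattern, non-UTF mode, and the JIT enabled on a PCRE2 older than 10.34. The following is an added example, not code from the bug report or from PHP/PCRE2: a wrapper around preg_match() that detects that combination against the bundled PCRE2 version and keeps it off the JIT on an unfixed build, and that surfaces PCRE errors instead of a silent false. It relies on PHP's real PCRE_VERSION constant (a string such as "10.32 2018-09-10"), the real pcre.jit ini directive and preg_last_error(); the function names and the sample subject are this example's own constructions.

```php
<?php
// Added example for this thread, not code from the bug report or from PHP/PCRE2.
// It wraps preg_match() so that the combination the advisory names (a \X
// pattern, non-UTF mode, JIT enabled) is not handed to an unfixed PCRE2 JIT.
//
// Real PHP facilities used: the PCRE_VERSION constant (e.g. "10.32 2018-09-10"),
// the pcre.jit ini directive, preg_last_error(). Everything else (function
// names, the constructed sample subject) is this example's own.
declare(strict_types=1);

/** Numeric part of the bundled PCRE2 version, e.g. "10.32". */
function bundled_pcre2_version(): string
{
    $tok = strtok(PCRE_VERSION, ' ');
    return $tok === false ? '0.0' : $tok;
}

/** True when the bundled PCRE2 predates the 10.34 fix named in CVE-2019-20454. */
function pcre2_extuni_jit_affected(): bool
{
    return version_compare(bundled_pcre2_version(), '10.34', '<');
}

/** Split a PHP regex into its body and trailing modifiers ("/body/imsu"). */
function split_php_regex(string $pattern): array
{
    $open = $pattern[0] ?? '';
    if ($open === '' || $open === '\\' || ctype_alnum($open) || ctype_space($open)) {
        return [$pattern, ''];          // not a valid delimiter; preg_match() will reject it
    }
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $closeChar = $pairs[$open] ?? $open;
    $close = strrpos($pattern, $closeChar);
    if ($close === false || $close === 0) {
        return [$pattern, ''];
    }
    return [substr($pattern, 1, $close - 1), substr($pattern, $close + 1)];
}

/** Does the body contain an unescaped \X (extended grapheme cluster)? */
function body_uses_extuni(string $body): bool
{
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        if ($body[$i] !== '\\') {
            continue;
        }
        $i++;                           // consume the escaped character ("\\" pairs up too)
        if ($i < $len && $body[$i] === 'X') {
            return true;
        }
    }
    return false;
}

/** The advisory's vulnerable combination: \X in the pattern and no /u modifier. */
function pattern_is_extuni_non_utf(string $pattern): bool
{
    [$body, $modifiers] = split_php_regex($pattern);
    return body_uses_extuni($body) && strpos($modifiers, 'u') === false;
}

/**
 * preg_match() that routes the vulnerable combination to PCRE2's interpreter
 * on an unfixed build by switching the JIT off for that call, and that turns
 * a false return into an explicit error (null) with the PCRE error code.
 * Caveat: PHP caches compiled patterns, so a pattern already compiled with
 * the JIT on keeps its JIT code; for production the reliable mitigation is
 * pcre.jit=0 in php.ini until PCRE2 >= 10.34 is in place.
 */
function guarded_preg_match(string $pattern, string $subject, ?array &$matches = null): ?int
{
    $disableJit = pcre2_extuni_jit_affected() && pattern_is_extuni_non_utf($pattern);
    $savedJit = ini_get('pcre.jit');
    if ($disableJit) {
        ini_set('pcre.jit', '0');
    }
    try {
        $result = preg_match($pattern, $subject, $matches);
    } finally {
        if ($disableJit && $savedJit !== false) {
            ini_set('pcre.jit', (string) $savedJit);
        }
    }
    if ($result === false) {
        fwrite(STDERR, 'preg_match failed, PCRE error code ' . preg_last_error() . "\n");
        return null;
    }
    return $result;
}

// Constructed sample run (this subject is made up for the example; it is not
// the reporter's input_file.txt): bytes above 0x7F in a non-UTF subject.
$subject = "ab\xFF\xFFcd\n";
printf("bundled PCRE2 %s, affected: %s\n",
    bundled_pcre2_version(), pcre2_extuni_jit_affected() ? 'yes' : 'no');
printf("/\\X+/ on non-UTF subject: %s\n",
    var_export(guarded_preg_match('/\X+/', $subject, $m), true));
printf("/\\X+/u on the same bytes (invalid UTF-8): %s\n",
    var_export(guarded_preg_match('/\X+/u', $subject, $m), true));
```

Run it with the CLI binary built from the tree (./php-src/sapi/cli/php guard.php). On a fixed build the first call returns 1 and the JIT is never touched; on an unfixed build the wrapper runs that call in the interpreter. The second call returns null and prints the PCRE error code because the same bytes are not valid UTF-8 under /u, which is the behaviour an application should expect from preg_match() on untrusted subjects rather than relying on a crash. Note that the reporter's script also uses the untrusted file as the pattern itself; a pattern under attacker control is a separate problem from this CVE and should be avoided regardless of the PCRE2 version.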


History


[2019-07-28 04:21 UTC] [email protected]

This looks like segfault inside PCRE library. Did you report it to the PCRE maintainers?

[2019-07-28 07:22 UTC] 3556158925 at qq dot com

I sent this report to the PCRE maintainer just now, thanks.

[2019-07-29 17:17 UTC] [email protected]

-Status: Open
+Status: Analyzed
-Assigned To:
+Assigned To: stas

[2019-07-29 17:17 UTC] [email protected]

This issue has already been fixed upstream. Since it is caused by erroneous treatment of the subject (which may be user supplied), we should consider applying the following patch to our bundled pcre2 (PHP-7.3+):

ext/pcre/pcre2lib/pcre2_jit_compile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/pcre/pcre2lib/pcre2_jit_compile.c b/ext/pcre/pcre2lib/pcre2_jit_compile.c index 1f21bfb6ad…283aeff83c 100644 — a/ext/pcre/pcre2lib/pcre2_jit_compile.c +++ b/ext/pcre/pcre2lib/pcre2_jit_compile.c @@ -8538,7 +8538,7 @@ int lgb, rgb, ricount; PCRE2_SPTR bptr; uint32_t c;

-GETCHARINC(c, cc); +c = *cc++; #if PCRE2_CODE_UNIT_WIDTH == 32 if (c >= 0x110000) return NULL;
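Review bot: the one-line swap from GETCHARINC(c, cc) to c = *cc++ is the right read for do_extuni_no_utf, since GETCHARINC is the UTF-aware fetch and may consume more than one code unit, so on a non-UTF subject it can step past the end of the buffer, which is the out-of-bounds read shown in the gdb output above; reading a single unit cannot. The retained guard `#if PCRE2_CODE_UNIT_WIDTH == 32 if (c >= 0x110000) return NULL;` still makes sense for that single unit in 32-bit mode. What the diff lacks is a regression test: a test pairing a \X pattern with a non-UTF subject of the kind in the reporter's gdb output, run with pcre.jit=1, would keep a future sync of the bundled pcre2lib from reintroducing the GETCHARINC read.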

[2019-07-29 22:01 UTC] [email protected]

-Status: Analyzed
+Status: Closed

[2019-07-29 22:01 UTC] [email protected]

The fix for this bug has been committed. If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test. Thank you for the report, and for helping us make PHP better.

[2019-07-29 22:01 UTC] [email protected]

-PHP Version: 7.4Git-2019-07-28 (Git)
+PHP Version: 7.3.8
