CVE-2008-2371 (outer level option with alternatives caused crash)

Bug #535090 reported by Michael Santos
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
erlang (Ubuntu) | | Low | Jamie Strandboge |
Intrepid | | Low | Unassigned |
Jaunty | | Low | Unassigned |
Karmic | | Low | Jamie Strandboge |
Lucid | | Low | Jamie Strandboge |

Bug Description

Binary package hint: erlang

erlang uses its own version of PCRE for the re module in the R13 series. This version is derived from PCRE 7.6 and has the bug described in CVE-2008-2371. It can be triggered by compiling a regexp:

re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]).

This commit resolves the bug:
http://github.com/erlang/otp/commit/bb6370a20be07e6bd0c9f6e89a3cd9719dccbfd3.diff

Only the patch to erts/emulator/pcre/pcre_compile needs to be applied.

Marc Deslauriers (mdeslaur) wrote :
Changed in erlang (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
visibility: private → public

Ralf Doering (rdoering) wrote :

I will try to prepare fixed packages for lucid and for SRU in karmic.

Ralf Doering (rdoering) wrote :

Here is a debdiff against current lucid sources to fix this. The fix was cherrypicked from upstream commit bb6370a20be07e6bd0c9f6e89a3cd9719dccbfd3 and slightly adjusted: the patch for the testsuite does not apply cleanly on lucid sources. As this test is not necessary for the fix, its hunk was removed.

Ralf Doering (rdoering) wrote :

Fixed packages built from the above branches/debdiffs (with modified version numbers ~ppa1) can be found in my ppa https://launchpad.net/~rdoering/+archive/fixes. Please test. Lucid packages are already there, Karmic packages are awaiting their build right now.

Marc Deslauriers (mdeslaur) wrote :

Subscribing ubuntu-security-sponsors as per the instructions here:

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue

Ralf Doering (rdoering) wrote :

This is a debdiff of packages built from the linked branch lp:~rdoering/ubuntu/karmic/erlang/fix-535090 for karmic. Packages can be built with the patch applied and fix the problem.

tags: added: patch

Ralf Doering (rdoering) wrote :

Sorry for not seeing the typos in the karmic changelog before uploading. Branch and debdiff updated.

Ralf Doering (rdoering) wrote :

Just to be complete I'll add the debdiffs for Intrepid and Jaunty for easier review. All debdiffs are built straight from the linked branches.

Ralf Doering (rdoering) wrote :
Changed in erlang (Ubuntu Intrepid):
status: New → In Progress
Changed in erlang (Ubuntu Jaunty):
status: New → In Progress
Changed in erlang (Ubuntu Lucid):
status: Confirmed → Triaged
Changed in erlang (Ubuntu Karmic):
status: New → Triaged

Jamie Strandboge (jdstrand) wrote :

Thanks for the patches Ralf!

Intrepid and Jaunty: ACK

erlang is officially supported in Karmic and Lucid, so a member of the security team will review the patchsets, perform QA and release a USN (for karmic).

Changed in erlang (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in erlang (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in erlang (Ubuntu Lucid):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in erlang (Ubuntu Karmic):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)

Jamie Strandboge (jdstrand) wrote :

Packages for Intrepid and Jaunty have been uploaded to the security queue.

Changed in erlang (Ubuntu Intrepid):
importance: Undecided → Low
Changed in erlang (Ubuntu Jaunty):
importance: Undecided → Low
Changed in erlang (Ubuntu Karmic):
importance: Undecided → Low

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:12.b.5-dfsg-2ubuntu0.1

---------------
erlang (1:12.b.5-dfsg-2ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service via Heap-based buffer overflow in
    pcre_compile.c in the Perl-Compatible Regular Expression (PCRE)
    library (LP: #535090)
    - CVE-2008-2371
    - debian/patches/pcre-crash.patch is cherrypicked from upstream commit
      http://github.com/erlang/otp/commit/bb6370a2. The hunk for the
      testsuite does not apply cleanly and is not needed for the fix so was
      stripped. This fix is part of the current upstream OTP release R13B04.
 -- Ralf Doering <email address hidden> Fri, 12 Mar 2010 16:06:36 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:12.b.3-dfsg-1ubuntu1.1

---------------
erlang (1:12.b.3-dfsg-1ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service via Heap-based buffer overflow in
    pcre_compile.c in the Perl-Compatible Regular Expression (PCRE)
    library (LP: #535090)
    - CVE-2008-2371
    - debian/patches/pcre-crash.patch is cherrypicked from upstream commit
      http://github.com/erlang/otp/commit/bb6370a2. The hunk for the
      testsuite does not apply cleanly and is not needed for the fix so was
      stripped. This fix is part of the current upstream OTP release R13B04.
 -- Ralf Doering <email address hidden> Fri, 12 Mar 2010 15:57:04 +0100

Changed in erlang (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in erlang (Ubuntu Jaunty):
status: Fix Committed → Fix Released

Jamie Strandboge (jdstrand) wrote :

Uploaded karmic to the security queue.

Changed in erlang (Ubuntu Karmic):
status: In Progress → Fix Committed

Jamie Strandboge (jdstrand) wrote :

Uploaded lucid. The archive is frozen currently, so this won't show up until beta-2 is released.

Changed in erlang (Ubuntu Lucid):
status: In Progress → Fix Committed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:13.b.1-dfsg-2ubuntu1.1

---------------
erlang (1:13.b.1-dfsg-2ubuntu1.1) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service via Heap-based buffer overflow in
    pcre_compile.c in the Perl-Compatible Regular Expression (PCRE)
    library (LP: #535090)
    - CVE-2008-2371
    - debian/patches/pcre-crash.patch is cherrypicked from upstream commit
      http://github.com/erlang/otp/commit/bb6370a2. The hunk for the
      testsuite does not apply cleanly and is not needed for the fix so was
      stripped. This fix is part of the current upstream OTP release R13B04.
 -- Ralf Doering <email address hidden> Fri, 12 Mar 2010 09:40:49 +0100

Changed in erlang (Ubuntu Karmic):
status: Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:13.b.3-dfsg-2ubuntu2

---------------
erlang (1:13.b.3-dfsg-2ubuntu2) lucid; urgency=low

  * CVE-2008-2371: outer level option with alternatives caused crash.
    (LP: #535090).
 -- Ralf Doering <email address hidden> Thu, 11 Mar 2010 15:20:06 +0100

Changed in erlang (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in erlang (Ubuntu Intrepid):
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.