CVE-2008-2371 (outer level option with alternatives caused crash)

Bug #535090 reported by Michael Santos on 2010-03-09
This bug affects 2 people
Affects            Importance   Assigned to
erlang (Ubuntu)    Low          Jamie Strandboge
Intrepid           Low          Unassigned
Jaunty             Low          Unassigned
Karmic             Low          Jamie Strandboge
Lucid              Low          Jamie Strandboge

Bug Description

Binary package hint: erlang

erlang uses its own version of PCRE for the re module in the R13 series. This version is derived from PCRE 7.6 and has the bug described in CVE-2008-2371. It can be triggered by compiling a regexp:

re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]).

This commit resolves the bug:
http://github.com/erlang/otp/commit/bb6370a20be07e6bd0c9f6e89a3cd9719dccbfd3.diff

Only the patch to erts/emulator/pcre/pcre_compile needs to be applied.

Changed in erlang (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
visibility: private → public
Ralf Doering (rdoering) wrote :

I will try to prepare fixed packages for lucid and for SRU in karmic.

Ralf Doering (rdoering) wrote :

Here is a debdiff against current lucid sources to fix this. The fix was cherrypicked from upstream commit bb6370a20be07e6bd0c9f6e89a3cd9719dccbfd3 and slightly adjusted: the patch for the testsuite does not apply cleanly on lucid sources. As this test is not necessary for the fix its hunk was removed.

Ralf Doering (rdoering) wrote :

Fixed packages built from the above branches/debdiffs (with modified version numbers ~ppa1) can be found in my ppa https://launchpad.net/~rdoering/+archive/fixes. Please test. Lucid packages are already there, Karmic packages are awaiting their build right now.

Marc Deslauriers (mdeslaur) wrote :

Subscribing ubuntu-security-sponsors as per the instructions here:

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue

Ralf Doering (rdoering) wrote :

This is a debdiff of packages built from the linked branch lp:~rdoering/ubuntu/karmic/erlang/fix-535090 for karmic. Packages can be built with the patch applied and fix the problem.

tags: added: patch
Ralf Doering (rdoering) wrote :

Sorry for not seeing the typos in the karmic changelog before uploading. Branch and debdiff updated.

Ralf Doering (rdoering) wrote :

Just to be complete I'll add the debdiffs for Intrepid and Jaunty for easier review. All debdiffs are built straight from the linked branches.

Ralf Doering (rdoering) wrote :
Changed in erlang (Ubuntu Intrepid):
status: New → In Progress
Changed in erlang (Ubuntu Jaunty):
status: New → In Progress
Changed in erlang (Ubuntu Lucid):
status: Confirmed → Triaged
Changed in erlang (Ubuntu Karmic):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Thanks for the patches Ralf!

Intrepid and Jaunty: ACK

erlang is officially supported in Karmic and Lucid, so a member of the security team will review the patchsets, perform QA and release a USN (for karmic).

Changed in erlang (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in erlang (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in erlang (Ubuntu Lucid):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in erlang (Ubuntu Karmic):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Packages for Intrepid and Jaunty have been uploaded to the security queue.

Changed in erlang (Ubuntu Intrepid):
importance: Undecided → Low
Changed in erlang (Ubuntu Jaunty):
importance: Undecided → Low
Changed in erlang (Ubuntu Karmic):
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:12.b.5-dfsg-2ubuntu0.1

---------------
erlang (1:12.b.5-dfsg-2ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service via Heap-based buffer overflow in
    pcre_compile.c in the Perl-Compatible Regular Expression (PCRE)
    library (LP: #535090)
    - CVE-2008-2371
    - debian/patches/pcre-crash.patch is cherrypicked from upstream commit
      http://github.com/erlang/otp/commit/bb6370a2. The hunk for the
      testsuite does not apply cleanly and is not needed for the fix so was
      stripped. This fix is part of the current upstream OTP release R13B04.
 -- Ralf Doering <email address hidden> Fri, 12 Mar 2010 16:06:36 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:12.b.3-dfsg-1ubuntu1.1

---------------
erlang (1:12.b.3-dfsg-1ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service via Heap-based buffer overflow in
    pcre_compile.c in the Perl-Compatible Regular Expression (PCRE)
    library (LP: #535090)
    - CVE-2008-2371
    - debian/patches/pcre-crash.patch is cherrypicked from upstream commit
      http://github.com/erlang/otp/commit/bb6370a2. The hunk for the
      testsuite does not apply cleanly and is not needed for the fix so was
      stripped. This fix is part of the current upstream OTP release R13B04.
 -- Ralf Doering <email address hidden> Fri, 12 Mar 2010 15:57:04 +0100

Changed in erlang (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in erlang (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Uploaded karmic to the security queue.

Changed in erlang (Ubuntu Karmic):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Uploaded lucid. The archive is frozen currently, so this won't show up until beta-2 is released.

Changed in erlang (Ubuntu Lucid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:13.b.1-dfsg-2ubuntu1.1

---------------
erlang (1:13.b.1-dfsg-2ubuntu1.1) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service via Heap-based buffer overflow in
    pcre_compile.c in the Perl-Compatible Regular Expression (PCRE)
    library (LP: #535090)
    - CVE-2008-2371
    - debian/patches/pcre-crash.patch is cherrypicked from upstream commit
      http://github.com/erlang/otp/commit/bb6370a2. The hunk for the
      testsuite does not apply cleanly and is not needed for the fix so was
      stripped. This fix is part of the current upstream OTP release R13B04.
 -- Ralf Doering <email address hidden> Fri, 12 Mar 2010 09:40:49 +0100

Changed in erlang (Ubuntu Karmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:13.b.3-dfsg-2ubuntu2

---------------
erlang (1:13.b.3-dfsg-2ubuntu2) lucid; urgency=low

  * CVE-2008-2371: outer level option with alternatives caused crash.
    (LP: #535090).
 -- Ralf Doering <email address hidden> Thu, 11 Mar 2010 15:20:06 +0100

Changed in erlang (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in erlang (Ubuntu Intrepid):
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.